Errors in gap detection
elof2 at sentor.se
Wed Oct 22 09:39:11 EDT 2014
Hi Carter!
FYI, the gap detection counters still show some wonky numbers in 3.0.8.
ra -Zb -s flgs spkts dpkts state:13 sgap dgap -nr gaps.argus - tcp | grep g
Normal and OK gaps show up like this:
Flgs SrcPkts DstPkts State SrcGap DstGap
e g 15 24 PA_PA 0 458
e g 3 3 PA_PA 0 284
e g 5 6 PA_PA 0 732
e g 129 284 PA_PA 0 1367
e g 66 94 PA_PA 0 1367
e g 2 2 PA_PA 0 801
...but here and there I get lines like this:
e g 7 6 FSPA_FSPA 3051561* 8894044*
e g 7 6 FSPA_FSPA 1142343* 8891853*
e g 7 6 FSPA_FSPA 98000397 7385371*
e g 6 4 FSPA_FSPA 59208794 6255514*
e g 20 20 FSPA_FSPA 3468512* 65538
e g 20 20 FSPA_FSPA 3468512* 65538
e g 5 6 SPA_SPA 2562525* 9087142*
e g 7 6 FSPA_FSPA 68629719 5826434*
e g 7 6 FSPA_FSPA -214748* 5815425*
e g 7 6 FSPA_FSPA -214748* 1919818*
e g 17 24 FSPA_FSPA 3167486* 2765698*
This doesn't look as nice.
I tcpdumped traffic to pcap while argus created its logfile.
I analysed two flows showing gaps, one normal with "0 1367" gaps and
one wonky with "11274535 1767532*" gaps.
Wireshark analysis of the "normal flow" shows the same numbers as argus:
0 gaps from src and 1367 bytes (one packet) missing (in mid-stream) from
dst.
Good.
Wireshark analysis of a "wonky" flow shows no errors! No complaints at all
from Wireshark (including its Expert Info). No "previous segment not
captured" and no "ACKed unseen segment".
Everything looks good in the pcap.
I can't find any reason why argus creates those wonky numbers.
Oh, well, I don't use the gaps fields very often, so for me this is not
important. I just thought I'd let you know.
/Elof
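Added illustration, not code from the argus project or from this mail: a small Python gap counter that does the per-direction accounting the ra sgap/dgap columns summarise, i.e. how many payload bytes were never seen between the lowest and highest sequence offset observed in one direction, with retransmitted and out-of-order segments merged so they do not count as loss. It also shows why a counter that ignores 32-bit sequence wrap can print huge or negative byte counts for a stream that a packet decoder considers clean; that wrap case is a generic pitfall used here for illustration and is not a diagnosis of argus 3.0.8. The function names (`seq_diff`, `to_int32`, `count_gaps`, `demo`) and all segment lists are constructed for the example.

```python
SEQ_MOD = 1 << 32

def seq_diff(a, b):
    """Wrap-safe signed difference a - b in 32-bit TCP sequence space."""
    d = (a - b) % SEQ_MOD
    return d - SEQ_MOD if d >= SEQ_MOD // 2 else d

def to_int32(n):
    """Truncate a Python int the way storing it in a C 'int' would."""
    n &= 0xFFFFFFFF
    return n - SEQ_MOD if n >= 1 << 31 else n

def count_gaps(segments, diff=seq_diff):
    """Bytes never seen between the lowest and highest payload offsets
    observed in one direction of a flow.

    segments: list of (seq, payload_len) in capture order.
    diff:     maps an absolute seq number to an offset from the first
              segment; the default is wrap-safe, a plain subtraction is not.
    Overlapping intervals (retransmissions, reordering) are merged, so
    only bytes that were really never captured are counted."""
    base = None
    intervals = []
    for seq, length in segments:
        if length == 0:
            continue                      # pure ACKs carry no payload
        if base is None:
            base = seq
        start = diff(seq, base)
        intervals.append((start, start + length))
    if not intervals:
        return 0
    intervals.sort()
    cur_s, cur_e = intervals[0]
    lo = cur_s
    covered = 0
    for s, e in intervals[1:]:
        if s <= cur_e:
            cur_e = max(cur_e, e)         # overlap: retransmit or reorder
        else:
            covered += cur_e - cur_s      # close the current run
            cur_s, cur_e = s, e
    covered += cur_e - cur_s
    return (cur_e - lo) - covered         # span minus what was actually seen

# Constructed sample: the "normal" dst direction from the mail, one
# 1367-byte segment missing mid-stream.
NORMAL_DST = [(1000, 1367), (2367, 1367), (5101, 1367)]

# Constructed sample: out-of-order delivery plus a retransmission, no loss.
REORDERED = [(1, 100), (201, 100), (101, 100), (101, 100)]

# Constructed sample: a contiguous stream whose sequence number wraps
# past 2^32 between the first and second segment.
WRAPPING = [(0xFFFFFF00, 256), (0x00000000, 256), (0x00000100, 256)]

def demo():
    """Gap counts for the three constructed flows, wrap-safe and naive."""
    naive_raw = count_gaps(WRAPPING, diff=lambda a, b: a - b)
    return {
        "normal": count_gaps(NORMAL_DST),          # 1367, as in the mail
        "reordered": count_gaps(REORDERED),        # 0
        "wrap_safe": count_gaps(WRAPPING),         # 0
        "wrap_naive_raw": naive_raw,               # ~4 GB of "loss"
        "wrap_naive": to_int32(naive_raw),         # negative once stored in an int
    }

if __name__ == "__main__":
    for name, gap in demo().items():
        print(f"{name:15s} {gap}")
```

When a gap column looks implausible, comparing the counter against an interval merge like this on the same pcap (or against Wireshark's Expert Info, as the mail does) separates real capture loss from accounting artifacts; a value near 2^31 or 2^32, or a negative one, on a flow the decoder calls clean is the signature of the arithmetic case rather than of missing packets.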