Errors in gap detection
Carter Bullard
carter at qosient.com
Wed Oct 22 13:28:28 EDT 2014
Can you send the pcap file? Does argus generate the crazy
numbers with this file?
Carter
> On Oct 22, 2014, at 9:39 AM, elof2 at sentor.se wrote:
>
>
> Hi Carter!
>
> FYI, the gap detection counters still show some wonky numbers in 3.0.8.
>
> ra -Zb -s flgs spkts dpkts state:13 sgap dgap -nr gaps.argus - tcp | grep g
>
> Normal and OK gaps show up like this:
> Flgs SrcPkts DstPkts State SrcGap DstGap
> e g 15 24 PA_PA 0 458
> e g 3 3 PA_PA 0 284
> e g 5 6 PA_PA 0 732
> e g 129 284 PA_PA 0 1367
> e g 66 94 PA_PA 0 1367
> e g 2 2 PA_PA 0 801
>
> ...but here and there I get lines like this:
> e g 7 6 FSPA_FSPA 3051561* 8894044*
> e g 7 6 FSPA_FSPA 1142343* 8891853*
> e g 7 6 FSPA_FSPA 98000397 7385371*
> e g 6 4 FSPA_FSPA 59208794 6255514*
> e g 20 20 FSPA_FSPA 3468512* 65538
> e g 20 20 FSPA_FSPA 3468512* 65538
> e g 5 6 SPA_SPA 2562525* 9087142*
> e g 7 6 FSPA_FSPA 68629719 5826434*
> e g 7 6 FSPA_FSPA -214748* 5815425*
> e g 7 6 FSPA_FSPA -214748* 1919818*
> e g 17 24 FSPA_FSPA 3167486* 2765698*
>
> This doesn't look as nice.
>
> I tcpdump'ed traffic to pcap while argus created its logfile.
> I analysed two flows showing gaps, one normal with "0 1367" gaps and one wonky with "11274535 1767532*" gaps.
>
> Wireshark analysis of the "normal flow" shows the same numbers as argus: 0 gaps from src and 1367 bytes (one packet) missing (in mid-stream) from dst.
> Good.
>
> Wireshark analysis of a "wonky" flow shows no errors! No complaints at all from Wireshark (including its Expert Info). No "previous segment not captured" and no "ACKed unseen segment".
> Everything looks good in the pcap.
> I can't find any reason why argus creates those wonky numbers.
>
>
> Oh, well, I don't use the gaps fields very often, so for me this is not important. I just thought I'd let you know.
>
> /Elof
>
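The sgap/dgap counters under discussion are, per direction, the number of TCP stream bytes the capture never saw. As an added illustration (editor's example, not argus or ra code), the block below recomputes such a gap from the (seq, payload length) pairs of a pcap's segments, the same cross-check Elof did by hand in Wireshark, handling 32-bit sequence wraparound, retransmissions and out-of-order delivery, and screens ra's sgap/dgap columns for values that cannot be a byte count. Its treatment of the trailing '*' rests on an assumption: that ra appends it to a value that did not fit the column width (the "-214748*" line above is consistent with -2147483648, the signed 32-bit minimum). All segment lists are constructed.

```python
"""Editor's example, not argus/ra code: recompute per-direction TCP gap
bytes from captured segments and sanity-check ra's sgap/dgap columns.
All segment data below is constructed for illustration."""
from typing import List, Optional, Tuple

SEQ_MOD = 1 << 32          # TCP sequence numbers are 32-bit
HALF = 1 << 31

Segment = Tuple[int, int]  # (sequence number, payload length)


def seq_delta(a: int, b: int) -> int:
    """Signed distance from sequence number a to b modulo 2**32, so that
    a wrap such as 0xFFFFFF00 -> 0x00000100 is a small positive step."""
    d = (b - a) % SEQ_MOD
    return d - SEQ_MOD if d >= HALF else d


def unwrap(segments: List[Segment]) -> List[Tuple[int, int]]:
    """Turn (seq, len) pairs in capture order into non-wrapping
    [start, end) intervals relative to the first segment's seq.
    Pure ACKs (len 0) carry no stream bytes and produce no interval."""
    intervals = []
    prev_seq, prev_rel = None, 0
    for seq, length in segments:
        rel = 0 if prev_seq is None else prev_rel + seq_delta(prev_seq, seq)
        prev_seq, prev_rel = seq, rel
        if length > 0:
            intervals.append((rel, rel + length))
    return intervals


def gap_bytes(segments: List[Segment]) -> Tuple[int, int, int]:
    """Return (gap, captured, span).

    span     - sequence range the capture proves the sender covered
    captured - bytes of that range actually seen (retransmissions once)
    gap      - span - captured, i.e. bytes the capture missed
    """
    ivals = sorted(unwrap(segments))
    if not ivals:
        return 0, 0, 0
    merged = [list(ivals[0])]
    for start, end in ivals[1:]:
        if start <= merged[-1][1]:            # overlap or adjacency: extend
            merged[-1][1] = max(merged[-1][1], end)
        else:
            merged.append([start, end])       # hole before this segment
    captured = sum(e - s for s, e in merged)
    span = merged[-1][1] - merged[0][0]
    return span - captured, captured, span


def parse_ra_gap(field: str) -> Optional[int]:
    """Parse one sgap/dgap column from ra output; None means unusable.

    Assumption: a trailing '*' marks a value truncated to the column
    width (e.g. "-214748*" for -2147483648). A negative count is also
    rejected, since a count of missing bytes can never be negative."""
    if field.endswith("*"):
        return None
    value = int(field)
    return value if value >= 0 else None


def gap_matches_ra(field: str, segments: List[Segment]) -> bool:
    """True when the ra column is usable and equals the pcap-derived gap."""
    expected = parse_ra_gap(field)
    return expected is not None and expected == gap_bytes(segments)[0]


if __name__ == "__main__":
    # Constructed dst direction of the "normal" flow: one 1367-byte
    # segment between the second and third was never captured.
    dst = [(5000, 1367), (6367, 1367), (9101, 1367)]
    # Constructed src direction: one data segment plus pure ACKs.
    src = [(1, 0), (1, 200), (201, 0)]
    print("src gap/captured/span:", gap_bytes(src))   # (0, 200, 200)
    print("dst gap/captured/span:", gap_bytes(dst))   # (1367, 4101, 5468)
    for column in ("0", "1367", "3051561*", "-214748*"):
        print(column, "->", parse_ra_gap(column))
```

Run against real traffic, the segment lists come from the pcap's two directions of one flow (the same filter ra was given), and a disagreement between `gap_bytes` and the ra column, or a `None` from `parse_ra_gap`, points at the flow worth sending along with the capture.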