flow generation with dropped packets

John T. Myers myersj0 at gmail.com
Mon Oct 27 09:48:17 EDT 2014


Carter,

Thanks! So does Argus try and calculate number of packets dropped based off of sequence numbers not-seen, etc? 

For instance, for a TCP session, if Argus sees the full TCP handshake, it will generate a flow w/ the ‘CON’ state, but then during data transfer, some packets are dropped (say due to network issues), Argus will calculate how many packets weren’t collected and then the ‘bytes’ field will also just be lower?

John

On October 25, 2014 at 5:39:44 PM, Carter Bullard (carter at qosient.com) wrote:

Hey John,
Yes, it will report on all the flows that it sees, and it will report the number
of packets that it didn’t see, whether that was because of loss in the network
or loss in the collection methods.

Carter

On Oct 25, 2014, at 12:43 PM, John T. Myers <myersj0 at gmail.com> wrote:

Hi,

Will Argus still generate flows even if some of the packets in the session are not collected b/c they get dropped? For instance, port mirroring may drop some packets due to link saturation, so the Argus interface may not get every packet in the session, but perhaps enough to at least generate a flow?

I know a TAP is a solution to avoid dropped packets, but I am using Argus to collect intra-subnet and intra-VLAN traffic which a TAP cannot necessarily support.

Thanks!
John
