flow generation with dropped packets

Carter Bullard carter at qosient.com
Mon Oct 27 10:45:32 EDT 2014


Hey John,
Play with it a while, and you’ll see that argus will generate flows regardless of the protocol, state, number of packets received, etc… It is designed to show you what was on the wire.

Metrics like bytes, pkts, are what was seen on the wire. Attributes like loss are derived from sequence number, or pseudo sequence number tracking.

A flow's reported state is based on an abstract model of network connectivity.
We derive the state regardless of protocol state, as there are lots of scenarios
where argus doesn’t see all the packets, loss, load balancing, asymmetric routing
etc …, but we still need to report on the flow state.  These values should be
well documented ???  Check out the man page for ra.1.

Carter


On Oct 27, 2014, at 9:48 AM, John T. Myers <myersj0 at gmail.com> wrote:

> Carter,
> 
> Thanks! So does Argus try and calculate number of packets dropped based off of sequence numbers not-seen, etc? 
> 
> For instance, for a TCP session, if Argus sees the full TCP handshake, it will generate a flow w/ the ‘CON’ state, but then during data transfer, some packets are dropped (say due to network issues), Argus will calculate how many packets weren’t collected and then the ‘bytes’ field will also just be lower?
> 
> John
> 
> On October 25, 2014 at 5:39:44 PM, Carter Bullard (carter at qosient.com) wrote:
> 
>> Hey John,
>> Yes, it will report on all the flows that it sees, and it will report the number
>> of packets that it didn’t see, whether that was because of loss in the network
>> or loss in the collection methods.
>> 
>> Carter
>> 
>>> On Oct 25, 2014, at 12:43 PM, John T. Myers <myersj0 at gmail.com> wrote:
>>> 
>>> Hi,
>>> 
>>> Will Argus still generate flows even if some of the packets in the session are not collected b/c they get dropped? For instance, port mirroring may drop some packets due to link saturation, so the Argus interface may not get every packet in the session, but perhaps enough to at least generate a flow?
>>> 
>>> I know a TAP is a solution to avoid dropped packets, but I am using Argus to collect intra-subnet and intra-VLAN traffic which a TAP cannot necessarily support.
>>> 
>>> Thanks!
>>> John
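
Added illustration, not Argus code and not written by anyone in this thread: one way a passive sensor can estimate unseen TCP payload bytes from sequence-number gaps in one direction of a flow, the kind of derivation the top reply describes. The function names and the sample segments are constructed for this example, and Argus's own tracking may differ.

```python
MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around

def seq_delta(a, b):
    """Signed distance a - b in 32-bit sequence space."""
    d = (a - b) % MOD
    return d - MOD if d >= MOD // 2 else d

def account_stream(segments):
    """segments: (seq, payload_len) for ONE direction, in capture order."""
    stats = {"seen_bytes": 0, "missing_bytes": 0, "duplicates": 0, "late_fills": 0}
    if not segments:
        return stats
    base, high, holes = segments[0][0], 0, []  # offsets are relative to base
    for seq, length in segments:
        stats["seen_bytes"] += length           # what was on the wire at the sensor
        start = high + seq_delta(seq, (base + high) % MOD)  # unwrapped offset
        end = start + length
        if start > high:                        # jump ahead: bytes not (yet) seen
            holes.append((high, start))
        elif start < high:                      # old data: late arrival or duplicate
            kept, filled = [], 0
            for h0, h1 in holes:
                lo, hi = max(h0, start), min(h1, end)
                if lo < hi:                     # segment covers part of this hole
                    filled += hi - lo
                    kept += [p for p in ((h0, lo), (hi, h1)) if p[0] < p[1]]
                else:
                    kept.append((h0, h1))
            holes = kept
            stats["late_fills" if filled else "duplicates"] += 1
        high = max(high, end)
    stats["missing_bytes"] = sum(h1 - h0 for h0, h1 in holes)
    return stats

# Constructed sample: one direction of a flow whose sequence numbers wrap.
CONSTRUCTED_CAPTURE = [
    (MOD - 1000, 1000),  # first data segment, ends exactly at the wrap
    (0, 1000),           # contiguous after the wrap
    (2000, 1000),        # seq 1000..1999 never reached the sensor
    (3000, 1000),
    (2000, 1000),        # retransmission of data already seen
    (5000, 500),         # jump ahead ...
    (4000, 1000),        # ... filled by an out-of-order segment
]

if __name__ == "__main__":
    print(account_stream(CONSTRUCTED_CAPTURE))
```

The byte count only reflects segments the sensor captured, while the hole that is never filled is reported separately as missing.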
