pause (or ssilence and dsilence)

elof2 at sentor.se elof2 at sentor.se
Tue Jun 16 11:36:52 EDT 2015 

Hi Carter!

Could the following feature be added to ra:

Say you have a tcp flow (e.g. smtp) that send some packets (EHLO, 
banner, MAIL, RCPT, DATA, etc). Then it pause for 45 seconds. Then it 
continues with a new MAIL, RCPT, etc. It keeps doing this with various 
pauses between the mails until hours later it is FINished.

In this traffic between A and B, I would like to see how long those pauses 
are. Something like this:
           sport      dport state   pause
12:00:00 A:32123 -> B:25 SPA_SPA   0.0
12:00:45 A:32123 -> B:25  PA_PA    44.35
12:05:00 A:32123 -> B:25   A_A     254.1

...where pause (or whatever you want to call it) is simply:
stime minus ltime from the row before.


That's it really.
A "dumb" field that simply display the pause between records (rows) 
displayed on screen so I don't have to use a calculator and manually 
subtract and calculate the difference.




If you want to do it a bit more complex, you could have two fields, in the 
same manner as wireshark has capture filters and display filters:
ra could distinguish between 'displayed' pauses and pauses 
within the 'flow'.

rpause - pause between printed records on screen
   rpause = stime minus ltime from the row before.

fpause - pause since the last record for this particular flow
   fpause = stime minus ltime from the previous record within this flow.


Example:
When line 4 is to be printed, we have a NTP-packet in line 3 which would 
set the pause to 134.1 seconds.

           sport      dport state   pause
12:00:00 A:32123 -> B:25 SPA_SPA   0.0
12:00:45 A:32123 -> B:25  PA_PA    44.35
12:03:00 Q:123   -> Z:123  CON     134.1
12:05:00 A:32123 -> B:25   A_A     119.95

Instead, we cold have:
           sport      dport state   rpause  fpause
12:00:00 A:32123 -> B:25 SPA_SPA   0.0     0.00
12:00:45 A:32123 -> B:25  PA_PA    44.35   44.35
12:03:00 Q:123   -> Z:123  CON     134.1   0.00
12:05:00 A:32123 -> B:25   A_A     119.95  254.1


(perhaps 'rpause' should be called 'dpause' as in "displayed pause", but 
'd' usually indicate "dst", so I go for 'r' as in Record or Row)



What do you say?



(
If the flow records store stime and ltime for *each direction*, we 
could measure the pauses in the client data stream and pauses in the 
server responses.
...but I don't think the records store a src-stime, src-ltime, dst-stime 
and dst-ltime.
)

/Elof

More information about the argus mailing list