Two TCP sessions in one flow record
Jonatas Marques via Argus-info
argus-info at lists.andrew.cmu.edu
Fri Jul 15 10:14:04 EDT 2016
Hi,
*Context*: I've been running three httperf processes in parallel on a
'client' machine to generate workload for an HTTP server running on a server
machine. On the server machine I've been running an argus process to record
the flows. Because all httperf processes choose their source ports
sequentially starting from 1024 and the connection frequencies are *high*
(100, 25, 10 connections/s), it may happen that two TCP sessions with the
same 5-tuple (saddr, sport, daddr, dport, proto) occur within a short
period (~20ms).
*My problem*: Argus is generating only one flow record for the two
(complete and successfully closed) TCP sessions.
*How do I know*: I did a test using wireshark (packet-level monitoring),
which keeps the two TCP sessions separate, whereas for the same test
argus generates only one record for both. Test result excerpt:
* Wireshark output obtained from Statistics/Conversations/TCP:
    saddr  sport  daddr  dport  packets  bytes
    A      1024   B      8000   11       2024
    A      1024   B      8000   59       108054
    ...
* RA output for "ra -n -r my_audit_file.log":
    saddr  sport  daddr  dport  packets  bytes
    A      1024   B      8000   70       110078
    ...
The sum of packets and bytes from the wireshark flows is equal to the
number of packets and bytes in the (one) argus record.
*My question*: Is this behavior expected? Is there a way to configure the
argus server so that this does not happen?
P.S. My test used the ra client to be certain that the cause is the argus
server process, but my actual use case requires racluster. Thus, a possible
solution must also prevent the records from being joined by racluster.
Best regards,
Jonatas Marques
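Added example, not code from the post or from the argus project: a toy Python aggregator that reproduces the two behaviours described above on a constructed packet trace. Keying on the bidirectional 5-tuple alone merges both sessions into one 70-packet/110078-byte record, while additionally opening a new record when a fresh SYN arrives on a key whose previous session has already seen FIN or RST keeps the 11/2024 and 59/108054 sessions apart. The `Packet` type, `make_session` helper and per-packet sizes are assumptions chosen so the totals match the numbers in the post; the TCP flag bits are the standard values.

```python
from collections import namedtuple

# Constructed packet model: one packet per record, length = bytes on the wire.
Packet = namedtuple("Packet", "saddr sport daddr dport proto flags length")
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10   # standard TCP flag bits


def flow_key(p):
    """Bidirectional 5-tuple: both directions of a session map to one key."""
    ends = sorted([(p.saddr, p.sport), (p.daddr, p.dport)])
    return (ends[0], ends[1], p.proto)


def merge_by_key(packets):
    """Key-only aggregation: sessions sharing a 5-tuple land in one record."""
    totals = {}
    for p in packets:
        rec = totals.setdefault(flow_key(p), {"packets": 0, "bytes": 0})
        rec["packets"] += 1
        rec["bytes"] += p.length
    return list(totals.values())


def split_sessions(packets):
    """Same keying, but a pure SYN on a key whose live session already saw
    FIN/RST starts a new record instead of being folded into the old one."""
    records, live = [], {}          # live: key -> index of current record
    for p in packets:
        key = flow_key(p)
        pure_syn = bool(p.flags & SYN) and not (p.flags & ACK)
        idx = live.get(key)
        if idx is None or (pure_syn and records[idx]["closed"]):
            records.append({"packets": 0, "bytes": 0, "closed": False})
            idx = live[key] = len(records) - 1
        rec = records[idx]
        rec["packets"] += 1
        rec["bytes"] += p.length
        if p.flags & (FIN | RST):
            rec["closed"] = True
    return records


def make_session(n_packets, total_bytes):
    """Constructed session A:1024 <-> B:8000: handshake, server data, close."""
    a2b, b2a = ("A", 1024, "B", 8000, "tcp"), ("B", 8000, "A", 1024, "tcp")
    head = [Packet(*a2b, SYN, 60), Packet(*b2a, SYN | ACK, 60), Packet(*a2b, ACK, 52)]
    tail = [Packet(*a2b, FIN | ACK, 52), Packet(*b2a, FIN | ACK, 52), Packet(*a2b, ACK, 52)]
    n_data = n_packets - len(head) - len(tail)
    per, rem = divmod(total_bytes - sum(x.length for x in head + tail), n_data)
    data = [Packet(*b2a, ACK, per + (1 if i < rem else 0)) for i in range(n_data)]
    return head + data + tail
```

Running both functions over the same capture is a quick way to check whether a flow tool's records are cut at session boundaries or only at key changes.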