Statistics of active and idle packets

Carter Bullard via Argus-info argus-info at lists.andrew.cmu.edu
Wed Mar 23 22:11:50 EDT 2016


Hey Daniel,
Argus has a somewhat complex inter packet arrival metric that evolved from measuring jitter for voice over IP.  It's pretty straightforward, but it does need some explanation.

When measuring jitter for VoIP, there are a few codecs that support silence suppression.  When silence suppression is "on", you don't want to tally interpacket arrival times into your jitter values.  So we created an active interpacket arrival time, and an idle set of times, to measure the jitter when voice was active, and to tally the periods of silence suppression.

Thus we invented the notion of packet dynamics while "in" the protocol, and when "out" of the protocol.  This worked very well when applied to windowed protocols, like TCP and UDT.  In these protocols, you have the notion that an end system transmits packets "in" the window, which we call the active period, and there are periods when the protocol is "out" of the window, when it is idle, waiting for the window to be acknowledged.  So this is where we get the concepts of active and idle packet dynamics.

As a result, argus has 4 interpacket arrival times, an active and idle interpacket arrival time set of metrics for both src and dst directions of traffic, so there are 4 intpkt means, variances (jitter), max and min values that are tracked.  The general interpacket arrival time is the average of active and idle metrics, which is statistically valid based on how we tally the values.

Practically, what this means is that unless you are sensitive to these protocol states, you will want to see the sintpkt and dintpkt values, but if you want to know the states of the protocol, the values can show times spent in active and idle states.  For most TCP connections, practically, you actually don’t get any active times, because there is only one packet transmitted in the window, so there aren’t any active interpacket arrivals, since there aren’t 2 packets in the active state.

Hopefully this is more helpful than confusing, … send email if you have any questions !!!!

Carter

> On Mar 23, 2016, at 11:04 AM, Daniel Hunter via Argus-info <argus-info at lists.andrew.cmu.edu> wrote:
> 
> Hello! I want to know more details about some of the argus/ra fields. In particular, I am interested in sintpktact and sintpktidl (along with the similar fields for the destination and jitters). What distinguishes a packet as active or idle? I have found that the active source jitter (sjitact) is rarely filled (http/https and ssh traffic).
> I am also curious about the distribution fields such as sintdist and dintdist. Is there a good example of how to use these fields?
> I am using Argus v3.0.8.1. Thanks much!
> -- Daniel
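As an added illustration (not Argus code and not from this thread), the following Python model reproduces the tally Carter describes under one assumed rule for a windowed sender: a gap between two packets inside the same window is active, and the gap after a window closes (while waiting to be acknowledged) is idle. The `window` parameter, the `FLOW` sample and the function names are hypothetical; timestamps are integer microseconds.

```python
from statistics import mean, pvariance

def summarise(gaps):
    """Mean, variance (what Argus reports as jitter), min, max and count."""
    if not gaps:  # no intervals were tallied in this state
        return {"mean": 0, "var": 0, "min": 0, "max": 0, "n": 0}
    return {"mean": mean(gaps), "var": pvariance(gaps),
            "min": min(gaps), "max": max(gaps), "n": len(gaps)}

def classify_gaps(timestamps, window):
    """Split one direction's interarrival times into active (inside a
    window) and idle (between windows) sets under the assumed window rule."""
    active, idle = [], []
    for i in range(1, len(timestamps)):
        gap = timestamps[i] - timestamps[i - 1]
        # packet i-1 closed a window when its 1-based position is a multiple of window
        (idle if i % window == 0 else active).append(gap)
    return active, idle

def intpkt_metrics(packets, window):
    """packets: iterable of (timestamp_us, 'src'|'dst') for one flow.
    Returns s/dintpktact, s/dintpktidl blocks and the general s/dintpkt."""
    out = {}
    for prefix, direction in (("s", "src"), ("d", "dst")):
        ts = sorted(t for t, d in packets if d == direction)
        act, idl = classify_gaps(ts, window)
        a, i = summarise(act), summarise(idl)
        out[prefix + "intpktact"], out[prefix + "intpktidl"] = a, i
        # Carter describes the general metric as the average of the active and
        # idle metrics; when one state has no intervals only the other counts.
        present = [x["mean"] for x in (a, i) if x["n"]]
        out[prefix + "intpkt"] = mean(present) if present else 0
    return out

# Constructed flow: src sends windows of 3 packets 10 ms apart, then waits
# roughly 480 ms; dst replies once per window.
SRC = [0, 10_000, 20_000, 500_000, 510_000, 520_000]
DST = [250_000, 750_000]
FLOW = [(t, "src") for t in SRC] + [(t, "dst") for t in DST]

if __name__ == "__main__":
    m = intpkt_metrics(FLOW, window=3)
    print("active:", m["sintpktact"], "idle:", m["sintpktidl"], "general:", m["sintpkt"])
    # One packet per window (the common TCP case Carter mentions): no active
    # intervals at all, so sintpktact stays empty and only idle values exist.
    print("window=1 active count:", intpkt_metrics(FLOW, window=1)["sintpktact"]["n"])
```

With `window=1` every gap lands in the idle set, which is why `sjitact` is so rarely populated for ordinary TCP flows.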
