Question about loss and retransmission reporting

Balas, Edward G ebalas at iu.edu
Fri Dec 7 12:28:21 EST 2018 

Hey all,

Ive run into an issue Im struggling to understand, and thus far googling has failed to right me.  I am trying to use Argus to track retransmissions / loss in flows and I am getting values that are inconsistent with other tools including the sending application.  As I recurse into the various rabbit holes contributing to this on our end, I was wondering if someone could guide me on the following:

1.  within ra etc there is the ability to report loss and retrans.  When I look at the documentation loss seems to imply it contains both retransmissions and dropped packets, if Im looking at a TCP flow, is it correct to assume there will be no drops and thus loss is synonymous with retransmission?

2.  I am able to get ra and racluster to report loss values for my flows, however retrans is always 0, is there a special -M or other options or argus option I need to use to see retrans?  Im making the possibly bad assumption that because I can see loss values the tunings of argus are sufficient.

3.  The Loss numbers are always higher than what I am seeing with other applications, is there a document or place in the code I should go look at that describes how this is calculated?

Motivating these questions is the following small test:
-------------------------------------------------------
I transfered a file to my test host while doing full snaplen packet capture, and then compared argus with tshark reports of loss and retransmission.

accuracy-test2]#  argus -JA -r raw.pcap  -w raw.argus

accuracy-test2]#  racluster -n -r raw.argus  -s stime,dur,pkts,retrans,loss,appbytes,cause -- port 51170
         StartTime        Dur  TotPkts Retrans       Loss TotAppByte   Cause
   16:47:58.176366  15.206044    21513       0         24   20195392   Start




>> Total packets between tshark and argus agree:

accuracy-test2]#  tshark -r raw.pcap -nn -Y 'tcp.port==51170 '  | wc -l
21513

>> Retransmissions / loss do not agree between tshark and argus:

accuracy-test2]#  tshark -r raw.pcap -nn -Y 'tcp.port==51170 and tcp.analysis.retransmission '  | wc -l
17

17 vs 24


Was curious if folks had insights they could share in these regards?

Thanks,
Edward Balas
ebalas at iu.edu<mailto:ebalas at globalnoc.iu.edu>


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20181207/db0b250a/attachment.html>

More information about the argus mailing list