RE: argus records
Carter Bullard <carter <at> qosient.com>
2002-04-08 14:51:40 GMT
The answers to what all the fields mean are scattered
around, and there is a word document that describes them,
but it's out of date. I was hoping that they were all
self explanatory ;o) Let me answer your specific questions,
and then I'm headed for breakfast.
If we do this enough, we'll get all the fields described,
so please keep those questions coming!
The bytes fields that are in the <Metrics> tag are all
derived from the length of the packet received on the wire.
The bytes fields that are in the <Extended TCP Metrics> tag
are all derived from the TCP headers, so there can be some
discrepancies, although they should be minor.
The AppBytes fields contain the number of bytes above the
transport layer for this flow, so it's basically
(totalbytes - (MACHdr + IP_Hdr + TransHdr)).
The TcpByte field is the number of bytes declared in the
TCP header minus the TCP header length (TCPLen - TCPHdrLen).
The TcpAckBytes are the actual number of bytes acknowledged
by the receiver, so they are successfully transported bytes.
AppBytes should always be equal to than TcpBytes (+-1), if all
the packets are seen by the Argus, and both should be greater than
TCPAckBytes, at least in theory, but there are situations where
these rules don't apply. This is because the TCPByte and AppByte