Re: multiple packets from client with decreasing TTL
At 09:02 AM 7/22/2004 -0400, Charles R. Anderson wrote:
> On Thu, Jul 22, 2004 at 08:54:48AM -0400, Charles R. Anderson wrote:
> > I was seeing some weird stuff too, like TTL exceeded or fragment
> > reassembly time exceeded on our IDS system. It was coming from one
> > system at UIUC running the beacon. When I tried to look at it
> > closer, it stopped...
>
> Oh, and I noticed when I stopped receiving packets from it, the beacon
> server still reported that my beacon could see its traffic (green "0"
> in the Central Loss cell). This stayed there for what seemed like a
> long time. Is this a bug in the beacon? How long should a beacon
> client remain in the table with a green "0" after it can no longer be
> heard?
Should be at most five minutes.
Typically, it's only up to a max of two minutes -- One minute max for the
next time your Beacon client reports via TCP, and one minute max for the
Beacon Central Server to update the web page with the new reports.
But in the event that the Central Server stops receiving TCP reports from a
given Beacon client, it'll wait for five minutes before deciding that
Client isn't coming back. I suppose I could make "two-to-five minutes" of
not hearing a probationary period and mark the web page accordingly,
couldn't I? ;-)
Mitch
--
Mitch Kutzko | mitch@dast.nlanr.net | mitch@ncsa.uiuc.edu | 217-333-1199
Project: http://dast.nlanr.net/ | Personal: http://hobbes.ncsa.uiuc.edu/