strange records
David Brumley
dbrumley at goju.Stanford.EDU
Wed Apr 21 12:14:02 EDT 1999
On Tue, 20 Apr 1999, Carter Bullard wrote:
> Hmmmmm,
> Very interesting, and we can't blame it on Daylight
> Savings Time ;o) The question would be "is this a TCP
> record"? Argus is doing some not-so-straightforward
> logic on TCP reporting (times, byte and packet counts) in
> order to have the final record be a cumulative record
> of the entire TCP. If this is a really long lived record
> we may have wrapped around a counter and that's how we
> got a negative value in a byte counter, but the time should
> wrap. We may be tickling something in this code that
> is not quite right.
>
> What I would be interested in is if there are any
> other records that apply to this same flow
> that are well formed.
The one right before it seems okay:
- startime: Wed 04/14 00:43:45
- lasttime: Tue 04/13 19:41:20
- src addr: 171.215.74.136
- dst addr: 171.64.14.237
TCP Structure:
- src port num: 1348
- dst port num: 80
- src byte count: 622
- dst byte count: 1448
- src pkt count: 3
- dst pkt count: 3
..then bad record...
- startime: Wed 04/14 00:44:11
- lasttime: Tue 04/13 19:41:20
- src addr: 171.215.74.136
- dst addr: 171.64.14.237
TCP Structure:
- src port num: 1350
- dst port num: 80
- src byte count: -12
- dst byte count: 0
- src pkt count: 3
- dst pkt count: 1
..then the next record has messed up time stamp...
- startime: Wed 04/14 00:45:30
- lasttime: Tue 04/13 19:41:20
- src addr: 171.215.74.136
- dst addr: 171.64.67.191
TCP Structure:
- src port num: 1363
- dst port num: 80
- src byte count: 2208
- dst byte count: 13165
- src pkt count: 16
- dst pkt count: 12
It looks like all further flows to and from that host have the same
lasttime!
I don't have any good ideas for isolating these types of flows as they
happen. We ended up with a negative byte count 12 times out of around 13
million tcp records, so it's not happening real often.
>
> Carter
>
> PS. Hows the FDDI performance? I have not had the best
> results with Sun FDDI. I've had better results with
> DEC.
>
We drop packets quite a bit, but are still surviving. I'm gonna try
compiling with the latest libpcap and see what that does. As you can
imagine, with 30,000 hosts we have a somewhat busy fddi :)
cheers,
david
> -----Original Message-----
> From: David Brumley [mailto:dbrumley at goju.Stanford.EDU]
> Sent: Tuesday, April 20, 1999 12:50 PM
> To: Carter Bullard
> Cc: argus at lists.andrew.cmu.edu
> Subject: strange records
>
>
> I forgot to mention, the clock is only adjusted at most a few seconds.
>
> On Tue, 20 Apr 1999, David Brumley wrote:
>
> > Hey carter,
> > I've noticed some weird records lately while writing an IDS around argus.
> > I'm running argus on Solaris 2.6 on a FDDI.
> >
> > We run AFS on the machine, so the clock is adjusted every so often. I
> > don't know if this explains the whole skew, though.
> > - startime: Wed 04/14 00:44:11
> > - lasttime: Tue 04/13 19:41:20
>
#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
David Brumley - Stanford Computer Security - dbrumley at Stanford.EDU
Phone: +1-650-723-2911 WWW: http://www.stanford.edu/~dbrumley
Fax: +1-650-725-9121 PGP: finger dbrumley-pgp at sunset.Stanford.EDU
#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
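The thread leaves open how to isolate records like these as they come through. The script below is an added example, not part of the mail or of the argus distribution: it parses the "- key: value" dump format shown above and applies three defender-side checks, a negative byte or packet counter (reported alongside the same bits read as an unsigned 32-bit value, on the assumption, taken from Carter's suggestion rather than confirmed, that the counter is a 32-bit signed integer), a lasttime that precedes the starttime, and one lasttime value repeated across several records from the same host, which is what a frozen clock looks like. The year is not printed by argus; 1999 is assumed from the mail header. The sample input is the three records quoted in the mail, embedded verbatim; all three have lasttime before starttime, so the time check fires on each of them, not only on the one David calls bad.

```python
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List

ASSUMED_YEAR = 1999  # argus prints no year; taken from the mail header (assumption)

_TIME_RE = re.compile(r"^[A-Za-z]{3} (\d{2})/(\d{2}) (\d{2}):(\d{2}):(\d{2})$")
_FIELD_RE = re.compile(r"^\s*-\s*([a-z ]+?):\s*(.+?)\s*$")  # "- src byte count: 622"
INT_FIELDS = ("src port num", "dst port num", "src byte count",
              "dst byte count", "src pkt count", "dst pkt count")
TIME_FIELDS = ("startime", "lasttime")  # "startime" is argus' own spelling


def parse_time(text: str, year: int = ASSUMED_YEAR) -> datetime:
    """'Wed 04/14 00:43:45' -> datetime; the weekday name is not used."""
    m = _TIME_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised argus time: {text!r}")
    mon, day, hh, mm, ss = (int(g) for g in m.groups())
    return datetime(year, mon, day, hh, mm, ss)


def parse_records(text: str) -> List[Dict[str, object]]:
    """Turn the '- key: value' dump into dicts; each 'startime' line starts
    a new record. Lines without a leading dash ('TCP Structure:') are skipped."""
    records: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = _FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "startime":
            records.append({})
        if not records:
            continue  # stray field before the first startime
        if key in TIME_FIELDS:
            records[-1][key] = parse_time(value)
        elif key in INT_FIELDS:
            records[-1][key] = int(value)
        else:
            records[-1][key] = value
    return records


def find_anomalies(records: List[Dict[str, object]], stuck_threshold: int = 3) -> List[str]:
    """One message per suspicious property: negative counters, lasttime before
    startime, and a lasttime repeated in >= stuck_threshold records of one host."""
    problems: List[str] = []
    stuck: Counter = Counter()
    for i, r in enumerate(records):
        tag = f"record {i} {r['src addr']}:{r['src port num']}->{r['dst addr']}:{r['dst port num']}"
        for name in INT_FIELDS[2:]:  # byte and packet counters only
            v = r[name]
            if v < 0:
                # Assumed 32-bit signed counter: show what the same bits mean unsigned.
                problems.append(f"{tag}: {name} = {v} is negative (same bits as uint32: {v & 0xFFFFFFFF})")
        if r["lasttime"] < r["startime"]:
            problems.append(f"{tag}: lasttime {r['lasttime']} precedes startime {r['startime']}")
        stuck[(r["src addr"], r["lasttime"])] += 1
    for (host, t), n in stuck.items():
        if n >= stuck_threshold:
            problems.append(f"host {host}: lasttime {t} repeated in {n} records (frozen clock?)")
    return problems


# Constructed sample: the three records quoted in the mail, verbatim.
SAMPLE = """\
- startime: Wed 04/14 00:43:45
- lasttime: Tue 04/13 19:41:20
- src addr: 171.215.74.136
- dst addr: 171.64.14.237
TCP Structure:
- src port num: 1348
- dst port num: 80
- src byte count: 622
- dst byte count: 1448
- src pkt count: 3
- dst pkt count: 3
- startime: Wed 04/14 00:44:11
- lasttime: Tue 04/13 19:41:20
- src addr: 171.215.74.136
- dst addr: 171.64.14.237
TCP Structure:
- src port num: 1350
- dst port num: 80
- src byte count: -12
- dst byte count: 0
- src pkt count: 3
- dst pkt count: 1
- startime: Wed 04/14 00:45:30
- lasttime: Tue 04/13 19:41:20
- src addr: 171.215.74.136
- dst addr: 171.64.67.191
TCP Structure:
- src port num: 1363
- dst port num: 80
- src byte count: 2208
- dst byte count: 13165
- src pkt count: 16
- dst pkt count: 12
"""

if __name__ == "__main__":
    for p in find_anomalies(parse_records(SAMPLE)):
        print(p)
```

On the sample this reports the -12 src byte count (4294967284 if read as unsigned 32-bit), the lasttime-before-startime inversion on all three records, and the lasttime shared by all three flows from 171.215.74.136. The stuck_threshold default of 3 is arbitrary; on a live feed it should be set against how many flows a host normally closes per second, and the uint32 reading is only meaningful if argus' counter really is 32 bits wide.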