Argus Flow reversal with ECRs ??

Carter Bullard cbullard at nortelnetworks.com
Thu Feb 17 09:37:06 EST 2000 

Hey Russell (Guys),
   Ra is trying to be clever, as it wants to
correct any poor assumptions that argus() may
have made.  Argus() when it sees only ECRs will
report correctly the source and destination
for the half-pipe flow.  Ra(), however, can and
does apply a little more logic, trying to correct
Argus records when it can.  This is one of those
cases where Ra() is being too clever.

   The idea was/is that since Echo is a strick
Request/Response protocol, we should be able to
infer the correct Src/Dst relationship based on
this protocol.  Argus does not care, it simply
tracks based on the first packet seen in a flow.
Ra() wants to correct the condition where the
first packet seen was an Echo Reply.  Thats why
the arrows are drawn in the wrong direction.

   A fix is to comment out line 675 from
common/argus_parse.c.  This will remove the
direction reversal that ra() is doing.  A better
fix is to test whether there are pkt counts in
both directions, and reverse the direction then.
This would be condition where Argus didn't see
the first Echo Request and started tracking a
ping flow based on the first packet being an Echo
Reply.

   What do you guys think you want to do?

Carter

> -----Original Message-----
> From: Russell Fulton [mailto:r.fulton at auckland.ac.nz]
> Sent: Wednesday, February 16, 2000 9:52 PM
> To: Argus (E-mail)
> Subject: Re: RE: Argus Flow reversal with ECRs ??
> 
> 
> 
> On Tue, 15 Feb 2000 06:05:24 -0800 Carter Bullard 
> <cbullard at nortelnetworks.com> wrote:
> 
> > 
> > Hey Russell,
> >    Yes I think that there was/is a possiblity for ra()
> > to mess up on this one, but I'm pretty confident that
> > the 1.8 code addresses this problem.
> > 
> 
> OK, I have got the latest code from ftp.andrew.cum.edu and 
> compiled it 
> with only a little bother (see below) and run the test and yes it all 
> looks great!
> 
> Source address is shown as the remote machine but the arrow and the 
> counts show the packets going in the right direction.  I tried fullra 
> to check Neil's finding but it dumped core.
> 
> The system is a debian Linux box and I had to add a #include 
> <ioctls.h>
> to get it to compile.
> 
> Cheers, Russell.
> 
> 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20000217/7e309c3a/attachment.html>

More information about the argus mailing list