ragator

Carter Bullard carter at qosient.com
Fri Nov 10 17:26:40 EST 2000 

Hey William,
   Yes, I can do all that you suggest.  We are doing
the '/' thing in our compiler filter expressions, so
that's why I put the rudimentary idea in the CIDR stuff.
I just did the CIDR thing really sloppy.  Consider it
done.

   Yes, the parent flow confusion is a problem that
has just surfaced, and you are 3 in line for reporting
it.  What is happening is that we are tracking a fragment,
which was not re-assemblable.  We time it out, and go
to update the parent flow with the partial fragment
data, but the parent flow control block has been
free'd.  I put logic to deal with this, but its not
working, so ......

   This is what I'm focusing on fixing tonight and
this weekend.  Not much you can do in the immediate,
unless you can get a packet capture file that causes
argus to barf.  Then a solution would be easy.

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 17A
New York, New York  10022

carter at qosient.com
Phone +1 212 813-9426
Fax   +1 212 813-9426



-----Original Message-----
From: owner-argus at lists.andrew.cmu.edu
[mailto:owner-argus at lists.andrew.cmu.edu]On Behalf Of William Setzer
Sent: Friday, November 10, 2000 1:17 PM
To: argus at lists.andrew.cmu.edu
Subject: Re: ragator


"Carter Bullard" <carter at qosient.com> writes:
:
:    Hmmmmm, the CIDR address parsing is broken in this case.
: This will be fixed today, and in the "w" release hopefully
: tonight.

Cool.  If I might make a couple suggestions:

*) In RaParseCIDRAddr(), it looks like it's acceptable to use a '/'
   in a CIDR prefix, but that it isn't taken into account when
   determining the mask.

*) Although a pain to implement, it'd be nice to be able to only
   specify the portion of the IP not covered by the mask, ie,
   152.1/16 or 152.1.10/24.  At least under Solaris it doesn't
   currently work because gethostbyname("152.1") returns an
   address equivalent to "152.0.0.1".


In unrelated news, I'm using 2.0v on Solaris 2.6, and "argus_dlpi"
is dying fairly regularly with the following error:

  argus_dlpi[3347]: 973879284.0.662747 ArgusError: ArgusUpdateFlow()
fragment parent confusion.

Is there anything I can do to help debug this?


William
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20001110/8e3a810d/attachment.html>

More information about the argus mailing list