Further (broken) argus-2.0.0 patches

Carter Bullard carter at qosient.com
Sun Sep 3 10:32:04 EDT 2000


Hey Neil,
   The tests are perfect and not a waste of time in
any way.  They help to give me a priority for
fixing things.

I had completely forgotten the '-e' and '-a'
options so they go in on Tuesday.  An option that
you do want to test is the multiple '-w filename "filter"'
expressions; the filter needs to be quoted for the
thing to work.  There is no testing that the filenames
don't collide, so don't complain if you put two
"-" and you get unexpected results ;o).

The counts will be different, especially since we
are counting all the traffic now.  You may want to
compare using simple filters such as "ip" and "not ip"
to see where the differences might be.

The code is all new, except for some of the state
machine logic, so there are opportunities for lots
of things to be inconsistent.  The only "truth" that
I have to go on is the packet counts, so that seems
to work for me.  The byte counts will be an interesting
test, as there are opportunities for counting the
data part of the packet rather than the whole packet,
so I'll have to go over that with a fine-toothed
comb.

The number of flows should be the same, but the number
of records reporting activities on the flows could
be different in some cases.  For counting flows, we'll
need to take the argus output and run ragator(), running
it as if it were ra(), to get the minimum FARs out
of the data.

ragator() replaces raconnections() so you should use
it the same way, although it has a HUGE set of new
features to look into.

Carter
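As an added example, not code from this thread or from the argus project, the following shell script applies the advice in Carter's message: one '-w filename "filter"' pair per output file with the filter quoted, "ip" against "not ip" to localise count differences, racount for the per-file totals, and ragator run the way ra would be run to get the minimum set of FARs. The file names trace.tcpdump, ip.argus and notip.argus are assumptions, as is that the argus-2.0.0 tools are on PATH and accept -r/-w as used in the thread.

```shell
#!/bin/sh
# Added example; not from the argus project or the mailing-list thread.
# Assumptions (not stated on the page): the capture is trace.tcpdump, the
# outputs are ip.argus and notip.argus, and argus, racount and ragator from
# argus-2.0.0 are on PATH and accept -r/-w as used in the thread.
set -u

# Write one argus output file per filter.  The filter that follows each
# "-w filename" must be quoted so that "not ip" reaches argus as a single
# argument, and argus does not check that the two filenames differ, so
# keep them distinct yourself.
split_by_filter() {
    trace=$1
    argus -r "$trace" -w ip.argus "ip" -w notip.argus "not ip"
}

# Per-file record/packet/byte totals, to be compared against a 1.8.1 run
# over the same capture; a mismatch in only one of the two files narrows
# down where the new counting code disagrees.
summarise() {
    for f in ip.argus notip.argus; do
        echo "== $f"
        racount -r "$f"
    done
}

# Number of flows: run ragator over the argus output as if it were ra, which
# reduces the per-interval records to the minimum set of FARs.  The line
# count is a rough proxy; subtract any header lines the tool prints.
count_flows() {
    ragator -r "$1" | wc -l
}

main() {
    trace=${1:-trace.tcpdump}
    split_by_filter "$trace" || return 1
    summarise
    echo "flows (ip):     $(count_flows ip.argus)"
    echo "flows (not ip): $(count_flows notip.argus)"
}

# Usage: sh split.sh trace.tcpdump   (does nothing if argus is not installed)
if command -v argus >/dev/null 2>&1; then
    main "$@"
fi
```

Run the same script against a 1.8.1 build with raconnections in place of ragator and diff the two summaries; the "ip" / "not ip" split tells you whether a byte-count discrepancy is confined to IP traffic, which is where counting the payload rather than the whole packet would show up.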



-----Original Message-----
From: owner-argus at lists.andrew.cmu.edu
[mailto:owner-argus at lists.andrew.cmu.edu] On Behalf Of Neil Long
Sent: Sunday, September 03, 2000 5:19 AM
To: Peter Van Epp; carter at qosient.com
Cc: argus
Subject: Re: Further (broken) argus-2.0.0 patches


Hello

I am stuck at home on a dial-up pro tem but had a look at v2.0 with Peter's
first patch bundle (will try the second set later).

With Peter's patches it built ok but I had to remove the -lpthread for the
argus server Makefile entry (since the pthreads on my FreeBSD 3.5 laptop are
in one of the default system libs).

I had no success on FreeBSD using the tun0 interface (not surprising) while
on a ppp link but I was able to make some comparisons in output using a
tcpdump data file. There are a couple of problems arising out of this -
first, the v2 data file output from ./argus_bpf -r tcpdump -w output.data is
truncated and argus exits with a memory error. However, most of the data is
there.

Running ra or racount and comparing v1.8.1 and v2.0 shows some problems with
the summary of data (the record and packet counts are ok but the byte counts,
flows, etc. are wrong).

I will build a fresh tree again with the new patches for FreeBSD and will
test the comparative handling of tcpdump data on Solaris tomorrow. I won't
post the error details yet as it may just be that this part of the code is
not really ready for testing, sorry!

Oh and the -a and -e options don't work as advertised (and as in 1.8) and
either are not enabled yet or are related to the data summary problem.

So I am not sure yet whether such tests are a waste of time at this stage of
development; however, maybe a standard tcpdump trace file could be useful as a
test suite?

Regards
Neil
