argus option review

Peter Van Epp vanepp at sfu.ca
Sun Jan 28 15:59:20 EST 2001 

> 
> Hey Peter,
>    I should make this error message bit more informative,
> like what port is it trying to bind to.  You are correct,
> the acutal enforcement of the option defaults will be in
> "V".
> 
>    Hmmm, I get byte counts for ECHO traffic that are > 0.
> So lets fix this.  How are you running argus?
> 

	./argus_bpf -P0 -w argus.log icmp &

from the 2.0.0U/bin directory. It also seems to do it without the "icmp" (i.e.
capture everything):
	Oops, false alarm. I must have omitted the ./ in front of argus_bpf, 
because the only way I can reproduce it now is to run the 1.8 argus_bpf. When
I run 2.0.0U I indeed get byte counts on ICMP and the probeid is non zero (it
was 0 on the one I was concerned about):

ids# ./argus_bpf -P0 -w argus1.log icmp
argus_bpf[2505]: started

^Cids# ./ra -r argus1.log -c -n
28 Jan 01 12:44:26    man version=2.0     probeid=3848370891
                                        STA
28 Jan 01 12:44:27   icmp  209.38.172.100        ->      142.58.103.2       1
     0         99           0           URP
28 Jan 01 12:44:27   icmp   142.58.47.253        ->     207.192.95.15       1
     0         70           0           SRC
28 Jan 01 12:44:27   icmp      4.24.62.30        ->      142.58.103.2       3
     0         210          0           URH
28 Jan 01 12:44:27   icmp    192.75.245.2       <->       209.87.31.2       1
     1         98           98          ECO
28 Jan 01 12:44:27   icmp    192.75.245.2       <->      142.58.12.68       1
     1         98           98          ECO

	It may be an idea to flag that ra is reading a 1.8 data file on the 
man line to help with screwups like this! To reproduce the "fault" (which isn't
a fault) I had to capture with the 1.8 argus_bpf which of course doesn't have
ICMP byte counts. Thats undoubtably what I did last night (especially since the
probeid was 0 on the one last night as well):

ids# rm argus.log argus1.log
ids# argus_bpf -P0 -w argus.log icmp
^C
25376 packets recv'd by filter
0 packets dropped by kernel
ids# ./ra -r argus.log -c -n
28 Jan 01 12:46:29    man version=2.0     probeid=0
                                        STA
28 Jan 01 12:46:29   icmp   192.75.243.50       <->      142.58.181.4       1
     1         0            0           ECO
28 Jan 01 12:46:29   icmp    192.75.245.2       <->       209.87.31.2       1
     1         0            0           ECO
28 Jan 01 12:46:29   icmp    192.75.245.2       <->      142.58.12.68       1
     1         0            0           ECO
28 Jan 01 12:46:32   icmp   142.58.200.67       <->    207.23.240.162       1
     1         0            0           ECO

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

More information about the argus mailing list