'normal' filter primitive

Carter Bullard carter at qosient.com
Tue Sep 3 14:10:34 EDT 2002


Hey Wozz,
   If there is a problem, it could be in either argus()
not marking the records as ARGUS_NORMAL_CLOSED, or in
the ra() compiler, not finding the right bit.  Could you
send me a file with a few of the records that do match
your filter, so I can debug? 

   As a suggestion, you can use racount() to give you an
indication of the number of matched records, etc, rather
than using wc.  Since it provides the same filter support,
etc...., it may be more convenient.

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street
Suite 18K
New York, New York 10022

+1 212 588-9133 Phone
+1 212 588-9134 Fax

> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu 
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of 
> wozz+argus at wookie.net
> Sent: Tuesday, September 03, 2002 1:09 PM
> To: Carter Bullard
> Cc: argus-info at lists.andrew.cmu.edu
> Subject: Re: 'normal' filter primitive
> 
> 
> On Tue, Sep 03, 2002 at 08:30:20AM -0400, Carter Bullard wrote:
> > Hey Wozz,
> > Sorry for the late response, but holiday called.  "normal"
> > is basically normal events (SYN, SYN_ACK, data),
> > closing (FIN or FIN_ACK) and no resets.
> 
> 
> This is what I expected, however, it doesn't seem to be 
> working for me.
> 
> Example:
> 
> $ ra -T 15 -S localhost -w /tmp/test
> ra: Trying localhost port 561 Expecting Argus records
> ra: connected
> $             
> $ ra -r /tmp/test - normal | wc -l
>        0
> $ ra -r /tmp/test - \(syn and synack and data and fin and 
> finack\) and not reset | wc -l
>     1406
> $ ra -r /tmp/test | wc -l
>     1644
> $ ra -r /tmp/test - not normal | wc -l
>     1644
> $  
> 
> The argus running on localhost is running as:
> 
> argus -c -P 561 -B 127.0.0.1 -d
> 
> This is all on a Solaris 8 system.  I've noticed no other 
> strangeness (that wasn't caused by me at least ;) with argus
> on this system.
> 
> Am I missing something, or is it not working as expected?
> 
> >     Normal TCP State        TCP Event    Argus TCP State
> >       TCPS_LISTEN                         None
> >       TCPS_SYN_SENT           SYN ->      ARGUS_SAW_SYN
> >       TCPS_SYN_RECEIVED     
> >       TCPS_ESTABLISHED     <- SYN_ACK     ARGUS_SAW_SYN_SENT
> >                            <-  Data  ->   ARGUS_CON_ESTABLISHED
> > 
> >       TCPS_CLOSING            FIN ->      ARGUS_FIN
> >       TCPS_FIN_WAIT_1                     ARGUS_FIN_WAIT_1
> >       TCPS_LAST_ACK        <- FIN_ACK     ARGUS_FIN_ACK
> >       TCPS_FIN_WAIT_2                     ARGUS_FIN_WAIT_2
> >       TCPS_TIME_WAIT
> >       TCPS_CLOSED                         ARGUS_NORMAL_CLOSED
> >       
> > 'normal', means normal close, where argus is generating
> > the status record because the state machine has it closing,
> > (any of the states after seeing a FIN) and there wasn't
> > a reset event.
> > 
> 
> This is a helpful reference I'll keep around.  Thanks!
> 
> 
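As an added illustration (not code from the thread or from Argus itself), here is a toy model of the state table and the "normal" rule as Carter describes them, compared against the hand-composed filter Wozz used. The event tokens, the `track()` record shape and the `is_normal()` rule are assumptions drawn from the quoted explanation, not Argus internals.

```python
# Toy model of the Argus TCP state tracking and 'normal' rule described in
# this thread.  Written for this page, not Argus source: event tokens and
# the is_normal() rule are assumptions drawn from the quoted explanation.

# Argus state reached after each event, per the quoted state table
# (tokens named after the ra filter primitives used in the thread).
EVENT_TO_STATE = {
    "syn": "ARGUS_SAW_SYN",
    "synack": "ARGUS_SAW_SYN_SENT",
    "data": "ARGUS_CON_ESTABLISHED",
    "fin": "ARGUS_FIN",
    "finack": "ARGUS_FIN_ACK",
    "closed": "ARGUS_NORMAL_CLOSED",
}
# "any of the states after seeing a FIN"
CLOSING_STATES = {"ARGUS_FIN", "ARGUS_FIN_WAIT_1", "ARGUS_FIN_ACK",
                  "ARGUS_FIN_WAIT_2", "ARGUS_NORMAL_CLOSED"}

def track(events):
    """Replay observed events (in order) into one (state, flags) record."""
    state, flags = "None", set()   # TCPS_LISTEN maps to no Argus state
    for ev in events:
        flags.add(ev)
        if ev in EVENT_TO_STATE:   # 'reset' sets a flag, no state here
            state = EVENT_TO_STATE[ev]
    return state, flags

def is_normal(rec):
    """'normal': state machine is past a FIN and no reset was seen."""
    state, flags = rec
    return state in CLOSING_STATES and "reset" not in flags

def is_handcomposed(rec):
    """Wozz's filter: (syn and synack and data and fin and finack) and not reset."""
    _, flags = rec
    return {"syn", "synack", "data", "fin", "finack"} <= flags and "reset" not in flags

# Constructed sample flows: the predicates agree on the first two and
# disagree on the third (closed cleanly, but no data was ever seen).
SAMPLE_FLOWS = {
    "clean": ["syn", "synack", "data", "fin", "finack", "closed"],
    "reset_after_fin": ["syn", "synack", "data", "fin", "reset"],
    "no_data": ["syn", "synack", "fin", "finack", "closed"],
    "still_open": ["syn", "synack", "data"],
}

def compare():
    """Return {flow name: (matches 'normal', matches hand-composed filter)}."""
    return {name: (is_normal(track(ev)), is_handcomposed(track(ev)))
            for name, ev in SAMPLE_FLOWS.items()}
```

The `no_data` flow shows why the two filters are not interchangeable: a record can be in a closing state with no reset (so "normal" under Carter's definition) without ever having carried data.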