Argus: ip proto usage

Geoff Powell geoff at lanrex.net.au
Sat Aug 16 10:52:17 EDT 2003


Hi all

I've been using the Argus server and the ra utilities for a few months. I
have found the application to be reasonably stable and useful; it's
pretty good, so thanks to the authors and maintainers.

I have a few questions; hopefully someone has the answers.

I use racount to grasp traffic usage on different IP protocols and
ports. For example, to find the usage for tcp port 80 for host 1.2.3.4 I
might use the following two commands:

racount -n -r datafile.out - tcp and src net 1.2.3.4/56 and port 80
racount -n -r datafile.out - tcp and dst net 1.2.3.4/56 and port 80


However, I use the same method to get usage for IPSec (udp port 500;
it also utilizes ip protocols 50 and 51), with the following commands:

racount -n -r datafile.out - ip proto 50 and not tcp and not udp and not icmp and src net 1.2.3.4/56
racount -n -r datafile.out - ip proto 50 and not tcp and not udp and not icmp and dst net 1.2.3.4/56
racount -n -r datafile.out - ip proto 51 and not tcp and not udp and not icmp and src net 1.2.3.4/56
racount -n -r datafile.out - ip proto 51 and not tcp and not udp and not icmp and dst net 1.2.3.4/56
racount -n -r datafile.out - udp and port 500 and dst 1.2.3.4/56
racount -n -r datafile.out - udp and port 500 and src net 1.2.3.4/56

I have noticed that the above filters yield incorrect results. The first
command, if piped to a file using ra instead of racount shows any IP
transaction that is not tcp, udp or icmp. So, in my file for that one
command I see 47, 50 and 51. Hence, when using racount and the same
filter incorrect byte counts are returned. 

Moreover, the following two commands produce the same output, which is
incorrect.

(I have RA_PRINT_SUMMARY=no)

# racount -r data.out - ip proto 2987212 and not tcp and not udp and not icmp
racount    records       total_pkts         src_pkts         dst_pkts      total_bytes        src_bytes        dst_bytes
    sum        808           101170            50616            50554         21254862          7194035         14060827

# racount -r data.out - ip proto 1 and not tcp and not udp and not icmp
racount    records       total_pkts         src_pkts         dst_pkts      total_bytes        src_bytes        dst_bytes
    sum        808           101170            50616            50554         21254862          7194035         14060827

The ra documentation reads as follows:

ip proto protocol
True if the Argus record is an ip transaction (see ip(4P)) of protocol
type protocol.  Protocol can be a number or any of the string values
found in /etc/protocols

"2987212" is certainly not in my /etc/protocols :-)

Am I doing something wrong, or is this a bug in the application?

# rpm -q argus
argus-2.0-4

Linux 2.4.19, Red Hat Linux release 7.3 (Valhalla)

Any help much appreciated, I hope what I'm saying makes sense.

Thanks in advance

Regards,
Geoff (geoff at lanrex.net.au)
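As an added illustration (not part of the original post or of the argus project), here are the filter semantics the ra documentation describes, applied in Python to a constructed set of flows; the record layout, addresses and byte counts are this example's own. Against these flows the first IPSec filter matches only the protocol-50 record and the bogus protocol number matches nothing, which is the reference result to compare racount's output against.

```python
import ipaddress

# Constructed sample flows (this example's own layout, not real ra output):
# (ip proto, src addr, src port, dst addr, dst port, src_bytes, dst_bytes)
FLOWS = [
    (6,  "10.1.1.5",     44321, "198.51.100.9", 80,  1200,  9400),   # tcp/80
    (17, "10.1.1.5",     500,   "203.0.113.7",  500, 640,   720),    # udp/500 IKE
    (50, "10.1.1.5",     0,     "203.0.113.7",  0,   51200, 38400),  # ESP
    (51, "203.0.113.7",  0,     "10.1.1.5",     0,   2048,  1024),   # AH, inbound
    (47, "10.1.1.5",     0,     "203.0.113.7",  0,   4096,  0),      # GRE
    (1,  "192.0.2.1",    0,     "10.1.1.5",     0,   64,    64),     # icmp
]

# Predicates mirroring the ra filter primitives used in the post.
def ip_proto(n):
    return lambda f: f[0] == n          # "ip proto N": this protocol only
tcp, udp, icmp = ip_proto(6), ip_proto(17), ip_proto(1)
def src_net(cidr):
    net = ipaddress.ip_network(cidr)
    return lambda f: ipaddress.ip_address(f[1]) in net
def dst_net(cidr):
    net = ipaddress.ip_network(cidr)
    return lambda f: ipaddress.ip_address(f[3]) in net
def port(p):
    return lambda f: p in (f[2], f[4])  # "port N": either endpoint
def not_(p):
    return lambda f: not p(f)
def all_of(*preds):                     # "A and B and ..."
    return lambda f: all(p(f) for p in preds)

def racount(flows, pred):
    """Summarise the matching flows the way racount's sum line does."""
    hits = [f for f in flows if pred(f)]
    src = sum(f[5] for f in hits)
    dst = sum(f[6] for f in hits)
    return {"records": len(hits), "src_bytes": src,
            "dst_bytes": dst, "total_bytes": src + dst}

def ipsec_usage(flows, net):
    """The six IPSec filters from the post, per direction, for one net."""
    base = [not_(tcp), not_(udp), not_(icmp)]
    return {
        "esp_src": racount(flows, all_of(ip_proto(50), *base, src_net(net))),
        "esp_dst": racount(flows, all_of(ip_proto(50), *base, dst_net(net))),
        "ah_src":  racount(flows, all_of(ip_proto(51), *base, src_net(net))),
        "ah_dst":  racount(flows, all_of(ip_proto(51), *base, dst_net(net))),
        "ike_src": racount(flows, all_of(udp, port(500), src_net(net))),
        "ike_dst": racount(flows, all_of(udp, port(500), dst_net(net))),
    }
```

Leaving out the `ip proto N` term, the remaining `not tcp and not udp and not icmp` clause alone matches the 47, 50 and 51 records here, the same mix the post saw in the ra output.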
