Argus: ip proto usage

Carter Bullard carter at qosient.com
Sun Aug 17 20:08:19 EDT 2003


Hey Geoff,
   There could easily be a bug, so we'll have to dig just a
bit, but first, what does '1.2.3.4/56' mean?  That is not
a real CIDR address, so I'm not sure what it will do, but
I'll check later tonight.  Have you tried this with a correct
CIDR address to see if it changes things?

   The mask bit length should be less than 32.

Carter



> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of
> Geoff Powell
> Sent: Saturday, August 16, 2003 9:52 AM
> To: argus-info at lists.andrew.cmu.edu
> Subject: Argus: ip proto usage
>
>
> Hi all
>
> I've been using Argus server and the ra utilities for a few months, I
> have found the application to be reasonably stable and useful, it's
> pretty good so thanks to the authors and maintainers.
>
> I have a few questions, hopefully someone has the answers
>
> I use racount to grasp traffic usage on different IP protocols and
> ports. For example, to find the usage for tcp port 80 for host 1.2.3.4 I
> might use the following two commands
>
> racount -n -r datafile.out - tcp and src net 1.2.3.4/56 and port 80
> racount -n -r datafile.out - tcp and dst net 1.2.3.4/56 and port 80
>
>
> However, when I use the same method to get usage for IPSec (udp port
> 500, which also utilizes ip protocols 50 and 51), I use the
> following commands:
>
> racount -n -r datafile.out - ip proto 50 and not tcp and not udp and not icmp and src net 1.2.3.4/56
> racount -n -r datafile.out - ip proto 50 and not tcp and not udp and not icmp and dst net 1.2.3.4/56
> racount -n -r datafile.out - ip proto 51 and not tcp and not udp and not icmp and src net 1.2.3.4/56
> racount -n -r datafile.out - ip proto 51 and not tcp and not udp and not icmp and dst net 1.2.3.4/56
> racount -n -r datafile.out - udp and port 500 and dst 1.2.3.4/56
> racount -n -r datafile.out - udp and port 500 and src net 1.2.3.4/56
>
> I have noticed that the above filters yield incorrect results. The first
> command, if piped to a file using ra instead of racount, shows any IP
> transaction that is not tcp, udp or icmp. So, in my file for that one
> command I see 47, 50 and 51. Hence, when using racount and the same
> filter, incorrect byte counts are returned.
>
> Moreover, the following two commands produce the same output, which is
> incorrect.
>
> (I have RA_PRINT_SUMMARY=no)
>
> # racount -r data.out - ip proto 2987212 and not tcp and not udp and not icmp
> racount    records       total_pkts         src_pkts         dst_pkts      total_bytes        src_bytes        dst_bytes
>     sum        808           101170            50616            50554         21254862          7194035         14060827
>
> # racount -r data.out - ip proto 1 and not tcp and not udp and not icmp
> racount    records       total_pkts         src_pkts         dst_pkts      total_bytes        src_bytes        dst_bytes
>     sum        808           101170            50616            50554         21254862          7194035         14060827
>
> The ra documentation reads as follows:
>
> ip proto protocol
> True if the Argus record is an ip transaction (see ip(4P)) of protocol
> type protocol.  Protocol can be a number or any of the string values
> found in /etc/protocols
>
> "2987212" is certainly not in my /etc/protocols :-)
>
> Am I doing something wrong, or is this a bug in the application?
>
> # rpm -q argus
> argus-2.0-4
>
> Linux 2.4.19, Red Hat Linux release 7.3 (Valhalla)
>
> Any help much appreciated, I hope what I'm saying makes sense.
>
> Thanks in advance
>
> Regards,
> Geoff (geoff at lanrex.net.au)
>
>
>

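The two arguments under discussion, a CIDR prefix length and an "ip proto" number, both have hard upper bounds that a filter parser should enforce rather than silently accept: an IPv4 prefix length is 0..32, and the IP protocol field is 8 bits, so 0..255. The following is an added example written for this page, not Argus or racount code. It parses both arguments strictly, rejects "1.2.3.4/56" and "ip proto 2987212" with an explicit error, and then applies the kind of filter Geoff describes (protocol, src/dst net, optional port) to a handful of constructed flow records to produce racount-style byte totals. The Flow class, the FLOWS sample, and the count() and is_rejected() helpers are hypothetical stand-ins and do not reflect Argus's record format or filter engine.

```python
"""Strict parsing of racount-style filter arguments, applied to constructed flows.

Added example, not Argus/racount code. Flow, FLOWS, count() and is_rejected()
are hypothetical stand-ins for an Argus record and the racount summary.
"""
import ipaddress
import socket
from dataclasses import dataclass


@dataclass
class Flow:
    """Hypothetical minimal flow record (constructed; not Argus's format)."""
    proto: int      # IP protocol number: an 8-bit header field, so 0..255
    src: str
    dst: str
    sport: int      # 0 when the protocol carries no ports (ESP, AH, GRE)
    dport: int
    src_bytes: int
    dst_bytes: int


def parse_net(spec: str) -> ipaddress.IPv4Network:
    """Parse 'a.b.c.d[/len]'. A prefix length outside 0..32 is an error, not a guess."""
    addr, _, plen = spec.partition("/")
    prefix = int(plen) if plen else 32
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad IPv4 prefix length {prefix} in {spec!r}; must be 0..32")
    return ipaddress.IPv4Network((addr, prefix), strict=False)


def parse_proto(spec: str) -> int:
    """Accept a number 0..255 or a name resolvable through /etc/protocols."""
    if spec.isdigit():
        num = int(spec)
        if num > 255:
            raise ValueError(f"IP protocol {num} out of range; the field is 8 bits (0..255)")
        return num
    try:
        return socket.getprotobyname(spec)
    except OSError as exc:
        raise ValueError(f"unknown protocol name {spec!r}") from exc


def is_rejected(parser, spec: str) -> bool:
    """True if the parser refuses spec with ValueError (shows what strict parsing rejects)."""
    try:
        parser(spec)
    except ValueError:
        return True
    return False


def count(flows, proto: str, net: str, direction: str, port=None) -> dict:
    """racount-like totals for flows matching 'proto and <src|dst> net N [and port P]'."""
    pnum, network = parse_proto(proto), parse_net(net)
    if direction not in ("src", "dst"):
        raise ValueError("direction must be 'src' or 'dst'")
    total = {"records": 0, "src_bytes": 0, "dst_bytes": 0, "total_bytes": 0}
    for f in flows:
        host = ipaddress.ip_address(f.src if direction == "src" else f.dst)
        if f.proto != pnum or host not in network:
            continue
        # 'port P' matches either end, as in the BPF/tcpdump filter language.
        if port is not None and port not in (f.sport, f.dport):
            continue
        total["records"] += 1
        total["src_bytes"] += f.src_bytes
        total["dst_bytes"] += f.dst_bytes
    total["total_bytes"] = total["src_bytes"] + total["dst_bytes"]
    return total


# Constructed sample flows for the hypothetical inside net 10.0.0.0/24.
FLOWS = [
    Flow(50, "10.0.0.5", "192.0.2.1", 0, 0, 1200, 800),        # ESP, outbound
    Flow(51, "10.0.0.5", "192.0.2.1", 0, 0, 300, 200),         # AH, outbound
    Flow(47, "10.0.0.7", "192.0.2.9", 0, 0, 500, 400),         # GRE: must not count as IPsec
    Flow(17, "10.0.0.5", "192.0.2.1", 500, 500, 900, 700),     # IKE over UDP/500
    Flow(6, "10.0.0.5", "192.0.2.1", 40000, 80, 2000, 9000),   # HTTP
    Flow(50, "198.51.100.2", "10.0.0.5", 0, 0, 100, 50),       # ESP, inbound
]

if __name__ == "__main__":
    for parser, bad in ((parse_net, "1.2.3.4/56"), (parse_proto, "2987212")):
        try:
            parser(bad)
        except ValueError as err:
            print("rejected:", err)
    print("ESP from net:", count(FLOWS, "50", "10.0.0.0/24", "src"))
    print("ESP to net:  ", count(FLOWS, "50", "10.0.0.0/24", "dst"))
    print("IKE from net:", count(FLOWS, "17", "10.0.0.0/24", "src", port=500))
```

With the protocol number checked first, the trailing "and not tcp and not udp and not icmp" in the original commands becomes redundant: a record whose protocol is 50 cannot also be 6, 17 or 1, so the extra terms only matter if the "ip proto" term is not being applied at all.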