Argus: ip proto usage
Geoff Powell
geoff at lanrex.net.au
Wed Aug 20 08:39:55 EDT 2003
Carter,
After a few days of processing I haven't seen anything abnormal in my
racount commands' output, so I think you have successfully fixed the "ip
proto" filter problem.
I have another question, however: is it possible to get tcpdump-style
output from any of the Argus utilities? If not, is the data Argus stores in
its transaction records enough to produce this type of raw output?
Thanks again
Geoff
> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu [mailto:owner-argus-
> info at lists.andrew.cmu.edu] On Behalf Of Carter Bullard
> Sent: Monday, August 18, 2003 10:08 AM
> To: 'Geoff Powell'; argus-info at lists.andrew.cmu.edu
> Subject: RE: Argus: ip proto usage
>
> Hey Geoff,
> There could easily be a bug, so we'll have to dig just a
> bit, but first, what does '1.2.3.4/56' mean? That is not
> a real CIDR address, so I'm not sure what it will do, but
> I'll check later tonight. Have you tried this with a correct
> CIDR address to see if it changes things?
>
> The mask bit length should be less than 32.
>
> Carter
>
>
>
> > -----Original Message-----
> > From: owner-argus-info at lists.andrew.cmu.edu
> > [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of
> > Geoff Powell
> > Sent: Saturday, August 16, 2003 9:52 AM
> > To: argus-info at lists.andrew.cmu.edu
> > Subject: Argus: ip proto usage
> >
> >
> > Hi all
> >
> > I've been using the Argus server and the ra utilities for a few months. I
> > have found the application to be reasonably stable and useful; it's
> > pretty good, so thanks to the authors and maintainers.
> >
> > I have a few questions, hopefully someone has the answers
> >
> > I use racount to grasp traffic usage on different IP protocols and
> > ports. For example, to find the usage for tcp port 80 for host 1.2.3.4 I
> > might use the following two commands
> >
> > racount -n -r datafile.out - tcp and src net 1.2.3.4/56 and port 80
> > racount -n -r datafile.out - tcp and dst net 1.2.3.4/56 and port 80
> >
> >
> > However, when I use the same method to get usage for IPSec (udp port
> > 500, which also utilizes ip protocols 50 and 51), using the
> > following commands
> >
> > racount -n -r datafile.out - ip proto 50 and not tcp and not udp and not icmp and src net 1.2.3.4/56
> > racount -n -r datafile.out - ip proto 50 and not tcp and not udp and not icmp and dst net 1.2.3.4/56
> > racount -n -r datafile.out - ip proto 51 and not tcp and not udp and not icmp and src net 1.2.3.4/56
> > racount -n -r datafile.out - ip proto 51 and not tcp and not udp and not icmp and dst net 1.2.3.4/56
> > racount -n -r datafile.out - udp and port 500 and dst 1.2.3.4/56
> > racount -n -r datafile.out - udp and port 500 and src net 1.2.3.4/56
> >
> > I have noticed that the above filters yield incorrect results. The first
> > command, if piped to a file using ra instead of racount, shows any IP
> > transaction that is not tcp, udp or icmp. So, in my file for that one
> > command I see 47, 50 and 51. Hence, when using racount and the same
> > filter, incorrect byte counts are returned.
> >
> > Moreover, the following two commands produce the same output, which is
> > incorrect.
> >
> > (I have RA_PRINT_SUMMARY=no)
> >
> > # racount -r data.out - ip proto 2987212 and not tcp and not udp and not icmp
> > racount   records  total_pkts  src_pkts  dst_pkts  total_bytes  src_bytes  dst_bytes
> > sum           808      101170     50616     50554     21254862    7194035   14060827
> >
> > # racount -r data.out - ip proto 1 and not tcp and not udp and not icmp
> > racount   records  total_pkts  src_pkts  dst_pkts  total_bytes  src_bytes  dst_bytes
> > sum           808      101170     50616     50554     21254862    7194035   14060827
> >
> > The ra documentation reads as follows:
> >
> > ip proto protocol
> > True if the Argus record is an ip transaction (see ip(4P)) of protocol
> > type protocol. Protocol can be a number or any of the string values
> > found in /etc/protocols
> >
> > "2987212" is certainly not in my /etc/protocols :-)
> >
> > Am I doing something wrong, or is this a bug in the application?
> >
> > # rpm -q argus
> > argus-2.0-4
> >
> > Linux 2.4.19, Red Hat Linux release 7.3 (Valhalla)
> >
> > Any help much appreciated, I hope what I'm saying makes sense.
> >
> > Thanks in advance
> >
> > Regards,
> > Geoff (geoff at lanrex.net.au)
> >
> >
> >
>
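The two filter mistakes discussed in this thread, a CIDR mask longer than 32 bits (1.2.3.4/56) and an "ip proto" value that cannot be an 8-bit IP protocol number (2987212), are both easy to catch before the expression ever reaches racount. The script below is an added example and is not part of the argus distribution or of anyone's post in this thread: it resolves protocol names the way the ra documentation describes, from /etc/protocols (a constructed excerpt of that file is embedded so it runs offline), validates the network mask with Python's ipaddress module, and refuses a filter whose "not X" clause names the same protocol as its "ip proto N" (such as "ip proto 1 and not icmp", which can never match a record). The helper names (resolve_proto, build_filter, ipsec_filters, racount_command) and the datafile name are this example's own; the racount options -n and -r and the "-" separator before the filter are the ones used in the commands above. Nothing here invokes racount itself.

```python
"""Build and sanity-check ra/racount filter expressions before running them.

Added example, not part of the argus distribution.  A constructed excerpt
of /etc/protocols is embedded so the script runs offline.
"""
import ipaddress
import shlex

# Constructed excerpt in /etc/protocols format:  name  number  aliases  # comment
PROTOCOLS_EXCERPT = """\
# Internet (IP) protocols -- constructed excerpt for this example
ip      0       IP           # internet protocol, pseudo protocol number
icmp    1       ICMP         # internet control message protocol
tcp     6       TCP          # transmission control protocol
udp     17      UDP          # user datagram protocol
gre     47      GRE          # General Routing Encapsulation
esp     50      IPSEC-ESP    # Encap Security Payload
ah      51      IPSEC-AH     # Authentication Header
"""


def parse_protocols(text):
    """Map every protocol name and alias (lower-cased) to its number."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        number = int(fields[1])
        for name in [fields[0]] + fields[2:]:
            table[name.lower()] = number
    return table


def resolve_proto(proto, table):
    """Return the IP protocol number for a name or numeric string.

    The IP header's protocol field is 8 bits, so anything outside 0-255
    (like the 2987212 in the thread) is refused instead of passed through.
    """
    proto = str(proto)
    if proto.isdigit():
        number = int(proto)
    elif proto.lower() in table:
        number = table[proto.lower()]
    else:
        raise ValueError(f"unknown protocol name {proto!r}")
    if not 0 <= number <= 255:
        raise ValueError(f"ip proto {number} is outside the 8-bit range 0-255")
    return number


def validate_net(cidr):
    """Return a normalised IPv4 network; a mask longer than 32 bits is refused.

    strict=False lets a host address with a mask (1.2.3.4/24) through and
    normalises it to 1.2.3.0/24; ipaddress rejects 1.2.3.4/56 outright.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError(f"{cidr!r} is not an IPv4 network")
    return str(net)


def build_filter(proto, direction, net, table, exclude=()):
    """Compose 'ip proto N and <src|dst> net CIDR [and not X ...]'.

    An exclusion naming the same protocol as 'ip proto' (proto 1 together
    with 'not icmp') can never match anything, so it is refused.
    """
    number = resolve_proto(proto, table)
    if direction not in ("src", "dst"):
        raise ValueError("direction must be 'src' or 'dst'")
    parts = [f"ip proto {number}", f"{direction} net {validate_net(net)}"]
    for name in exclude:
        if resolve_proto(name, table) == number:
            raise ValueError(f"'not {name}' contradicts 'ip proto {number}'")
        parts.append(f"not {name}")
    return " and ".join(parts)


def ipsec_filters(net, table, port=500):
    """The six IPsec filters from the thread (ESP, AH, IKE on UDP), each direction."""
    cidr = validate_net(net)
    filters = [build_filter(proto, direction, cidr, table)
               for proto in ("esp", "ah") for direction in ("src", "dst")]
    for direction in ("src", "dst"):
        filters.append(f"udp and port {port} and {direction} net {cidr}")
    return filters


def racount_command(datafile, filt):
    """Shell command line for racount, filter after the '-' separator."""
    return shlex.join(["racount", "-n", "-r", datafile, "-"] + filt.split())


def rejects(fn, *args, **kwargs):
    """True if fn raises ValueError for these inputs."""
    try:
        fn(*args, **kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    table = parse_protocols(PROTOCOLS_EXCERPT)
    for filt in ipsec_filters("1.2.3.4/24", table):        # hypothetical net
        print(racount_command("datafile.out", filt))
    print("1.2.3.4/56 rejected:", rejects(validate_net, "1.2.3.4/56"))
    print("ip proto 2987212 rejected:", rejects(resolve_proto, 2987212, table))
```

Once "ip proto 50" matches only protocol 50, the "and not tcp and not udp and not icmp" clauses in the original commands are redundant (a protocol-50 record is by definition none of those); build_filter still accepts them through the exclude argument so the generated command can be compared with the one typed by hand.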