ranonymize questions
Peter Van Epp
vanepp at sfu.ca
Mon Jul 14 22:54:20 EDT 2003
Someone is interested in some of my argus historical data and thus
I'm poking at ranonymize (from argus-clients-2.0.6.beta.40). I have set
the following ranonymize.conf file:
ranonymize.conf
RANON_TRANSREFNUM_OFFSET=none
RANON_SEQNUM_OFFSET=none
RANON_TIME_SEC_OFFSET=none
RANON_TIME_USEC_OFFSET=none
RANON_PRESERVE_WELLKNOWN_PORT_NUMS=yes
RANON_PRESERVE_REGISTERED_PORT_NUMS=yes
RANON_PRESERVE_PRIVATE_PORT_NUMS=yes
RANON_PRESERVE_NET_ADDRESS_HIERARCHY=cidr
And executed:
ranonymize -F ./ranonymize.conf -r argus.out -w aargus.out
I think this should give me anonymous IP addresses with nothing else
modified (because all else should be disabled) but it doesn't seem to be.
ra -r argus.out -n -n -- ip
14 Jul 03 19:07:56 udp 142.58.1.225.138 -> 142.58.1.255.138 1 0 243 0 INT
14 Jul 03 19:07:14 udp 142.58.1.175.63390 -> 239.255.255.253.427 4 0 364 0 CON
14 Jul 03 19:08:03 udp 142.58.1.55.538 -> 142.58.1.255.538 1 0 306 0 INT
14 Jul 03 19:07:20 tcp 209.121.208.209.530 -> 142.58.1.10.22 18 16 1326 2724 CON
14 Jul 03 19:07:23 rtp 142.58.1.10.1688 <-> 142.58.103.1.53 1 1 88 212 CON
ra -r aargus.out -n -n -- ip
11 Sep 93 15:02:20 udp 100.0.1.3.138 -> 100.0.1.255.138 1 0 243 0 INT
11 Sep 93 15:01:38 udp 100.0.1.4.52670 -> 224.0.2.1.427 4 0 364 0 CON
11 Sep 93 15:02:27 udp 100.0.1.5.538 -> 100.0.1.255.538 1 0 306 0 INT
11 Sep 93 15:01:44 tcp 197.0.1.1.530 -> 100.0.1.6.22 18 16 1326 2724 CON
11 Sep 93 15:01:47 rtp 100.0.1.6.56504 <-> 100.0.2.1.53 1 1 88 212 CON
Now, time has been modified (the first 4 "none" in the conf file
should stop this I think). Port ".63390" in the second line has become
".52670". One of the preserve port statements in the conf file should have
fixed this I think (unimportant except for P2P programs with specific
non-registered ports ...)
So am I missing something obvious or is there a bug or bugs here?
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
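
A way to check systematically which non-address fields differ between the two ra listings above, as an added example that is not part of the original post or of the argus clients. It pairs records by position (assuming ranonymize keeps record order) and treats the IANA port ranges as the meaning of the three port-preservation options, which is also an assumption.

```python
import re
from datetime import datetime

# The five record pairs from the post, one record per line (ra -n -n output).
ORIGINAL = """\
14 Jul 03 19:07:56 udp 142.58.1.225.138 -> 142.58.1.255.138 1 0 243 0 INT
14 Jul 03 19:07:14 udp 142.58.1.175.63390 -> 239.255.255.253.427 4 0 364 0 CON
14 Jul 03 19:08:03 udp 142.58.1.55.538 -> 142.58.1.255.538 1 0 306 0 INT
14 Jul 03 19:07:20 tcp 209.121.208.209.530 -> 142.58.1.10.22 18 16 1326 2724 CON
14 Jul 03 19:07:23 rtp 142.58.1.10.1688 <-> 142.58.103.1.53 1 1 88 212 CON
"""
ANONYMIZED = """\
11 Sep 93 15:02:20 udp 100.0.1.3.138 -> 100.0.1.255.138 1 0 243 0 INT
11 Sep 93 15:01:38 udp 100.0.1.4.52670 -> 224.0.2.1.427 4 0 364 0 CON
11 Sep 93 15:02:27 udp 100.0.1.5.538 -> 100.0.1.255.538 1 0 306 0 INT
11 Sep 93 15:01:44 tcp 197.0.1.1.530 -> 100.0.1.6.22 18 16 1326 2724 CON
11 Sep 93 15:01:47 rtp 100.0.1.6.56504 <-> 100.0.2.1.53 1 1 88 212 CON
"""
REC = re.compile(r"(\d+ \w+ \d+ [\d:]+) (\w+) \S+\.(\d+) <?-> \S+\.(\d+) (.+)$")

def port_class(port):
    # IANA ranges, assumed to be what RANON_PRESERVE_*_PORT_NUMS refer to.
    return "wellknown" if port < 1024 else "registered" if port < 49152 else "private"

def parse(text):
    recs = []
    for line in text.strip().splitlines():
        when, proto, sport, dport, rest = REC.match(line).groups()
        stamp = datetime.strptime(when, "%d %b %y %H:%M:%S")
        recs.append((stamp, proto, int(sport), int(dport), rest))
    return recs

def compare(orig_text, anon_text):
    """Pair records by position (assumes ranonymize keeps record order)."""
    offsets, ports, other = set(), [], []
    for i, (o, a) in enumerate(zip(parse(orig_text), parse(anon_text))):
        offsets.add(o[0] - a[0])            # timestamp shift
        for before, after in ((o[2], a[2]), (o[3], a[3])):
            if before != after:
                ports.append((before, after, port_class(before)))
        if (o[1], o[4]) != (a[1], a[4]):    # protocol, counters, state
            other.append(i)
    return offsets, ports, other

if __name__ == "__main__":
    offsets, ports, other = compare(ORIGINAL, ANONYMIZED)
    print("time shifts seen:", [str(d) for d in offsets])
    print("ports changed   :", ports)
    print("other fields changed in records:", other)
```

On these five records it finds a single constant time shift across all records and two rewritten source ports, 63390 and 1688, with protocol, counters and state unchanged.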