ranonymize questions

Carter Bullard carter at qosient.com
Tue Jul 15 09:26:29 EDT 2003


Hey Peter,
   In terms of the OFFSET directives, 'none' is
interpreted as a 32-bit int and so you're actually
enabling these anonymizations.  Comment out the
line or remove the 'none' and things should do
much better.

Carter



> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu 
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of 
> Peter Van Epp
> Sent: Monday, July 14, 2003 10:54 PM
> To: argus-info at lists.andrew.cmu.edu
> Subject: ranonymize questions
> 
> 
> 	Someone is interested in some of my argus historical data and thus
> I'm poking at ranonymize (from argus-clients-2.0.6.beta.40). I have set
> the following ranonymize.conf file:
> 
> ranonymize.conf
> 
> RANON_TRANSREFNUM_OFFSET=none
> RANON_SEQNUM_OFFSET=none
> RANON_TIME_SEC_OFFSET=none
> RANON_TIME_USEC_OFFSET=none
> RANON_PRESERVE_WELLKNOWN_PORT_NUMS=yes
> RANON_PRESERVE_REGISTERED_PORT_NUMS=yes
> RANON_PRESERVE_PRIVATE_PORT_NUMS=yes
> RANON_PRESERVE_NET_ADDRESS_HIERARCHY=cidr
> 
> 	And executed:
> 
> ranonymize -F ./ranonymize.conf -r argus.out -w aargus.out
> 
> 	I think this should give me anonymous IP addresses with nothing else
> modified (because all else should be disabled) but it doesn't seem to be.
> 
> ra -r argus.out -n -n -- ip
> 
> 14 Jul 03 19:07:56   udp    142.58.1.225.138    ->     142.58.1.255.138      1     0    243      0   INT
> 14 Jul 03 19:07:14   udp    142.58.1.175.63390  ->     239.255.255.253.427   4     0    364      0   CON
> 14 Jul 03 19:08:03   udp    142.58.1.55.538     ->     142.58.1.255.538      1     0    306      0   INT
> 14 Jul 03 19:07:20   tcp    209.121.208.209.530 ->     142.58.1.10.22       18    16   1326   2724   CON
> 14 Jul 03 19:07:23   rtp    142.58.1.10.1688    <->    142.58.103.1.53       1     1     88    212   CON
> 
> ra -r aargus.out -n -n -- ip
> 
> 11 Sep 93 15:02:20   udp    100.0.1.3.138       ->     100.0.1.255.138       1     0    243      0   INT
> 11 Sep 93 15:01:38   udp    100.0.1.4.52670     ->     224.0.2.1.427         4     0    364      0   CON
> 11 Sep 93 15:02:27   udp    100.0.1.5.538       ->     100.0.1.255.538       1     0    306      0   INT
> 11 Sep 93 15:01:44   tcp    197.0.1.1.530       ->     100.0.1.6.22         18    16   1326   2724   CON
> 11 Sep 93 15:01:47   rtp    100.0.1.6.56504     <->    100.0.2.1.53          1     1     88    212   CON
> 
> 	Now, time has been modified (the first 4 "none" in the conf file
> should stop this I think). Port ".63390" in the second line has become
> ".52670". One of the preserve port statements in the conf file should have
> fixed this I think (unimportant except for P2P programs with specific non
> registered ports ...)
> 	So am I missing something obvious or is there a bug or bugs here?
> 
> Peter Van Epp / Operations and Technical Support 
> Simon Fraser University, Burnaby, B.C. Canada
> 




