[ARGUS] Problems with rasort, ragator
Ryan Moon
rmoon at gocougs.wsu.edu
Thu Aug 26 18:11:58 EDT 2004
Hi Carter,
I tried the patch but it still didn't work. The cast to an int at the end
was wrapping around and returning positive when it should have been
negative. I added some code to work around it (I don't write much C so
this may not be optimal). This replaces that patch you sent me, and is for
2.0.6.
# diff common/argus_client.c.orig common/argus_client.c
3852,3854c3852,3861
< cnt1 = a1->argus_far.src.appbytes + a1->argus_far.dst.appbytes;
< cnt2 = a2->argus_far.src.appbytes + a2->argus_far.dst.appbytes;
< retn = (int) (cnt1 - cnt2);
---
> cnt1 = (long long) a1->argus_far.src.appbytes;
> cnt1 += (long long) a1->argus_far.dst.appbytes;
> cnt2 = (long long) a2->argus_far.src.appbytes;
> cnt2 += (long long) a2->argus_far.dst.appbytes;
> } else {
> cnt1 = (long long) a1->argus_far.src.bytes;
> cnt1 += (long long) a1->argus_far.dst.bytes;
> cnt2 = (long long) a2->argus_far.src.bytes;
> cnt2 += (long long) a2->argus_far.dst.bytes;
> }
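Review bot: the `} else {` and closing `}` added here, like the `else if` left open by the `3855a` hunk below, depend on unchanged lines (3855, 3856, 3860) that this normal-format diff does not show, so the brace balance cannot be checked from the hunk alone; posting the same change as `diff -u` would let readers on the list verify it. The substantive part is right: each 32-bit counter is widened to `long long` before the addition, so a src+dst total above 2^32 (the 570634174 + 4225035431 tcp record in the original report is one) can no longer wrap, and the `retn = (int) (cnt1 - cnt2);` line that truncated the difference is dropped rather than carried over.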
3855a3863,3866
> if (cnt1 < cnt2) {
> retn = -1;
> } else if (cnt1 > cnt2) {
> retn = 1;
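Review bot: the inserted `else if (cnt1 > cnt2) {` is left open here and only closes through unchanged context and the `retn = 0;` of the next hunk, which is hard to follow in this format. Returning only -1/0/1 is the correct contract for a sort comparator: the old `(int) (cnt1 - cnt2)` kept just the low 32 bits of the 64-bit difference, so whenever two totals differed by 2^31 or more the sign flipped, which is exactly why tcp (627650335 + 2855939870 = 3483590205 bytes) sorted below esp (65010378 bytes) in the original rasort output.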
3857,3859c3868
< cnt1 = a1->argus_far.src.bytes + a1->argus_far.dst.bytes;
< cnt2 = a2->argus_far.src.bytes + a2->argus_far.dst.bytes;
< retn = (int) (cnt1 - cnt2);
---
> retn = 0;
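Review bot: the removed `retn = (int) (cnt1 - cnt2);` in the bytes branch is the same truncation pattern as in the appbytes branch, so a single `retn = 0;` fallthrough after the shared comparison is the right replacement. The hunk does not show the declarations of `cnt1` and `cnt2`; the widened additions only help if both are already `long long`. The sbytes and dbytes sorts mentioned below are worth checking against the same pattern: any comparator in this file that returns the `int` cast of a difference of two counters has the same sign flip once the difference reaches 2^31 and wants the same `<`/`>` form.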
I tested it with source data that broke it before, also with the "-A"
switch, and with a filter that would cause multiple tcp records to be
printed, due to values > 2^32. All seem to sort OK.
I think the sbytes and dbytes sorts may be broken, but I didn't look at
those yet.
Regarding the 32 bit counters, what do you suggest to work around this? Or
is this something where the field width will be increased in the future?
It seems like racount deals OK with the ~ 15 GB of data I am seeing in a
24 hour period, but that any programs which use the ArgusRecord struct are
going to be limited to 32 bits. Do people generally report hourly instead
of daily?
Thanks a bunch for your help :-)
-Ryan
On Wed, 25 Aug 2004, Carter Bullard wrote:
| > From: Carter Bullard <carter at newyork.qosient.com>
| > Date: Wed, 25 Aug 2004 09:19:37 -0400
| > To: Ryan Moon <rmoon at gocougs.wsu.edu>, <argus-info at lists.andrew.cmu.edu>
| > Subject: RE: [ARGUS] Problems with rasort, ragator
| >
| > Hey Ryan,
| > Seems that we've got a bug in the sort comparison
| > routine. We add the source and destination byte counts
| > to do the "bytes" comparison, but this number seems to be
| > negative in your case. We actually do a (long long)
| > comparison in the sort routine, but I suspect that the
| > conversion to (long long) is happening after its been
| > calculated to be negative. Try the patch below to see
| > if it doesn't solve your problem.
| >
| > You're getting two tcp records because the dst byte count
| > is rolling over the 32-bit counters that argus uses.
| >
| > Hope this helps,
| >
| > Carter
| >
| > Index: argus_client.c
| > ===================================================================
| > RCS file: /usr/local/cvsroot/argus-clients/common/argus_client.c,v
| > retrieving revision 1.17
| > diff -r1.17 argus_client.c
| > 3861,3862c3861,3864
| > < cnt1 = a1->argus_far.src.bytes + a1->argus_far.dst.bytes;
| > < cnt2 = a2->argus_far.src.bytes + a2->argus_far.dst.bytes;
| > ---
| >> cnt1 = (long long) a1->argus_far.src.bytes;
| >> cnt1 += (long long) a1->argus_far.dst.bytes;
| >> cnt2 = (long long) a2->argus_far.src.bytes;
| >> cnt2 += (long long) a2->argus_far.dst.bytes;
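Review bot: widening each operand before the addition removes the unsigned 32-bit wrap of src+dst, but the following `retn = (int) (cnt1 - cnt2);` line is left untouched (it appears as a removed line in Ryan's follow-up diff). That cast keeps only the low 32 bits of the difference, and since widening changes `cnt1 - cnt2` only by multiples of 2^32, the returned value (on a two's-complement `int`) is identical to the unpatched code for every input; this patch therefore cannot change the sort order, and the comparator needs to return -1/0/1 from a direct `<`/`>` test instead. The hunk also touches only the bytes pair; the appbytes comparison visible in Ryan's diff has the same pattern.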
| >
| > -----Original Message-----
| > From: owner-argus-info at lists.andrew.cmu.edu
| > [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of Ryan Moon
| > Sent: Tuesday, August 24, 2004 6:46 PM
| > To: argus-info at lists.andrew.cmu.edu
| > Subject: [ARGUS] Problems with rasort, ragator
| >
| > I'm having some difficulties with the rasort command not sorting properly
| > by the byte count:
| >
| > ragator -r <aggregated data file> -f /etc/argus/proto.conf -w - - \
| > src net xx.xx.xx | rasort -M bytes -s proto pkts bytes - \
| > not arp and not man
| >
| > esp 115703 0 65010378 0
| > udp 140586 126802 11853658 21945965
| > scps 3700 3700 177600 177600
| > icmp 325 0 62962 0
| > rtcp 90 93 7596 16627
| > tcp 2499906 3123492 627650335 2855939870
| >
| > Why is tcp listed last even though its byte counts are much larger? If I
| > substitute "sbytes" for "bytes", it appears to sort correctly:
| >
| > tcp 2499906 3123492 627650335 2855939870
| > esp 115703 0 65010378 0
| > udp 140586 126802 11853658 21945965
| > scps 3700 3700 177600 177600
| > icmp 325 0 62962 0
| > rtcp 90 93 7596 16627
| >
| > Here are the contents of my proto.conf ragator configuration file:
| >
| > # ------------
| > #label id ip src dst proto sport dport model dur idle
| > Flow 100 ip * * * * * 200 0 0
| >
| > #label id ip SAddrMask DAddrMask Proto SPort DPort
| > Model 200 ip 0.0.0.0 0.0.0.0 yes no no
| > # ------------
| >
| > Also I've been having some problems with the tcp protocol being listed
| > twice in ragator output. This is using the same ragator config.
| >
| > ragator -n -r <aggregated data file> -f /etc/argus/proto.conf - \
| > dst net xx.xx.xx and not arp and not man
| >
| > 23 Aug 04 23:44:31 *S tcp 0.0.0.0.65535 ->
| > 0.0.0.0.65535 4201885 4706726 570634174 4225035431 RST
| > 23 Aug 04 23:44:35 *S tcp 0.0.0.0.65535 ->
| > 0.0.0.0.65535 1938681 2438066 250408967 1900526877 RST
| > [...other protocols trimmed]
| >
| > Before, I fixed it by properly terminating the ragator args with "-" before
| > the filter expression. Now the problem has recurred and I am confused as to
| > why tcp is printed twice. I'm not sure which counts to trust, and it appears
| > that the sum of both might be more than the actual traffic.
| >
| > I look forward to any assistance with these problems.
| >
| > Ryan Moon
|
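The three comparator versions discussed in this thread side by side, as an added C example that is not code from argus-clients: `struct rec` is a constructed stand-in for the 32-bit byte counters of the 2.0.6 ArgusRecord, and the sample totals are the sbytes/dbytes columns from Ryan's first rasort output. It shows that the widening alone cannot change the result while the (int) cast remains, and that the -1/0/1 form reproduces the order Ryan saw with sbytes.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Constructed stand-in for the 32-bit src/dst byte counters of the 2.0.6
 * ArgusRecord (argus_far.src.bytes / dst.bytes); not the real struct. */
struct rec { const char *proto; uint32_t src_bytes, dst_bytes; };
/* Original 2.0.6 shape (the "<" lines in Ryan's diff): the add is done in
 * unsigned 32-bit, then the 64-bit difference is truncated to int. */
static int cmp_original(const void *pa, const void *pb)
{
    const struct rec *a = pa, *b = pb;
    long long cnt1 = a->src_bytes + a->dst_bytes;   /* may wrap at 2^32 */
    long long cnt2 = b->src_bytes + b->dst_bytes;
    return (int)(cnt1 - cnt2);              /* keeps only the low 32 bits */
}
/* Carter's first patch: widen before adding, keep the cast. The cast still
 * drops everything above bit 31, so the sign always matches cmp_original. */
static int cmp_widened(const void *pa, const void *pb)
{
    const struct rec *a = pa, *b = pb;
    long long cnt1 = (long long)a->src_bytes + (long long)a->dst_bytes;
    long long cnt2 = (long long)b->src_bytes + (long long)b->dst_bytes;
    return (int)(cnt1 - cnt2);
}
/* Ryan's follow-up: widen, then return only the sign, which is all that a
 * sort comparison (qsort() here) needs. */
static int cmp_fixed(const void *pa, const void *pb)
{
    const struct rec *a = pa, *b = pb;
    long long cnt1 = (long long)a->src_bytes + (long long)a->dst_bytes;
    long long cnt2 = (long long)b->src_bytes + (long long)b->dst_bytes;
    return (cnt1 < cnt2) ? -1 : (cnt1 > cnt2) ? 1 : 0;
}
/* Per-protocol sbytes/dbytes copied from Ryan's first rasort output. */
static const struct rec SAMPLE[] = {
    { "esp", 65010378u, 0u },        { "udp", 11853658u, 21945965u },
    { "scps", 177600u, 177600u },    { "icmp", 62962u, 0u },
    { "rtcp", 7596u, 16627u },       { "tcp", 627650335u, 2855939870u },
};
#define NSAMPLE (sizeof SAMPLE / sizeof SAMPLE[0])
/* Sort a copy with cmp and return the protocol at rank i, counting from the
 * largest total (rank 0), the order in which rasort -M bytes prints them. */
static const char *rank_proto(int (*cmp)(const void *, const void *), size_t i)
{
    struct rec v[NSAMPLE];
    memcpy(v, SAMPLE, sizeof v);
    qsort(v, NSAMPLE, sizeof v[0], cmp);
    return v[NSAMPLE - 1 - i].proto;        /* qsort sorts ascending */
}
```

rank_proto(cmp_original, 0) and rank_proto(cmp_widened, 0) both return "esp" with "tcp" at rank 5, the broken order from the first report, while rank_proto(cmp_fixed, 0) returns "tcp".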