[ARGUS] ra question (on FreeBSD/Sparc64)

Gill, James james.gill at mci.com
Thu Dec 9 13:58:34 EST 2004 

On Mon, 6 Dec 2004, Carter Bullard wrote:

> Hey James,

Hey Carter, thanks for the super-quick response.

>    Well the 64 bit thing will cause problems, since  your
> machine has defined a "struct timeval" using 64-bit values
> rather than 32 bit ones.  This displaces all the data in
> an argus record by 8 bytes, so none of the filters will find
> the right values to compare.

Most of that is way over my head, sorry.  I thought it was the move from a
32-bit time_t to a 64-bit time_t that caused these problems for me earlier in
the year.  Ignorance is the best excuse I've got right now.  I suppose i'm sort
of hard-headed to still be trying this on FreeBSD on Sparc, but it would be
beautiful if it worked.

> Try this patch for the file ./include/compat.h,
> just to see if it gets you anywhere.  It may help,
> but its a long shot>
>
> cvs diff compat.h
> Index: compat.h
> ===================================================================
> RCS file: /usr/local/cvsroot/argus-clients/include/compat.h,v
> retrieving revision 1.8
> diff -r1.8 compat.h
> 46a47,49
> > #define ARGUS64BIT    1
> >
> > #if !defined(ARGUS64BIT)
> 47a51,56
> > #else
> > struct argtimeval {
> >    int tv_sec;
> >    int tv_usec;
> > };
> > #endif
>

Thank you, I'll try this patch and report back.

--gill



>
> Carter
>
>
> > From: "Gill, James" <james.gill at mci.com>
> > Reply-To: <James.Gill at mci.com>
> > Date: Mon, 06 Dec 2004 18:27:39 -0500 (EST)
> > To: argus-info mailing list <argus-info at lists.andrew.cmu.edu>
> > Subject: [ARGUS] ra question (on FreeBSD/Sparc64)
> >
> >
> > So ... here's some data in my argus.out file:
> >
> > [box] /usr/local/argus> ra -nn -r argus.out - | tail -5
> > 23 Oct 04 19:07:00           udp  200.42.108.205.3486   ->   2.4.5.111.1434  1
> > 23 Oct 04 19:07:43  s        tcp     66.77.61.80.2556   ->    2.4.5.14.3001  2
> > 23 Oct 04 19:07:53  s        tcp     66.77.61.80.2556   ->    2.4.5.14.3001  1
> > 23 Oct 04 19:08:08           udp    209.79.46.76.3081   ->   2.4.5.223.1434  1
> >
> > now if i want to look for just stuff to, say, port 3001:
> >
> > [box] /usr/local/argus> ra -nn -r argus.out - port 3001
> >
> > ...what? no data?  I know I have flows with dst port 3001!  Why is this
> > happening?
> >
> > It seems that whatever I do, my "filter expression" causes ra to produce no
> > output.  This works fine on my very similar i386 box, why not on the sparc?
> >
> > I'm running this version, built from FreeBSD ports:
> > [box] /usr/local/argus> argus -v
> > Argus Version 2.0.6.fixes.1
> >
> > Here's an important point of information:
> > [box] /usr/local/argus> uname -a
> > FreeBSD drain.donkeytech.net 5.3-BETA7 FreeBSD 5.3-BETA7 #0: Sat Oct  9
> > 12:41:54
> > UTC 2004     jamgill at drain:/usr/obj/usr/src/sys/GENERIC  sparc64
> >
> > I'm pretty crunched for time until after the new year, but if anyone has
> > suggestions about what might be causing this and what to do to test, I'm all
> > ears.
> >
> >
> > Thanks,
> >
> > --gill
> >
> >
> >         -----------------------------------------------------
> >         MCI/UUNET Network Security & Abuse * 1-800-900-0241,4
> >         -----------------------------------------------------
> >              v-net:  desk = 806-3834 ; group = 806-8805
> >
>
>
>

        -----------------------------------------------------
        MCI/UUNET Network Security & Abuse * 1-800-900-0241,4
        -----------------------------------------------------
             v-net:  desk = 806-3834 ; group = 806-8805

More information about the argus mailing list