argus-clients-3.0.0.rc.20
Carter Bullard
carter at qosient.com
Tue Aug 1 02:35:22 EDT 2006
Hey Peter,

The parser->ArgusConvBuffer is used to build a TLV structure, and ArgusGenerateRecordStruct parses the TLV and generates the argus record. The ArgusConvBuffer can have any amount of garbage in it and not cause a problem, as long as the TLV is being generated properly. By zeroing out the appropriate values in the ArgusGenerateRecordStruct routine buffer, all the values should be initialized to zero each time.

So this is the output that my ra() generates for the two files you attached on a big endian machine:
../bin/ra -r ~/Desktop/badtcp.argus -s +sipid +dipid -n
StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport SrcPkts DstPkts SrcBytes DstBytes State sIpId dIpId
06/06/27 14:20:28.835259 v tcp 142.58.64.150.4074 ?> 216.239.57.104.80 24 0 5227 0 FIN 0xa4ef
06/06/27 14:21:15.514446 v tcp 216.239.57.104.80 ?> 142.58.64.150.4074 13 0 6178 0 FIN 0x7972

../bin/ra -r ~/Desktop/badtcp2.argus -s +sipid +dipid -n
StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport SrcPkts DstPkts SrcBytes DstBytes State sIpId dIpId
06/06/27 14:20:28.834986 v udp 142.58.250.27.2049 <-> 142.58.249.237.800 20760 19989 4521068 3178714 CON 0x0000
06/06/27 14:20:28.835259 v tcp 142.58.64.150.4074 ?> 216.239.57.104.80 24 0 5227 0 FIN 0xa4ef
06/06/27 14:20:30.103319 v udp 142.58.249.237.800 <-> 142.58.250.27.2049 19976 20746 3176652 4518840 CON 0xb9c4
06/06/27 14:21:15.514446 v tcp 216.239.57.104.80 ?> 142.58.64.150.4074 13 0 6178 0 FIN 0x7972
And here are the two files on a little endian machine:
../bin/ra -r /tmp/badtcp.argus -s +sipid +dipid -n
StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport SrcPkts DstPkts SrcBytes DstBytes State sIpId dIpId
06/06/27 14:20:28.835259 v tcp 142.58.64.150.4074 ?> 216.239.57.104.80 24 0 5227 0 FIN 0xa4ef
06/06/27 14:21:15.514446 v tcp 216.239.57.104.80 ?> 142.58.64.150.4074 13 0 6178 0 FIN 0x7972

../bin/ra -r /tmp/badtcp2.argus -s +sipid +dipid -n
StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport SrcPkts DstPkts SrcBytes DstBytes State sIpId dIpId
06/06/27 14:20:28.834986 v udp 142.58.250.27.2049 <-> 142.58.249.237.800 20760 19989 4521068 3178714 CON 0x0000
06/06/27 14:20:28.835259 v tcp 142.58.64.150.4074 ?> 216.239.57.104.80 24 0 5227 0 FIN 0xa4ef
06/06/27 14:20:30.103319 v udp 142.58.249.237.800 <-> 142.58.250.27.2049 19976 20746 3176652 4518840 CON 0xb9c4
06/06/27 14:21:15.514446 v tcp 216.239.57.104.80 ?> 142.58.64.150.4074 13 0 6178 0 FIN 0x7972
One thing puzzles me: why are your flows unidirectional? Shouldn't these be tallied as bidirectional flows?

Do you see a problem with the new ra output above (at least for ipid)?
Carter
On Jul 31, 2006, at 8:28 PM, Peter Van Epp wrote:
> On Mon, Jul 31, 2006 at 07:16:49PM -0400, Carter Bullard wrote:
>> Hey Peter,
>> OK, some of these suggested patches are not really applicable, so pardon if I did not apply them all. The ArgusConvertRecord bzero() does not seem appropriate, and it's expensive, so I didn't do that, but I did put in a bzero() in ArgusGenerateRecordStruct(), which seems to be more directed at your hunch that there may be data values lingering from record to record.
>>
>> I fixed the little endian problems with ip_id and printing out the values after 2.x -> 3.0 conversion.
>>
>> These changes should be up late tonight.
>>
>> Carter
>>
>
> OK, but the lack of a clear does seem to be the problem there:
>
> (gdb) l ArgusConvertRecord
> 12904 unsigned char *ArgusConvertRecord (struct ArgusInput *, char *);
> 12905
> 12906
> 12907 unsigned char *
> 12908 ArgusConvertRecord (struct ArgusInput *input, char *ptr)
> 12909 {
> 12910    if (input->ArgusConvBuffer == NULL)
> 12911       if ((input->ArgusConvBuffer = (u_char *)ArgusCalloc (1, MAXARGUSRECORD)) == NULL)
> 12912          ArgusLog (LOG_ERR, "ArgusCalloc error %s", strerror (errno));
> 12913
> (gdb) b 12910
> Breakpoint 1 at 0x8077bee: file ./argus_util.c, line 12910.
> (gdb) r -Fra3.conf.full -rbadtcp2.argus
> Starting program: /usr/local/bin/ra3 -Fra3.conf.full -rbadtcp2.argus
> warning: Unable to get location for thread creation breakpoint: generic error
> [New LWP 100085]
> [New Thread 0x81c7000 (LWP 100085)]
> [Switching to Thread 0x81c7000 (LWP 100085)]
>
> (the first time it calls calloc and all is well)
>
> Breakpoint 1, ArgusConvertRecord (input=0x8212000, ptr=0xbfbfeb30 "\200\001") at ./argus_util.c:12910
> 12910    if (input->ArgusConvBuffer == NULL)
> (gdb) s
> 12911       if ((input->ArgusConvBuffer = (u_char *)ArgusCalloc (1, MAXARGUSRECORD)) == NULL)
> (gdb)
>
> (the second time it's still happy because the first was a man record)
>
> (gdb) c
> Continuing.
>
> Breakpoint 1, ArgusConvertRecord (input=0x8212000, ptr=0x8224000 "\001\004\001 ") at ./argus_util.c:12910
> 12910    if (input->ArgusConvBuffer == NULL)
> (gdb) s
> 12914    switch (input->mode) {
> (gdb) print *input->ArgusConvBuffer
> $4 = 0 '\0'
> (gdb) x/40xb input->ArgusConvBuffer
> 0x8214000: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
> 0x8214008: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
> 0x8214010: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
> 0x8214018: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
> 0x8214020: 0x00 0x00 0x00 0x00 0x
>
> (but by the third time we still have the last record in the buffer and any values we don't overwrite will be from the previous record, such as the dest packets count (which this packet doesn't have, so we don't rewrite it), which will cause invalid fields to be printed.)
>
> (gdb) c
> Continuing.
> StartTime,LastTime,Trans,Dur,AvgDur,SrcAddr,DstAddr,Proto,Sport,Dport,sTos,dTos,sTtl,dTtl,SrcBytes,DstBytes,SAppBytes,DAppBytes,SrcPkts,DstPkts,Src_bps,Dst_bps,Src_pps,Dst_pps,SrcLoss,DstLoss,SrcId,Flgs,SrcMac,DstMac,Dir,SrcJitter,DstJitter,State,srcUdata,dstUdata,SrcWin,DstWin,Seq,sMpls,dMpls,sVlan,dVlan,sIpId,dIpId
> 1151432428.834986,1151433529.662031,1,1100.827045,1100.827026,142.58.250.27,142.58.249.237,udp,2049,800,0,0,64,64,4521068,3178714,2499724,2259220,20760,19989,32855.793,23100.553,18.859,18.158,0,0,229.97.122.203, v ,0:2:b3:d8:98:6e,0:11:88:5:5d:1d,<->,,,CON,s[16]="fx..............",d[16]="gx..............",,,14,,,0x8200,0x8200,0x0000,0x0000
>
> Breakpoint 1, ArgusConvertRecord (input=0x8212000, ptr=0x8224120 "\001\004\001\204") at ./argus_util.c:12910
> 12910    if (input->ArgusConvBuffer == NULL)
> (gdb) print input->ArgusConvBuffer
> $10 = (unsigned char *) 0x8214000 "\024 U"
> (gdb) x/400xb input->ArgusConvBuffer
> 0x8214000: 0x14 0x20 0x55 0x00 0x01 0x02 0x01 0x03
> 0x8214008: 0xcb 0x7a 0x61 0xe5 0x0e 0x00 0x00 0x00
> 0x8214010: 0x02 0x01 0x01 0x05 0x1b 0xfa 0x3a 0x8e
> 0x8214018: 0xed 0xf9 0x3a 0x8e 0x11 0x00 0x01 0x08
> 0x8214020: 0x20 0x03 0x00 0x00 0x03 0x02 0x18 0x05
> 0x8214028: 0xec 0x76 0xa1 0x44 0xaa 0xbd 0x0c 0x00
> 0x8214030: 0x39 0x7b 0xa1 0x44 0x0f 0x1a 0x0a 0x00
> 0x8214038: 0x10 0x04 0x04 0x0d 0x18 0x51 0x00 0x00
> 0x8214040: 0x00 0x00 0x00 0x00 0x6c 0xfc 0x44 0x00
> 0x8214048: 0x00 0x00 0x00 0x00 0x8c 0x24 0x26 0x00
> 0x8214050: 0x00 0x00 0x00 0x00 0x15 0x4e 0x00 0x00
> 0x8214058: 0x00 0x00 0x00 0x00 0xda 0x80 0x30 0x00
> 0x8214060: 0x00 0x00 0x00 0x00 0x14 0x79 0x22 0x00
> 0x8214068: 0x00 0x00 0x00 0x00 0x48 0x00 0x0f 0x05
> 0x8214070: 0x40 0x00 0x00 0x00 0x00 0x00 0x00 0x00
> 0x8214078: 0x40 0x00 0x00 0x00 0x00 0x00 0x00 0x00
> 0x8214080: 0x42 0x00 0x00 0x05 0x00 0x11 0x88 0x05
> 0x8214088: 0x5d 0x1d 0x00 0x02 0xb3 0xd8 0x98 0x6e
> 0x8214090: 0x81 0x00 0x00 0x00 0x40 0x00 0x03 0x02
> 0x8214098: 0x00 0x82 0x00 0x82 0x50 0x90 0x17 0x00
> 0x82140a0: 0x54 0x00 0x54 0x00 0x66 0x78 0xd2 0x9d
> 0x82140a8: 0x00 0x00 0x00 0x01 0x00 0x00 0x00 0x00
> 0x82140b0: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
>
> I'll attach the two test files: badtcp.argus has only the one record in it and prints correctly on either version; badtcp2.argus has the record before it and will print incorrectly on ra3 (compared to badtcp.argus) because the dest values from the previous record are still there and not removed.
>
> Peter Van Epp / Operations and Technical Support
> Simon Fraser University, Burnaby, B.C. Canada
> <badtcp.argus>
> <badtcp2.argus>
Carter Bullard
CEO/President
QoSient, LLC
150 E. 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax
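The buffer-reuse problem discussed in this thread, as an added example that is not argus code: a toy TLV parser standing in for ArgusGenerateRecordStruct, fed two constructed records through one shared conversion buffer and one reused record struct. The element codes, field names, record bytes and function names are all invented for the example. It shows both points from the exchange above: leftover bytes in the conversion buffer past the terminator do no harm, while the dst counters of a unidirectional record come back holding the previous record's values unless the struct is zeroed before each parse.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical TLV element codes for this example only; they are not argus's real DSR types. */
enum { TLV_END = 0, TLV_SRC_PKTS = 1, TLV_DST_PKTS = 2, TLV_SRC_IPID = 3, TLV_DST_IPID = 4 };

/* Simplified stand-in for the record that ArgusGenerateRecordStruct fills. */
struct flow_record {
    uint32_t src_pkts, dst_pkts;
    uint16_t src_ipid, dst_ipid;
};

#define CONV_BUF_LEN 64

/* Conversion buffer allocated once and never cleared, like the calloc'ed ArgusConvBuffer. */
static uint8_t conv_buf[CONV_BUF_LEN];
/* Record buffer reused from one record to the next. */
static struct flow_record rec_buf;

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walk a TLV stream of type(1) length(1) value(length) elements ending in a type-0 element.
 * Values are big-endian on the wire, so the same bytes decode identically on either host.
 * Returns the number of elements applied, or -1 if an element overruns the buffer, has the
 * wrong length for its type, or the terminator is missing. */
int generate_record(const uint8_t *buf, size_t len, struct flow_record *rec, int zero_first)
{
    if (zero_first)
        memset(rec, 0, sizeof *rec);    /* every field starts at zero for this record */
    size_t off = 0;
    int n = 0;
    while (off + 2 <= len) {
        uint8_t type = buf[off], vlen = buf[off + 1];
        if (type == TLV_END)
            return n;                   /* anything after the terminator is ignored */
        if (off + 2 + vlen > len)
            return -1;                  /* element would run past the buffer */
        const uint8_t *v = buf + off + 2;
        switch (type) {
        case TLV_SRC_PKTS: if (vlen != 4) return -1; rec->src_pkts = be32(v); break;
        case TLV_DST_PKTS: if (vlen != 4) return -1; rec->dst_pkts = be32(v); break;
        case TLV_SRC_IPID: if (vlen != 2) return -1; rec->src_ipid = be16(v); break;
        case TLV_DST_IPID: if (vlen != 2) return -1; rec->dst_ipid = be16(v); break;
        default: break;                 /* unknown element: length is known, so skip it */
        }
        off += 2 + vlen;
        n++;
    }
    return -1;                          /* ran off the end without a terminator */
}

/* Constructed record A: a bidirectional flow carrying both src and dst counters. */
static const uint8_t rec_a[] = {
    TLV_SRC_PKTS, 4, 0x00, 0x00, 0x51, 0x18,   /* src_pkts = 20760 */
    TLV_DST_PKTS, 4, 0x00, 0x00, 0x4e, 0x15,   /* dst_pkts = 19989 */
    TLV_SRC_IPID, 2, 0xb9, 0xc4,
    TLV_DST_IPID, 2, 0x12, 0x34,
    TLV_END, 0,
};
/* Constructed record B: a unidirectional flow that carries no dst elements at all. */
static const uint8_t rec_b[] = {
    TLV_SRC_PKTS, 4, 0x00, 0x00, 0x00, 0x18,   /* src_pkts = 24 */
    TLV_SRC_IPID, 2, 0xa4, 0xef,
    TLV_END, 0,
};

/* Replay A then B through the shared buffers and return the record produced for B.
 * B is shorter than A, so conv_buf still holds A's tail after B's terminator; the parser
 * stops at the terminator, so that leftover is harmless.  Whether B's dst fields come
 * out as zero or as A's values depends only on zero_first. */
struct flow_record replay_two_records(int zero_first)
{
    memcpy(conv_buf, rec_a, sizeof rec_a);
    generate_record(conv_buf, CONV_BUF_LEN, &rec_buf, 1);
    memcpy(conv_buf, rec_b, sizeof rec_b);
    generate_record(conv_buf, CONV_BUF_LEN, &rec_buf, zero_first);
    return rec_buf;
}

int main(void)
{
    struct flow_record stale = replay_two_records(0), clean = replay_two_records(1);
    printf("without zeroing: src_pkts=%u dst_pkts=%u dst_ipid=0x%04x\n",
           stale.src_pkts, stale.dst_pkts, stale.dst_ipid);   /* dst_pkts=19989 leaks from A */
    printf("with zeroing:    src_pkts=%u dst_pkts=%u dst_ipid=0x%04x\n",
           clean.src_pkts, clean.dst_pkts, clean.dst_ipid);   /* dst_pkts=0 */
    return 0;
}
```

The stale run reports dst_pkts=19989 for a record that carried no dst counter at all, which is the same symptom Peter traced with gdb; zeroing the record struct before each parse, rather than the much larger conversion buffer, is enough to remove it. The parser also refuses a truncated element or a stream with no terminator instead of reading on through whatever the buffer held before, which is the check any conversion routine over a fixed-size reused buffer needs.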