argus-clients-3.0.0.rc.21

Carter Bullard carter at qosient.com
Wed Aug 2 10:57:38 EDT 2006


OK, fragment reporting should be working for the fragments flag,
still need to work on FRAG_ONLY records.

I changed the entire approach to esp and so it doesn't have a
sport value anymore (uni-directional flow, only one sap, the spi
field).   I print the spi, which is a 32-bit value, in the dport field,
so it can get big.   I suspect mismatches in flow identifiers for
esp are going to happen.

Igmp support in argus-2.x was/is minimal, and 3.0 is doing a
much better job.  igmp records in 3.0 will not have port numbers.

One of the flows you have is an rtp flow in 2.x but udp in 3.0.
These will have loss reporting problems, as rtp loss is in an
rtp specific TLV, and we are not converting properly.
If you can pluck out any 2.x rtp records and send for debugging,
I'll fix that.

Not sure about the djit values being different.  Maybe a rounding
error?  Could you grab that specific record and send?

Carter




On Aug 2, 2006, at 12:04 AM, Peter Van Epp wrote:

> On Tue, Aug 01, 2006 at 11:28:10PM -0400, Carter Bullard wrote:
>> Hey Peter,
>> So I just uploaded new argus and client rc files.
>> Give em a try, should fix a few things.
>> Carter
>>
>
> 	Indeed much closer :-)  The fragmentation flag doesn't look like it's
> getting across correctly, esp has problems and igmp looks to still have
> problems but no more tos/ttl etc. problems so far :-).
>
> sport 0
> dport 0
> flgs2 = F
> flgs32 =
>
> line: 63 fields in error: dport,proto,flgs,sport,
> 1151432428.855532,1151433529.671900,1,1100.816368,1100.816368,142.58.2 
> 9.58,142.5
> 8.135.65,ipni, 
> 0,0,255,255,255,255,17531159,3131651,2956740,2631957,29411,12445,1
> 27404.78,22758.75,26.72,11.31,0.0000,0.0000,3848370891,qF, 
> 0:11:88:21:f1:80,0:11:
> 88:5:5d:1d,<->,28888.102963,,CON,s[16]="%...........#\..",d[16] 
> ="%.............]
> .",,,8651,,,0xc087,0x027f,0x0000
> 1151432428.855532,1151433529.671900,1,1100.816368,1100.816406,142.58.2 
> 9.58,142.5
> 8.135.65,ipnip,,, 
> 255,255,255,255,17531159,3131651,2956740,2631957,29411,12445,12
> 7404.781,22758.752,26.717,11.305,0,0,229.97.122.203, v       , 
> 0:11:88:21:f1:80,0
> :11:88:5:5d:1d,<->,28886.744474,,CON,s[16]="%...........#\..",d[16] 
> ="%..........
> ...].",,,8651,,,0xc087,0x027f,0x0000,0x0000
>
> 	esp too (look like bugs in both 2.0.6 and 3.0 so may be underlying
> data)
>
> sport 0
> dport 48106 2079308778
>
> line: 203 fields in error: dport,sport,
> 1151432428.949492,1151433528.697986,1,1099.748494,1099.748494,142.58.2 
> 13.62,208.
> 38.3.62,esp, 
> 0,48106,0,0,64,0,1185980,0,961248,0,5914,0,8627.28,0.00,5.38,0.00,0.
> 0000,0.0000,3848370891,q,0:10:db:73:dd:51,0:11:88:5:5d:1d,->, 
> 759527.000000,,INT,
> s[16]="...@!.....G...K.",,,,9297,,,0x8200,,0x7bef
> 1151432428.949492,1151433528.697986,1,1099.748494,1099.748535,142.58.2 
> 13.62,208.
> 38.3.62,esp,, 
> 2079308778,0,,64,,1185980,0,961248,0,5914,0,8627.281,0.000,5.378,0.
> 000,0,0,229.97.122.203, v       ,0:10:db:73:dd:51,0:11:88:5:5d:1d,- 
> >,759527.0000
> 00,,INT,s[16]="...@!.....G...K.",,,,9297,,,0x8200,,0x7bef,
>
> 	The ports look to be a 2.0.6 bug but ipid may be an endian issue.
>
> sport 22
> dport 0
> state CON INT
> sipid 0xd21b 0x1bd2
>
> line: 361 fields in error: state,dport,sipid,sport,
> 1151432429.126443,1151432860.570563,1,431.444120,431.444120,142.58.60. 
> 61,224.0.0
> .251,igmp, 
> 22,0,0,0,1,0,100,0,16,0,2,0,1.85,0.00,0.00,0.00,0.0000,0.0000,38483708
> 91,q,0:11:24:97:47:52,1:0:5e:0:0:fb,->,,,CON,s[8]="........",,,, 
> 8856,,,0x0280,,0
> xd21b
> 1151432429.126443,1151432860.570563,1,431.444120,431.444122,142.58.60. 
> 61,224.0.0
> .251,igmp,,, 
> 0,,1,,100,0,16,0,2,0,1.854,0.000,0.005,0.000,0,0,229.97.122.203, v
>      ,0:11:24:97:47:52,1:0:5e:0:0:fb,->,,,INT,s[8]="........",,,, 
> 8856,,,0x0280,,
> 0x1bd2,
>
>
>
> %./ra_test.pl rs178.2.argus | more
>
> line: 7 fields in error: dir,
> 1151432428.834980,1151432968.849102,1,540.014122,540.014122,142.58.206 
> .16,142.58
> .202.108,tcp, 
> 524,1434,0,0,128,128,4270036130,91141044,4095125356,4541942,3015703
> , 
> 1493083,63258140.20,1350202.38,5584.49,2764.90,0.0007,0.0000,384837089 
> 1,qs,0:f:
> 1f:f8:c4:c1,0:11:88:5:5d:1d,?>,1278.000000,3716.553425,CON,s[16] 
> =".Y....&!..:KLJ
> j(",d[16]="DmdT...1........",21344,17520,8541,,,0x80ce,0x80ca,0xfee9
> 1151432428.834980,1151432968.849102,1,540.014122,540.014099,142.58.206 
> .16,142.58
> .202.108,tcp, 
> 524,1434,0,0,128,128,4270036130,91141044,4095125356,4541942,3015703
> , 
> 1493083,63258144.000,1350202.375,5584.489,2764.896,0,0,229.97.122.203, 
>  vs
> ,0:f:1f:f8:c4:c1,0:11:88:5:5d:1d,<?>,1278.000000,3716.47,CON,s[16] 
> =".Y....&!..:K
> LJj(",d[16]="DmdT...1........",21344,17520,8541,,,0x80ce,0x80ca, 
> 0xfee9,0xfee9
>
> sloss 139.0000 0
>
> line: 15 fields in error: proto,sloss,
> 1151432428.835508,1151432946.117999,1,517.282491,517.282491,142.58.205 
> .8,24.85.1
> 38.30,rtp, 
> 16386,41238,0,0,64,0,2500442,0,1317184,0,25723,0,38670.43,0.00,49.73,0
> .00,139.0000,0.0000,3848370891,q,0:16:cb:85:6b:be,0:11:88:5:5d:1d,- 
> >,16300.00000
> 0,,INT,s[16]="......w..0......",,,,8551,,,0x0200,,0x82df
> 1151432428.835508,1151432946.117999,1,517.282491,517.282471,142.58.205 
> .8,24.85.1
> 38.30,udp, 
> 16386,41238,0,,64,,2500442,0,1317184,0,25723,0,38670.430,0.000,49.727,
> 0.000,0,0,229.97.122.203, v       ,0:16:cb:85:6b:be,0:11:88:5:5d: 
> 1d,->,16300.000
> 000,,INT,s[16]="......w..0......",,,,8551,,,0x0200,,0x82df,
>
> djit 563401.875345 561892.47
>
> line: 23 fields in error: djit,dir,
> 1151432428.836459,1151433529.824857,1,1100.988398,1100.988398,142.58.1 
> 55.79,142.
> 58.167.63,tcp, 
> 1030,445,0,0,255,255,7324703,34375869,3834611,30963787,60174,58829
> ,53222.74,249781.88,54.65,53.43,0.0299,0.0068,3848370891,q*,0:b:db: 
> 49:f6:39,0:11
> :88:5:5d:1d,?>,31.787992,563401.875345,CON,s[16] 
> ="...;.SMB........",d[16]="...<.
> SMB........",17520,16766,8549,,,0x0200,0x8200,0x93ab
> 1151432428.836459,1151433529.824857,1,1100.988398,1100.988403,142.58.1 
> 55.79,142.
> 58.167.63,tcp, 
> 1030,445,0,0,255,255,7324703,34375869,3834611,30963787,60174,58829
> ,53222.742,249781.875,54.655,53.433,0,0,229.97.122.203, v*      , 
> 0:b:db:49:f6:39
> ,0:11:88:5:5d:1d,<?>,31.541513,561892.47,CON,s[16] 
> ="...;.SMB........",d[16]="...
> <.SMB........",17520,16766,8549,,,0x0200,0x8200,0x93ab,0x93ab
>
> state TIM CON
>
> line: 31 fields in error: state,dir,
> 1151432428.840442,1151433509.016300,1,1080.175858,1080.175858,142.58.2 
> 35.103,142
> .58.103.117,tcp, 
> 1660,445,0,0,128,0,580,0,0,0,10,0,4.30,0.00,0.01,0.00,0.0000,0.0
> 000,3848370891,q,0:14:22:56:d6:dd,0:11:88:5:5d:1d,<?>,,,TIM,,, 
> 0,0,756,,,0x8200,,
> 0xbdef
> 1151432428.840442,1151433509.016300,1,1080.175858,1080.175903,142.58.2 
> 35.103,142
> .58.103.117,tcp, 
> 1660,445,0,,128,,580,0,0,0,10,0,4.296,0.000,0.009,0.000,0,0,229.
> 97.122.203, v       ,0:14:22:56:d6:dd,0:11:88:5:5d:1d,?>,,,CON,,, 
> 0,0,756,,,0x820
> 0,,0xbdef,
>
> sport 34
> dport 0
> state CON INT
>
> line: 42 fields in error: state,dport,sport,
> 1151432428.847329,1151432439.757887,1,10.910558,10.910558,142.58.200.2 
> 52,224.0.0
> .22,igmp, 
> 34,0,192,0,1,0,174,0,48,0,3,0,127.58,0.00,0.27,0.00,0.0000,0.0000,3848 
> 3
> 70891,q,0:e0:81:20:c3:4c,1:0:5e:0:0:16,->,,,CON,s[16] 
> =""...............",,,,8887
> ,,,0x0200,,0x0000
> 1151432428.847329,1151432439.757887,1,10.910558,10.910558,142.58.200.2 
> 52,224.0.0
> .22,igmp,,, 
> 192,,1,,174,0,48,0,3,0,127.583,0.000,0.275,0.000,0,0,229.97.122.203,
> v       ,0:e0:81:20:c3:4c,1:0:5e:0:0:16,->,,,INT,s[16] 
> =""...............",,,,888
> 7,,,0x0200,,0x0000,
>
>
> line: 52 fields in error: dir,
> 1151432428.851530,1151433240.526740,1,811.675210,811.675210,142.58.71. 
> 99,142.58.
> 217.166,tcp, 
> 49152,1935,0,0,255,255,79657946,6850292,71822216,9962,111939,97719,7
> 85121.39,67517.57,137.91,120.39,0.0036,0.0000,3848370891,qs, 
> 0:11:24:a8:11:b2,0:1
> 1:88:5:5d:1d,?>,5055.000000,33915.787004,CON,s[16] 
> ="K.....h.".......",d[16]="...
> ...........%6",65535,34752,8586,,,0x0200,0x8288,0x8b92
> 1151432428.851530,1151433240.526740,1,811.675210,811.675232,142.58.71. 
> 99,142.58.
> 217.166,tcp, 
> 49152,1935,0,0,255,255,79657946,6850292,71822216,9962,111939,97719,7
> 85121.375,67517.562,137.911,120.392,0,0,229.97.122.203, vs      , 
> 0:11:24:a8:11:b
> 2,0:11:88:5:5d:1d,<?>,5055.000000,33915.32,CON,s[16] 
> ="K.....h.".......",d[16]=".
> .............%6",65535,34752,8586,,,0x0200,0x8288,0x8b92,0x8b92
>
> sport 0
> dport 0
> flgs2 = F
> flgs32 =
>
> line: 63 fields in error: dport,proto,flgs,sport,
> 1151432428.855532,1151433529.671900,1,1100.816368,1100.816368,142.58.2 
> 9.58,142.5
> 8.135.65,ipni, 
> 0,0,255,255,255,255,17531159,3131651,2956740,2631957,29411,12445,1
> 27404.78,22758.75,26.72,11.31,0.0000,0.0000,3848370891,qF, 
> 0:11:88:21:f1:80,0:11:
> 88:5:5d:1d,<->,28888.102963,,CON,s[16]="%...........#\..",d[16] 
> ="%.............]
> .",,,8651,,,0xc087,0x027f,0x0000
> 1151432428.855532,1151433529.671900,1,1100.816368,1100.816406,142.58.2 
> 9.58,142.5
> 8.135.65,ipnip,,, 
> 255,255,255,255,17531159,3131651,2956740,2631957,29411,12445,12
> 7404.781,22758.752,26.717,11.305,0,0,229.97.122.203, v       , 
> 0:11:88:21:f1:80,0
> :11:88:5:5d:1d,<->,28886.744474,,CON,s[16]="%...........#\..",d[16] 
> ="%..........
> ...].",,,8651,,,0xc087,0x027f,0x0000,0x0000
>
>
> Peter Van Epp / Operations and Technical Support
> Simon Fraser University, Burnaby, B.C. Canada
>

Carter Bullard
CEO/President
QoSient, LLC
150 E. 57th Street Suite 12D
New York, New York 10022

+1 212 588-9133 Phone
+1 212 588-9134 Fax
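
Added example, not part of the original thread and not argus or ra_test.pl code: a Python helper that sorts the port and ipid differences reported above into the causes the two messages name (no ports for esp sport and igmp in 3.0, the 32-bit spi printed in dport, a byte-order difference in ipid). The function names and category labels are assumptions; the sample values are copied from the quoted records.

```python
def swap16(value):
    """Swap the two bytes of a 16-bit value (0xd21b -> 0x1bd2)."""
    return ((value & 0xFF) << 8) | ((value >> 8) & 0xFF)


def parse_num(text):
    """Parse a decimal or 0x-prefixed field; an empty field becomes None."""
    text = text.strip()
    if not text:
        return None
    return int(text, 16) if text.lower().startswith("0x") else int(text)


def classify(proto, field, old, new):
    """Label the difference between a 2.x value (old) and a 3.0 value (new).

    The labels are hypothetical names chosen for this example.
    """
    a, b = parse_num(old), parse_num(new)
    if a == b:
        return "match"
    if b is None and field in ("sport", "dport"):
        # 3.0 prints no sport for esp and no ports at all for igmp.
        if proto == "igmp" or (proto == "esp" and field == "sport"):
            return "no-port-in-3.0"
    if a is None or b is None:
        return "missing"
    if proto == "esp" and field == "dport" and b > 0xFFFF:
        # 3.0 prints the full 32-bit spi here; check whether the 2.x
        # value is just its low 16 bits.
        if (b & 0xFFFF) == a:
            return "spi-low16-match"
    if field in ("sipid", "dipid") and a <= 0xFFFF and swap16(a) == b:
        return "byte-swapped"
    return "mismatch"


# (proto, field, 2.0.6 value, 3.0 value) taken from the records quoted above
SAMPLES = [
    ("esp", "sport", "0", ""),
    ("esp", "dport", "48106", "2079308778"),
    ("igmp", "sport", "22", ""),
    ("igmp", "sipid", "0xd21b", "0x1bd2"),
]

if __name__ == "__main__":
    for proto, field, old, new in SAMPLES:
        print(proto, field, old or "-", new or "-", classify(proto, field, old, new))
```
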

