Argus duser field stays blank

Karl Tatgenhorst karlt at uchicago.edu
Thu Aug 10 10:59:35 EDT 2006


Carter,

   As I think more about my test results I am reminded of the old stand
up bit "Hey Doc, it hurts when I do this"... "Well, don't do that"

   In the course of testing Argus one thing we tried was giving the
listener interface an IP Address and then hitting it with a large amount
of ICMP. While the amount of ICMP is realistic to expect on our network,
it would not be like that. Argus tried to separate each ICMP packet and
reply as a flow and adjust counters accordingly (we went into the
millions of packets) and CPU spiked wildly followed by a core dump. I
think it could be handled on your end with a "Don't do this" note :-)

   The other issue though, duser data is perplexing me and I will be
looking at it today.

Thanks,

Karl

On Wed, 2006-08-09 at 22:48 +0000, carter at qosient.com wrote:
> Hey Karl,
> We need to fix this problem, so if you have file that has a problem, and you don't mind sharing, I can use it to debug.  If not I can walk you through a session with gdb, to find out where it is dying.
> 
> Hmmm, the '-d 128' is obsolete, you should use '+suser:128'.
> 
> If you are not seeing duser data, are you sure you are observing return traffic?  Are there dbyte counts?
> 
> Carter
> 
> Carter Bullard
> QoSient LLC
> 150 E. 57th Street Suite 12D
> New York, New York 10022
> +1 212 588-9133 Phone
> +1 212 588-9134 Fax  
> 
> -----Original Message-----
> From: Karl Tatgenhorst <karlt at uchicago.edu>
> Date: Wed, 09 Aug 2006 13:12:14 
> To:argus-info at lists.andrew.cmu.edu
> Subject: [ARGUS] Argus duser field stays blank
> 
> 
> 
>    My new argus setup is pretty near production. Doing some initial
> testing I did find a few odd behaviors. The first was that some ICMP
> could trigger a segfault on the argus listener. We have excellent
> coverage with flows and since ICMP rarely is interesting (in the payload
> department) we opted to simply filter ICMP from argus, but I thought you
> might like to know. The biggest thing for RA was that I usually do s
> +user on read argus, I notice it is now split suser and duser, this
> seems useful enough, however, when I do ra -d 128 -ns +duser I show no
> payloads. Since I have 30,000 machines on my... test network I am sure
> that I should see some payloads. Anyone have any ideas? Oh yeah, source
> payloads show when I do + suser.
> 
> Thanks,
> 
> Karl
> 
> 
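As an added illustration (not from this thread and not Argus project code): a small check that applies Carter's "are there dbyte counts?" question in bulk to ra output, separating flows with no return bytes (where an empty duser is expected) from flows that do show dbyte counts but still no duser. The comma-delimited format, the header row and any field names not mentioned in the thread are assumptions of this example.

```python
import csv
from collections import Counter
from io import StringIO
from typing import Dict, List, Tuple

# Constructed sample, not real ra output. It assumes ra was asked for
# comma-delimited records with a header row and these fields (the exact
# invocation, e.g. `ra -n -c , -s stime saddr daddr sbytes dbytes suser:128 duser:128`,
# is an assumption of this example, not something the thread states).
SAMPLE_RA_OUTPUT = """\
stime,saddr,daddr,sbytes,dbytes,suser,duser
2006-08-09 13:01:02,10.1.2.3,10.9.8.7,320,0,GET / HTTP/1.0,
2006-08-09 13:01:05,10.1.2.4,10.9.8.7,410,1200,GET / HTTP/1.0,HTTP/1.0 200 OK
2006-08-09 13:01:09,10.1.2.5,10.9.8.8,180,120,GET / HTTP/1.0,
"""

def parse_ra_csv(text: str) -> List[Dict[str, str]]:
    """Parse delimited ra output with a header row into dicts keyed by field name."""
    return list(csv.DictReader(StringIO(text)))

def classify_flow(rec: Dict[str, str]) -> str:
    dbytes = int(rec["dbytes"])
    duser = rec["duser"].strip()
    if dbytes == 0:
        # No bytes from the destination at all: one-way flow, a blank duser is expected.
        return "no-return-traffic"
    if duser:
        return "duser-captured"
    # Return traffic was counted but no destination payload was recorded. dbytes
    # counts whole packets, so a handshake-only reply (headers, no data) also
    # lands here; treat this as a flow to inspect, not as proof of a capture bug.
    return "dbytes-without-duser"

def triage(text: str) -> Dict[str, int]:
    """Count flows per class across the whole ra output."""
    return dict(Counter(classify_flow(r) for r in parse_ra_csv(text)))

def flows_to_inspect(text: str) -> List[Tuple[str, str]]:
    """(saddr, daddr) pairs where return bytes exist but duser stayed blank."""
    return [(r["saddr"], r["daddr"]) for r in parse_ra_csv(text)
            if classify_flow(r) == "dbytes-without-duser"]

if __name__ == "__main__":
    print(triage(SAMPLE_RA_OUTPUT))
    print(flows_to_inspect(SAMPLE_RA_OUTPUT))
```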