a curiosity ...
VIEAU Cédric 172196
cedric.vieau at cea.fr
Fri Aug 18 06:36:37 EDT 2006
Hey Peter,
> I was (am) poking at the direction and status codes on
> 2.0.6 to 3.0 conversion because it is about the only non
> working part left. [...]
Well, IMHO maybe this is a good thing that v3 directions are not the same as v2.
Argus-v2 directions are a bit hard to fully understand (at least for me, see attached doc I once tried to write (it's maybe outdated since the latest patches against 2.0.6)).
Now with v3, directions seem much simpler (so simple that I suspect a bug in ArgusPrintDir for IPv4 TCP flows, as they are not treated the same way as IPv6 flows).
However, here is an attempt to reproduce v2 directions & status on argus v3.rc25
(I only modified directions for IPv4 TCP flows)
------------------------------
--- common/argus_util.c.orig 2006-08-17 15:55:45.000000000 +0200
+++ common/argus_util.c 2006-08-18 12:19:29.000000000 +0200
@@ -3640,7 +3640,24 @@
if (!((tcp->status & ARGUS_SAW_SYN) || (tcp->status & ARGUS_SAW_SYN_SENT))) {
dirStr[1] = '?';
}
- if ((tcp->status & ARGUS_SAW_SYN) || (tcp->status & ARGUS_SAW_SYN_SENT)) {
+ if ((tcp->status & ARGUS_RESET) || (tcp->status & ARGUS_NORMAL_CLOSE)
+ || (tcp->status & (ARGUS_FIN | ARGUS_FIN_ACK)) || (tcp->status & ARGUS_NORMAL_CLOSE)) {
+ dirStr[0] = ' ';
+ dirStr[2] = '>';
+ } else
+ if (tcp->status & ARGUS_TIMEOUT) {
+ dirStr[0] = '<';
+ dirStr[2] = '>';
+ } else
+ if (tcp->status & ARGUS_CON_ESTABLISHED) {
+ dirStr[0] = ' ';
+ dirStr[2] = '>';
+ } else
+ if (tcp->status & ARGUS_SAW_SYN_SENT) {
+ dirStr[0] = '<';
+ dirStr[2] = ' ';
+ } else
+ if (tcp->status & ARGUS_SAW_SYN) {
dirStr[0] = ' ';
dirStr[2] = '>';
}
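Review bot: the first new condition in this hunk tests `ARGUS_NORMAL_CLOSE` twice (`(tcp->status & ARGUS_NORMAL_CLOSE)` appears as both the second and the last operand), so one of the two is dead; drop the duplicate, or collapse the whole test into a single mask such as `if (tcp->status & (ARGUS_RESET | ARGUS_NORMAL_CLOSE | ARGUS_FIN | ARGUS_FIN_ACK))`. Two further points: the timeout branch reads `tcp->status & ARGUS_TIMEOUT`, whereas the status hunk below reads the timeout from `argus->hdr.cause & ARGUS_TIMEOUT`; please confirm that the timeout bit is actually carried in `tcp->status`, otherwise the `'<'` / `'>'` case is never taken. And the replaced test only set the direction marks when a SYN or SYN-ACK had been seen; with the new chain a reset or closed flow gets `' '` / `'>'` even after `dirStr[1]` was set to `'?'` a few lines above. That looks intentional (direction unknown, but data seen), but a one-line comment saying so would save the next reader from treating it as a bug.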
@@ -10489,12 +10506,18 @@
}
} else {
+ struct ArgusMetricStruct *metric = (struct ArgusMetricStruct *)argus->dsrs[ARGUS_METRIC_INDEX];
+
if (status & ARGUS_RESET) sprintf (ArgusStatusBuf, "RST"); else
+ if (status & ARGUS_NORMAL_CLOSE) sprintf (ArgusStatusBuf, "CLO"); else
if (status & ARGUS_FIN) sprintf (ArgusStatusBuf, "FIN"); else
if (status & ARGUS_FIN_ACK) sprintf (ArgusStatusBuf, "FIN"); else
- if (status & ARGUS_NORMAL_CLOSE) sprintf (ArgusStatusBuf, "CLO"); else
if (argus->hdr.cause & ARGUS_TIMEOUT) sprintf (ArgusStatusBuf, "TIM"); else
- if (status & ARGUS_CON_ESTABLISHED) sprintf (ArgusStatusBuf, "CON"); else
+ if (status & ARGUS_CON_ESTABLISHED) {
+ if (metric && (metric->src.bytes == 0) && (metric->src.bytes == 0))
+ sprintf (ArgusStatusBuf, "STA"); else
+ sprintf (ArgusStatusBuf, "CON");
+ } else
if (status & ARGUS_SAW_SYN_SENT) sprintf (ArgusStatusBuf, "ACC"); else
if (status & ARGUS_SAW_SYN) sprintf (ArgusStatusBuf, "REQ");
}
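Review bot: the new `STA` branch checks `metric->src.bytes == 0` twice (`(metric->src.bytes == 0) && (metric->src.bytes == 0)`), so the destination byte count is never consulted; the second operand is presumably meant to be the destination counter (`metric->dst.bytes`, assuming that is the field name). As written, an established connection where the client sent nothing but the server did would be reported as `STA` instead of `CON`. Also, `STA` is a status string introduced by this hunk; a comment stating what it denotes (established, no payload in either direction) would help anyone reading the output. Finally, moving the `ARGUS_NORMAL_CLOSE` test ahead of the two FIN tests changes the priority so a flow that saw both a FIN and a normal close now prints `CLO` rather than `FIN`; that looks like the intent, but it is a visible output change and belongs in the description.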
---------------
I hope this can be useful in some way
Cedric
-------------- next part --------------
A non-text attachment was scrubbed...
Name: argus_dir_status.pdf
Type: application/octet-stream
Size: 20368 bytes
Desc: argus_dir_status.pdf
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20060818/1546fcb9/attachment.obj>