a curiousity ...

VIEAU Cédric 172196 cedric.vieau at cea.fr
Fri Aug 18 10:36:59 EDT 2006


Hey,

Sorry, I made some mistakes in my previous patch; here is the (I hope) corrected one. Not perfect, but it gives better results for the direction and state of TCP flows.
I had to add the case 'hdr.cause == ARGUS_TIMEOUT' for non-mar records in ArgusConvertRecord.

------------------------
--- common/argus_util.c.orig    2006-08-17 15:55:45.000000000 +0200
+++ common/argus_util.c 2006-08-18 16:24:48.000000000 +0200
@@ -3640,7 +3640,24 @@
                               if (!((tcp->status & ARGUS_SAW_SYN) || (tcp->status & ARGUS_SAW_SYN_SENT))) {
                                  dirStr[1] = '?';
                               }
-                              if ((tcp->status & ARGUS_SAW_SYN) || (tcp->status & ARGUS_SAW_SYN_SENT)) {
+                              if ((tcp->status & ARGUS_RESET) || (tcp->status & ARGUS_NORMAL_CLOSE) 
+                              || (tcp->status & (ARGUS_FIN | ARGUS_FIN_ACK)) || (tcp->status & ARGUS_NORMAL_CLOSE)) {
+                                 dirStr[0] = ' ';
+                                 dirStr[2] = '>';
+                              } else
+                              if (argus->hdr.cause & ARGUS_TIMEOUT) {
+                                 dirStr[0] = '<';
+                                 dirStr[2] = '>';
+                              } else
+                              if (tcp->status & ARGUS_CON_ESTABLISHED) {
+                                 dirStr[0] = ' ';
+                                 dirStr[2] = '>';
+                              } else
+                              if (tcp->status & ARGUS_SAW_SYN_SENT) {
+                                 dirStr[0] = '<';
+                                 dirStr[2] = ' ';
+                              } else
+                              if (tcp->status & ARGUS_SAW_SYN) {
                                  dirStr[0] = ' ';
                                  dirStr[2] = '>';
                               }
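Review bot: The condition on the first added branch tests `ARGUS_NORMAL_CLOSE` twice, once on each of its two lines; the second test is redundant, and the four flags can be tested through one mask, `if (tcp->status & (ARGUS_RESET | ARGUS_NORMAL_CLOSE | ARGUS_FIN | ARGUS_FIN_ACK)) {`, which also drops the trailing blank after `ARGUS_NORMAL_CLOSE)` on the first line. The `ARGUS_TIMEOUT` branch tests `argus->hdr.cause` with bitwise `&`, while the third hunk assigns `argus->hdr.cause = ARGUS_TIMEOUT` as a plain value; if cause is an enumerated value rather than a bit mask, `==` is the safer comparison, and the same `&` test appears in the second hunk. Three of the five branches set the same pair (`' '`, `'>'`), so a one-line comment naming which v2 direction each pair encodes would help a reader who does not have the v2 semantics in mind. The enclosing function starts before and ends after the hunk.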
@@ -10489,12 +10506,18 @@
       }
 
    } else {
+      struct ArgusMetricStruct *metric = (struct ArgusMetricStruct *)argus->dsrs[ARGUS_METRIC_INDEX];
+
       if (status & ARGUS_RESET)             sprintf (ArgusStatusBuf, "RST"); else
+      if (status & ARGUS_NORMAL_CLOSE)      sprintf (ArgusStatusBuf, "CLO"); else
       if (status & ARGUS_FIN)               sprintf (ArgusStatusBuf, "FIN"); else
       if (status & ARGUS_FIN_ACK)           sprintf (ArgusStatusBuf, "FIN"); else
-      if (status & ARGUS_NORMAL_CLOSE)      sprintf (ArgusStatusBuf, "CLO"); else
       if (argus->hdr.cause & ARGUS_TIMEOUT) sprintf (ArgusStatusBuf, "TIM"); else
-      if (status & ARGUS_CON_ESTABLISHED)   sprintf (ArgusStatusBuf, "CON"); else
+      if (status & ARGUS_CON_ESTABLISHED) {
+       if (metric && (metric->src.bytes == 0) && (metric->dst.bytes == 0)) 
+                                           sprintf (ArgusStatusBuf, "STA"); else
+                                           sprintf (ArgusStatusBuf, "CON");
+      } else
       if (status & ARGUS_SAW_SYN_SENT)      sprintf (ArgusStatusBuf, "ACC"); else
       if (status & ARGUS_SAW_SYN)           sprintf (ArgusStatusBuf, "REQ");
    }
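Review bot: The new `STA` status string is introduced without any explanation of what it encodes; a comment above the `ARGUS_CON_ESTABLISHED` block such as `/* STA: established but no bytes counted in either direction; CON otherwise */` would document it, since it is the only state derived from the metric DSR rather than from `status`. The `metric` pointer is checked for NULL before its fields are read, which is right because the `dsrs[ARGUS_METRIC_INDEX]` slot is presumably absent on some records; the cast to `struct ArgusMetricStruct *` is taken on trust from the index, as elsewhere in this chain. The inner `if (metric && ...)` line does not line up with the surrounding chain and carries trailing whitespace. The enclosing function and the definition of `ArgusStatusBuf` are outside the hunk.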
@@ -13162,6 +13185,7 @@
                case ARGUS_V2_START:  argus->hdr.cause = ARGUS_START; break;
                case ARGUS_V2_STATUS: argus->hdr.cause = ARGUS_STATUS; break;
                case ARGUS_V2_STOP:   argus->hdr.cause = ARGUS_STOP; break;
+               case ARGUS_V2_TIMEOUT:argus->hdr.cause = ARGUS_TIMEOUT; break;
             }
 
             argus->hdr.len = 1;
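Review bot: The added `case` label has no space after the colon, unlike the three sibling labels, which align their assignments; `case ARGUS_V2_TIMEOUT: argus->hdr.cause = ARGUS_TIMEOUT; break;` keeps the column layout. The `switch` has no visible `default:`, so for any other v2 cause value `argus->hdr.cause` keeps whatever it held before, which the first two hunks then test with `& ARGUS_TIMEOUT`; a `default:` that sets a known value, or at least a comment saying the fall-through is intended, would make that explicit, though the opening of the switch is outside the hunk. The enclosing function starts before and ends after the hunk.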
----- end patch ------------

Cedric


> -----Message d'origine-----
> De : argus-info-bounces at lists.andrew.cmu.edu 
> Envoyé : vendredi 18 août 2006 12:37
> Objet : RE: [ARGUS] a curiousity ...
> 
> Hey Peter, 
> 
> > 	I was (am) poking at the direction and status codes on
> > 2.0.6 to 3.0 conversion because it is about the only non 
> working part 
> > left. [...]
> 
> Well, IMHO maybe this is a good thing that v3 directions are 
> not the same as v2.
> Argus-v2 directions are a bit hard to fully understand (at 
> least for me, see attached doc I once tried to write (it's 
> maybe outdated since the lastest patches against 2.0.6)).
> 
> Now with v3, directions seem much simpler (so simple that I 
> suspect a bug in ArgusPrintDir for IPv4 TCP flows, as they 
> are not treated the same way as IPv6 flows).
> 
> However, here is an attempt to reproduce v2 directions & 
> status on argus v3.rc25 (I only modified directions for IPv4 
> TCP flows)
> 
> ------------------------------
...
> ---------------
> 
> I hope this can be useful in some way
> Cedric
> 


