a curiousity ...
Carter Bullard
carter at qosient.com
Fri Aug 18 13:34:31 EDT 2006
Gentle people,
I am not going to be able to get these changes into the code until
Sun/Mon.
But I have all the other problems resolved (or at least they seem to be
resolved). I will incorporate these later, and go ahead and upload
rc.26 today, if that is agreeable.
Carter
On Aug 18, 2006, at 10:36 AM, VIEAU Cédric 172196 wrote:
> Hey,
>
> sorry, I've made some mistakes in my previous patch, here is the (I
> hope) corrected one. Not perfect, but it gives better results with
> direction and state of tcp flows.
> I had to add the case 'hdr.cause == ARGUS_TIMEOUT' for non-mar
> records in ArgusConvertRecord.
>
> ------------------------
> --- common/argus_util.c.orig 2006-08-17 15:55:45.000000000 +0200
> +++ common/argus_util.c 2006-08-18 16:24:48.000000000 +0200
> @@ -3640,7 +3640,24 @@
> if (!((tcp->status & ARGUS_SAW_SYN)
> || (tcp->status & ARGUS_SAW_SYN_SENT))) {
> dirStr[1] = '?';
> }
> - if ((tcp->status & ARGUS_SAW_SYN) ||
> (tcp->status & ARGUS_SAW_SYN_SENT)) {
> + if ((tcp->status & ARGUS_RESET) ||
> (tcp->status & ARGUS_NORMAL_CLOSE)
> + || (tcp->status & (ARGUS_FIN |
> ARGUS_FIN_ACK)) || (tcp->status & ARGUS_NORMAL_CLOSE)) {
> + dirStr[0] = ' ';
> + dirStr[2] = '>';
> + } else
> + if (argus->hdr.cause & ARGUS_TIMEOUT) {
> + dirStr[0] = '<';
> + dirStr[2] = '>';
> + } else
> + if (tcp->status &
> ARGUS_CON_ESTABLISHED) {
> + dirStr[0] = ' ';
> + dirStr[2] = '>';
> + } else
> + if (tcp->status & ARGUS_SAW_SYN_SENT) {
> + dirStr[0] = '<';
> + dirStr[2] = ' ';
> + } else
> + if (tcp->status & ARGUS_SAW_SYN) {
> dirStr[0] = ' ';
> dirStr[2] = '>';
> }
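Review bot: the new condition tests `(tcp->status & ARGUS_NORMAL_CLOSE)` twice, once before and once after the `(tcp->status & (ARGUS_FIN | ARGUS_FIN_ACK))` term; the second occurrence is redundant and should be dropped so the intent (reset, normal close, or any FIN seen) reads cleanly. A short comment above the else-if chain stating the precedence being enforced (closed, then timed out, then established, then SYN-ACKed, then SYN only) would also help, since readers otherwise have to reconstruct it from the branch order. Separately, the mail client has wrapped the long lines and the continuation `(tcp->status & ARGUS_SAW_SYN_SENT)) {` of the removed line has lost its `-` prefix, so the patch as pasted will not apply with `patch`; attaching it as a file would avoid that.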
> @@ -10489,12 +10506,18 @@
> }
>
> } else {
> + struct ArgusMetricStruct *metric = (struct ArgusMetricStruct
> *)argus->dsrs[ARGUS_METRIC_INDEX];
> +
> if (status & ARGUS_RESET) sprintf
> (ArgusStatusBuf, "RST"); else
> + if (status & ARGUS_NORMAL_CLOSE) sprintf
> (ArgusStatusBuf, "CLO"); else
> if (status & ARGUS_FIN) sprintf
> (ArgusStatusBuf, "FIN"); else
> if (status & ARGUS_FIN_ACK) sprintf
> (ArgusStatusBuf, "FIN"); else
> - if (status & ARGUS_NORMAL_CLOSE) sprintf
> (ArgusStatusBuf, "CLO"); else
> if (argus->hdr.cause & ARGUS_TIMEOUT) sprintf
> (ArgusStatusBuf, "TIM"); else
> - if (status & ARGUS_CON_ESTABLISHED) sprintf
> (ArgusStatusBuf, "CON"); else
> + if (status & ARGUS_CON_ESTABLISHED) {
> + if (metric && (metric->src.bytes == 0) && (metric-
> >dst.bytes == 0))
> + sprintf
> (ArgusStatusBuf, "STA"); else
> + sprintf
> (ArgusStatusBuf, "CON");
> + } else
> if (status & ARGUS_SAW_SYN_SENT) sprintf
> (ArgusStatusBuf, "ACC"); else
> if (status & ARGUS_SAW_SYN) sprintf
> (ArgusStatusBuf, "REQ");
> }
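Review bot: the new "STA" label (established connection with `metric->src.bytes == 0` and `metric->dst.bytes == 0`) is introduced without a documentation change; wherever the status column values RST/CLO/FIN/TIM/CON/ACC/REQ are described, STA needs to be added with its meaning, since anything parsing this column will otherwise meet an unknown value. Moving the `ARGUS_NORMAL_CLOSE` test above the two FIN tests also changes the label printed for records that carry both a FIN bit and the normal-close bit (CLO instead of FIN), which is presumably intended but deserves a sentence in the change description. The `metric &&` guard before dereferencing `argus->dsrs[ARGUS_METRIC_INDEX]` is the right call, as the DSR may be absent.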
> @@ -13162,6 +13185,7 @@
> case ARGUS_V2_START: argus->hdr.cause =
> ARGUS_START; break;
> case ARGUS_V2_STATUS: argus->hdr.cause =
> ARGUS_STATUS; break;
> case ARGUS_V2_STOP: argus->hdr.cause =
> ARGUS_STOP; break;
> + case ARGUS_V2_TIMEOUT:argus->hdr.cause =
> ARGUS_TIMEOUT; break;
> }
>
> argus->hdr.len = 1;
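Review bot: style only, the added `case ARGUS_V2_TIMEOUT:argus->hdr.cause =` is missing the space after the colon that the adjacent `ARGUS_V2_START`, `ARGUS_V2_STATUS` and `ARGUS_V2_STOP` cases use; match their layout.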
> ----- end patch ------------
>
> Cedric
>
>
>> -----Original Message-----
>> From: argus-info-bounces at lists.andrew.cmu.edu
>> Sent: Friday, 18 August 2006 12:37
>> Subject: RE: [ARGUS] a curiousity ...
>>
>> Hey Peter,
>>
>>> I was (am) poking at the direction and status codes on
>>> 2.0.6 to 3.0 conversion because it is about the only
>>> non-working part left. [...]
>>
>> Well, IMHO maybe this is a good thing that v3 directions are
>> not the same as v2.
>> Argus-v2 directions are a bit hard to fully understand (at
>> least for me, see attached doc I once tried to write (it's
>> maybe outdated since the latest patches against 2.0.6)).
>>
>> Now with v3, directions seem much simpler (so simple that I
>> suspect a bug in ArgusPrintDir for IPv4 TCP flows, as they
>> are not treated the same way as IPv6 flows).
>>
>> However, here is an attempt to reproduce v2 directions &
>> status on argus v3.rc25 (I only modified directions for IPv4
>> TCP flows)
>>
>> ------------------------------
> ...
>> ---------------
>>
>> I hope this can be useful in some way
>> Cedric
>>
>
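To make the effect of the status-label reordering in Cedric's patch concrete, here is an added example (not code from the Argus project or from anyone in this thread) that implements the label precedence as it stood before the patch and as the patch leaves it, then runs a few constructed flows through both. The ST_*/CAUSE_* flag values, the function names and the sample flows are assumptions chosen for the demonstration; only the ordering of the checks is taken from the hunk at @@ -10489 above.

```c
#include <stdio.h>
#include <string.h>

/*
 * Constructed stand-ins for the Argus TCP status bits and the record
 * cause code. The real ARGUS_* values come from the Argus headers; these
 * placeholders exist only so the precedence can be exercised offline.
 */
#define ST_SAW_SYN         0x01u
#define ST_SAW_SYN_SENT    0x02u
#define ST_CON_ESTABLISHED 0x04u
#define ST_FIN             0x08u
#define ST_FIN_ACK         0x10u
#define ST_NORMAL_CLOSE    0x20u
#define ST_RESET           0x40u
#define CAUSE_TIMEOUT      0x80u

/* Label order as it stood before the patch (the '-' lines of hunk 2):
 * RST, FIN, FIN, CLO, TIM, CON, ACC, REQ. */
const char *status_before(unsigned status, unsigned cause)
{
    if (status & ST_RESET)           return "RST";
    if (status & ST_FIN)             return "FIN";
    if (status & ST_FIN_ACK)         return "FIN";
    if (status & ST_NORMAL_CLOSE)    return "CLO";
    if (cause & CAUSE_TIMEOUT)       return "TIM";
    if (status & ST_CON_ESTABLISHED) return "CON";
    if (status & ST_SAW_SYN_SENT)    return "ACC";
    if (status & ST_SAW_SYN)         return "REQ";
    return "";
}

/* Label order after the patch (the '+' lines of hunk 2): CLO now outranks
 * FIN, and an established flow that carried no payload either way is STA. */
const char *status_after(unsigned status, unsigned cause,
                         unsigned long src_bytes, unsigned long dst_bytes)
{
    if (status & ST_RESET)           return "RST";
    if (status & ST_NORMAL_CLOSE)    return "CLO";
    if (status & ST_FIN)             return "FIN";
    if (status & ST_FIN_ACK)         return "FIN";
    if (cause & CAUSE_TIMEOUT)       return "TIM";
    if (status & ST_CON_ESTABLISHED)
        return (src_bytes == 0 && dst_bytes == 0) ? "STA" : "CON";
    if (status & ST_SAW_SYN_SENT)    return "ACC";
    if (status & ST_SAW_SYN)         return "REQ";
    return "";
}

/* Returns 1 when the patch changes the label for this flag/byte combination. */
int label_changes(unsigned status, unsigned cause,
                  unsigned long src_bytes, unsigned long dst_bytes)
{
    return strcmp(status_before(status, cause),
                  status_after(status, cause, src_bytes, dst_bytes)) != 0;
}

int main(void)
{
    /* Constructed sample flows: name, status bits, cause, src bytes, dst bytes. */
    struct { const char *name; unsigned status, cause; unsigned long sb, db; } cases[] = {
        { "syn only, timed out",        ST_SAW_SYN, CAUSE_TIMEOUT, 0, 0 },
        { "established, no payload",    ST_SAW_SYN | ST_SAW_SYN_SENT | ST_CON_ESTABLISHED, 0, 0, 0 },
        { "established with payload",   ST_SAW_SYN | ST_SAW_SYN_SENT | ST_CON_ESTABLISHED, 0, 1200, 340 },
        { "fin seen and normal close",  ST_CON_ESTABLISHED | ST_FIN | ST_FIN_ACK | ST_NORMAL_CLOSE, 0, 1200, 340 },
        { "reset after fin",            ST_CON_ESTABLISHED | ST_FIN | ST_RESET, 0, 50, 0 },
    };
    size_t i, n = sizeof cases / sizeof cases[0];

    printf("%-28s %-7s %-7s %s\n", "flow", "before", "after", "changed");
    for (i = 0; i < n; i++)
        printf("%-28s %-7s %-7s %s\n", cases[i].name,
               status_before(cases[i].status, cases[i].cause),
               status_after(cases[i].status, cases[i].cause, cases[i].sb, cases[i].db),
               label_changes(cases[i].status, cases[i].cause, cases[i].sb, cases[i].db) ? "yes" : "no");
    return 0;
}
```

Compile with any C compiler and run; the table shows which constructed flows change label. The two rows that differ are exactly the cases the patch targets: a record carrying both a FIN bit and the normal-close bit now reads CLO instead of FIN, and an established flow with no payload in either direction now reads STA instead of CON, while RST and TIM keep their precedence over everything below them.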