a curiousity ...

Carter Bullard carter at qosient.com
Fri Aug 18 13:34:31 EDT 2006


Gentle people,
I am not going to be able to get these changes into the code until Sun/Mon.
But I have all the other problems resolved (or at least they seem to be
resolved).  I will incorporate these later, and go ahead and upload
rc.26 today, if that is agreeable.

Carter


On Aug 18, 2006, at 10:36 AM, VIEAU Cédric 172196 wrote:

> Hey,
>
> Sorry, I've made some mistakes in my previous patch; here is the (I hope)
> corrected one. Not perfect, but it gives better results with direction
> and state of tcp flows.
> I had to add the case 'hdr.cause == ARGUS_TIMEOUT' for non-mar records
> in ArgusConvertRecord.
>
> ------------------------
> --- common/argus_util.c.orig    2006-08-17 15:55:45.000000000 +0200
> +++ common/argus_util.c 2006-08-18 16:24:48.000000000 +0200
> @@ -3640,7 +3640,24 @@
>                                if (!((tcp->status & ARGUS_SAW_SYN)  
> || (tcp->status & ARGUS_SAW_SYN_SENT))) {
>                                   dirStr[1] = '?';
>                                }
> -                              if ((tcp->status & ARGUS_SAW_SYN) ||  
> (tcp->status & ARGUS_SAW_SYN_SENT)) {
> +                              if ((tcp->status & ARGUS_RESET) ||  
> (tcp->status & ARGUS_NORMAL_CLOSE)
> +                              || (tcp->status & (ARGUS_FIN |  
> ARGUS_FIN_ACK)) || (tcp->status & ARGUS_NORMAL_CLOSE)) {
> +                                 dirStr[0] = ' ';
> +                                 dirStr[2] = '>';
> +                              } else
> +                              if (argus->hdr.cause & ARGUS_TIMEOUT) {
> +                                 dirStr[0] = '<';
> +                                 dirStr[2] = '>';
> +                              } else
> +                              if (tcp->status &  
> ARGUS_CON_ESTABLISHED) {
> +                                 dirStr[0] = ' ';
> +                                 dirStr[2] = '>';
> +                              } else
> +                              if (tcp->status & ARGUS_SAW_SYN_SENT) {
> +                                 dirStr[0] = '<';
> +                                 dirStr[2] = ' ';
> +                              } else
> +                              if (tcp->status & ARGUS_SAW_SYN) {
>                                   dirStr[0] = ' ';
>                                   dirStr[2] = '>';
>                                }
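Review bot: the new condition on the `ARGUS_RESET` branch tests `(tcp->status & ARGUS_NORMAL_CLOSE)` twice (once on each wrapped line); drop the second occurrence, or fold the whole test into a single mask such as `if (tcp->status & (ARGUS_RESET | ARGUS_NORMAL_CLOSE | ARGUS_FIN | ARGUS_FIN_ACK))`. Also note the precedence this chain establishes: the close states are checked before `argus->hdr.cause & ARGUS_TIMEOUT`, which is checked before `ARGUS_CON_ESTABLISHED`, so a timed-out flow that also saw a FIN or RST prints as closed rather than timed out, while the `'?'` marker set just above is keyed only on the SYN bits; if that ordering is intended, a short comment saying so would save the next reader from guessing.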
> @@ -10489,12 +10506,18 @@
>        }
>
>     } else {
> +      struct ArgusMetricStruct *metric = (struct ArgusMetricStruct  
> *)argus->dsrs[ARGUS_METRIC_INDEX];
> +
>        if (status & ARGUS_RESET)             sprintf  
> (ArgusStatusBuf, "RST"); else
> +      if (status & ARGUS_NORMAL_CLOSE)      sprintf  
> (ArgusStatusBuf, "CLO"); else
>        if (status & ARGUS_FIN)               sprintf  
> (ArgusStatusBuf, "FIN"); else
>        if (status & ARGUS_FIN_ACK)           sprintf  
> (ArgusStatusBuf, "FIN"); else
> -      if (status & ARGUS_NORMAL_CLOSE)      sprintf  
> (ArgusStatusBuf, "CLO"); else
>        if (argus->hdr.cause & ARGUS_TIMEOUT) sprintf  
> (ArgusStatusBuf, "TIM"); else
> -      if (status & ARGUS_CON_ESTABLISHED)   sprintf  
> (ArgusStatusBuf, "CON"); else
> +      if (status & ARGUS_CON_ESTABLISHED) {
> +       if (metric && (metric->src.bytes == 0) && (metric- 
> >dst.bytes == 0))
> +                                           sprintf  
> (ArgusStatusBuf, "STA"); else
> +                                           sprintf  
> (ArgusStatusBuf, "CON");
> +      } else
>        if (status & ARGUS_SAW_SYN_SENT)      sprintf  
> (ArgusStatusBuf, "ACC"); else
>        if (status & ARGUS_SAW_SYN)           sprintf  
> (ArgusStatusBuf, "REQ");
>     }
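Review bot: the new `"STA"` label, emitted for an established connection with `metric->src.bytes == 0` and `metric->dst.bytes == 0`, is not explained anywhere in the hunk; add a comment stating what the label means and update the corresponding status documentation, since `STA` is a new value that anything parsing `ArgusStatusBuf` output will start seeing. The NULL check on `metric` before the dereference is good. Two further points: the `ARGUS_NORMAL_CLOSE` check has moved above `ARGUS_FIN`/`ARGUS_FIN_ACK`, which changes the printed status for any flow that has both bits set, so call that out in the changelog; and the inner `if (...) sprintf(...); else sprintf(...);` inside the new braces is fine, but the surrounding `} else` followed by `if` on the next line continues the dangling-else chain style, so keep the braces exactly as they are if anyone reformats this block.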
> @@ -13162,6 +13185,7 @@
>                 case ARGUS_V2_START:  argus->hdr.cause =  
> ARGUS_START; break;
>                 case ARGUS_V2_STATUS: argus->hdr.cause =  
> ARGUS_STATUS; break;
>                 case ARGUS_V2_STOP:   argus->hdr.cause =  
> ARGUS_STOP; break;
> +               case ARGUS_V2_TIMEOUT:argus->hdr.cause =  
> ARGUS_TIMEOUT; break;
>              }
>
>              argus->hdr.len = 1;
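Review bot: style nit first, `case ARGUS_V2_TIMEOUT:argus->hdr.cause =` is missing the space after the colon that the neighbouring `case` lines use. More importantly, this hunk assigns `argus->hdr.cause = ARGUS_TIMEOUT` with `=`, while the two earlier hunks test it with `argus->hdr.cause & ARGUS_TIMEOUT`; that only behaves correctly if `ARGUS_TIMEOUT` is a single bit distinct from `ARGUS_START`/`ARGUS_STATUS`/`ARGUS_STOP`, so either confirm those constants are bit flags or change the tests to the equality the covering message describes (`hdr.cause == ARGUS_TIMEOUT`).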
> ----- end patch ------------
>
> Cedric
>
>
>> -----Original Message-----
>> From: argus-info-bounces at lists.andrew.cmu.edu
>> Sent: Friday, 18 August 2006 12:37
>> Subject: RE: [ARGUS] a curiousity ...
>>
>> Hey Peter,
>>
>>> 	I was (am) poking at the direction and status codes on
>>> 2.0.6 to 3.0 conversion because it is about the only non
>> working part
>>> left. [...]
>>
>> Well, IMHO maybe this is a good thing that v3 directions are
>> not the same as v2.
>> Argus-v2 directions are a bit hard to fully understand (at
>> least for me; see the attached doc I once tried to write (it's
>> maybe outdated since the latest patches against 2.0.6)).
>>
>> Now with v3, directions seem much simpler (so simple that I
>> suspect a bug in ArgusPrintDir for IPv4 TCP flows, as they
>> are not treated the same way as IPv6 flows).
>>
>> However, here is an attempt to reproduce v2 directions &
>> status on argus v3.rc25 (I only modified directions for IPv4
>> TCP flows)
>>
>> ------------------------------
> ...
>> ---------------
>>
>> I hope this can be useful in some way
>> Cedric
>>
>



