argus-clients rc.26
Peter Van Epp
vanepp at sfu.ca
Sat Aug 19 22:43:46 EDT 2006
Looks pretty good so far. A few nits here and there that need poking
at if I ignore state and direction which are still pretty different. Output
from clients.rc.26 on my 2.0.6 test file. I'll post the patches to 2.0.6
and the perl script that runs the tests so more people can play :-) after this
message.
There looks to be something fairly wrong on my 64 bit test machine
against my 2.0.6 production machine (the 3.0 side looks to be missing a fair
amount of data) but I haven't yet tried the two against a tcpdump file to see
what happens.
%./ra_test.pl rs178.2.argus
flgs2 = s
flgs32 =
(change in esp handling, ignorable)
line: 1026 fields in error: flgs,
1151432430.055001,1151433528.697155,1,1098.642154,1098.642154,208.38.3.62,142.58.213.62,esp,0,16248,0,0,52,0,1385072,0,1193096,0,5052,0,10085.70,0.00,4.60,0.00,0.0000,0.0000,3848370891,qs,0:11:88:5:5d:1d,0:10:db:73:dd:51,->,841639.000000,,INT,s[16]="x?`X4........v$.",,,,7469,,,0x0200,,0x5b5f
1151432430.055001,1151433528.697155,1,1098.642154,1098.642212,208.38.3.62,142.58.213.62,esp,,1532968824,0,,52,,1385072,0,1193096,0,5052,0,10085.700,0.000,4.598,0.000,0,0,229.97.122.203, v ,0:11:88:5:5d:1d,0:10:db:73:dd:51,->,841639.000000,,INT,s[16]="x?`X4........v$.",,,,7469,,,0x0200,,0x5b5f,
sport 0xe 232
dport 0xe 232
(field size truncation in 2.0.6 ignorable)
line: 18705 fields in error: dport,sport,
1151432461.841994,1151432461.841994,1,0.000000,0.000000,0:9:6b:b7:9c:10,3:0:8:0:0:0,llc,0xe,0xe,,,,,64,0,43,0,1,0,0.00,0.00,inf,0.00,0.0000,0.0000,3848370891,q,0:9:6b:b7:9c:10,3:0:8:0:0:0,->,,,INT,s[16]="..CC............",,,,21725,,,0x8200,,
1151432461.841994,1151432461.841994,1,0.000000,0.000000,0:9:6b:b7:9c:10,3:0:8:0:0:0,llc,0xe8,0xe8,,,,,64,0,43,0,1,0,0.000,0.000,0.000,0.000,0,0,229.97.122.203, v ,0:9:6b:b7:9c:10,3:0:8:0:0:0,->,,,INT,s[16]="..CC............",,,,21725,,,0x8200,,,
sport 0x4 69
line: 18808 fields in error: sport,
1151432462.064964,1151432462.064964,1,0.000000,0.000000,0:0:4:48:6c:df,4:48:6c:df:0:0,llc,0x4,nul,,,,,122,0,104,0,1,0,0.00,0.00,inf,0.00,0.0000,0.0000,3848370891,,4:48:6c:df:0:0,0:0:4:48:6c:df,->,,,INT,s[16]=".. at ...ZF.:......",,,,19445,,,,,
1151432462.064964,1151432462.064964,1,0.000000,0.000000,0:0:4:48:6c:df,4:48:6c:df:0:0,llc,0x45,*,,,,,122,0,104,0,1,0,0.000,0.000,0.000,0.000,0,0,229.97.122.203, ,4:48:6c:df:0:0,0:0:4:48:6c:df,->,,,INT,s[16]=".. at ...ZF.:......",,,,19445,,,,,,
sport 0x4 69
line: 30618 fields in error: sport,
1151432494.066806,1151432494.066806,1,0.000000,0.000000,0:0:4:e4:d9:d5,4:e4:d9:d5:0:0,llc,0x4,nul,,,,,122,0,104,0,1,0,0.00,0.00,inf,0.00,0.0000,0.0000,3848370891,,4:e4:d9:d5:0:0,0:0:4:e4:d9:d5,->,,,INT,s[16]=".. at ...ZF.:......",,,,29615,,,,,
1151432494.066806,1151432494.066806,1,0.000000,0.000000,0:0:4:e4:d9:d5,4:e4:d9:d5:0:0,llc,0x45,*,,,,,122,0,104,0,1,0,0.000,0.000,0.000,0.000,0,0,229.97.122.203, ,4:e4:d9:d5:0:0,0:0:4:e4:d9:d5,->,,,INT,s[16]=".. at ...ZF.:......",,,,29615,,,,,,
sport 65535
(may be a 3.0 bug, there don't look to be dest packets and therefore
shouldn't be a dest port)
line: 80205 fields in error: sport,
1151432633.891051,1151432633.891051,1,0.000000,0.000000,64.231.58.119,142.58.65.252,udp,,5436,0,0,113,0,109,0,63,0,1,0,0.00,0.00,inf,0.00,0.0000,0.0000,3848370891,q,0:11:88:5:5d:1d,0:14:51:7a:b:b1,->,,,INT,s[16]="...A...&....N.t.",,,,62171,,,0x0286,,0x16f2
1151432633.891051,1151432633.891051,1,0.000000,0.000000,64.231.58.119,142.58.65.252,udp,65535,5436,0,,113,,109,0,63,0,1,0,0.000,0.000,0.000,0.000,0,0,229.97.122.203, v ,0:11:88:5:5d:1d,0:14:51:7a:b:b1,->,,,INT,s[16]="...A...&....N.t.",,,,62171,,,0x0286,,0x16f2,
flgs2 = E
flgs32 =
(Don't look to process the E flag correctly in 3.0)
line: 111474 fields in error: flgs,
1151432739.311116,1151432742.431802,1,3.120686,3.120686,142.58.211.84,205.188.212.249,tcp,59972,80,0,0,255,255,1586,1467,1160,1111,7,6,4065.77,3760.71,2.24,1.92,0.0000,0.0000,3848370891,qDE,0:f:1f:3:f5:79,0:11:88:5:5d:1d,->,,1218134.039513,RST,s[16]="GET/17789/aim/e",,0,0,124168,,,0x00d3,0x00d3,0x0000
1151432739.311116,1151432742.431802,1,3.120686,3.120686,142.58.211.84,205.188.212.249,tcp,59972,80,0,0,255,255,1586,1467,1160,1111,7,6,4065.773,3760.711,2.243,1.923,0,0,229.97.122.203, v D ,0:f:1f:3:f5:79,0:11:88:5:5d:1d,->,,1218134.04,RST,s[16]="GET /17789/aim/e",,0,0,124168,,,0x00d3,0x00d3,0x0000,0x0000
flgs2 = E
flgs32 =
line: 116335 fields in error: flgs,
1151432749.496770,1151432749.774155,1,0.277385,0.277385,142.58.211.84,205.188.212.249,tcp,60790,80,0,0,255,255,2008,8409,1350,7763,11,11,57912.29,242522.13,39.66,39.66,0.0000,0.0000,3848370891,qDE,0:f:1f:3:f5:79,0:11:88:5:5d:1d,->,,30875.360322,RST,s[16]="GET/17789/Scrip",,0,0,128868,,,0x00d3,0x00d3,0x0000
1151432749.496770,1151432749.774155,1,0.277385,0.277385,142.58.211.84,205.188.212.249,tcp,60790,80,0,0,255,255,2008,8409,1350,7763,11,11,57912.289,242522.125,39.656,39.656,0,0,229.97.122.203, v D ,0:f:1f:3:f5:79,0:11:88:5:5d:1d,->,,30875.36,RST,s[16]="GET /17789/Scrip",,0,0,128868,,,0x00d3,0x00d3,0x0000,0x0000
flgs2 = E
flgs32 =
line: 121155 fields in error: flgs,
1151432763.997988,1151432764.344024,1,0.346036,0.346036,142.58.211.84,205.188.212.249,tcp,33260,80,0,0,255,255,2206,11225,1374,10463,14,13,51000.47,259510.57,40.46,37.57,0.0000,0.0000,3848370891,qDE,0:f:1f:3:f5:79,0:11:88:5:5d:1d,->,,31473.981125,RST,s[16]="GET/17789/Scrip",,0,64161,135474,,,0x00d3,0x00d3,0x0000
1151432763.997988,1151432764.344024,1,0.346036,0.346036,142.58.211.84,205.188.212.249,tcp,33260,80,0,0,255,255,2206,11225,1374,10463,14,13,51000.477,259510.578,40.458,37.568,0,0,229.97.122.203, v D ,0:f:1f:3:f5:79,0:11:88:5:5d:1d,->,,31473.43,RST,s[16]="GET /17789/Scrip",,0,64161,135474,,,0x00d3,0x00d3,0x0000,0x0000
flgs2 = E
flgs32 =
line: 122811 fields in error: flgs,
1151432768.885077,1151432769.494176,1,0.609099,0.609099,142.58.211.84,205.188.212.249,tcp,33486,80,0,0,255,255,1900,4221,1358,3749,9,8,24954.89,55439.26,14.78,13.13,0.0000,0.0000,3848370891,qDE,0:f:1f:3:f5:79,0:11:88:5:5d:1d,->,,103072.282881,RST,s[16]="GET/17789/Scrip",,0,0,137344,,,0x00d3,0x00d3,0x0000
1151432768.885077,1151432769.494176,1,0.609099,0.609099,142.58.211.84,205.188.212.249,tcp,33486,80,0,0,255,255,1900,4221,1358,3749,9,8,24954.895,55439.266,14.776,13.134,0,0,229.97.122.203, v D ,0:f:1f:3:f5:79,0:11:88:5:5d:1d,->,,103071.88,RST,s[16]="GET /17789/Scrip",,0,0,137344,,,0x00d3,0x00d3,0x0000,0x0000
sport 0
dport 0
(need to add pri- to perl script)
line: 150642 fields in error: dport,sport,
1151432860.448561,1151433389.602865,1,529.154304,529.154304,10.10.10.10,255.255.255.255,pri-,0,0,0,0,0,0,1170,0,600,0,15,0,17.69,0.00,0.03,0.00,0.0000,0.0000,3848370891,q,0:9:ef:1:39:c1,ff:ff:ff:ff:ff:ff,->,,,INT,s[16]="WLANforwarding",,,,170682,,,0x0286,,0x0000
1151432860.448561,1151433389.602865,1,529.154304,529.154297,10.10.10.10,255.255.255.255,pri-enc,,,0,,0,,1170,0,600,0,15,0,17.689,0.000,0.028,0.000,0,0,229.97.122.203, v ,0:9:ef:1:39:c1,ff:ff:ff:ff:ff:ff,->,,,INT,s[16]="WLAN forwarding ",,,,170682,,,0x0286,,0x0000,
sport 65535
line: 166572 fields in error: sport,
1151432904.763956,1151432904.763956,1,0.000000,0.000000,24.80.60.28,142.58.65.252,udp,,5436,0,0,120,0,109,0,63,0,1,0,0.00,0.00,inf,0.00,0.0000,0.0000,3848370891,q,0:11:88:5:5d:1d,0:14:51:7a:b:b1,->,,,INT,s[16]="..S.>.......?.`x",,,,157763,,,0x0286,,0x37d0
1151432904.763956,1151432904.763956,1,0.000000,0.000000,24.80.60.28,142.58.65.252,udp,65535,5436,0,,120,,109,0,63,0,1,0,0.000,0.000,0.000,0.000,0,0,229.97.122.203, v ,0:11:88:5:5d:1d,0:14:51:7a:b:b1,->,,,INT,s[16]="..S.>.......?.`x",,,,157763,,,0x0286,,0x37d0,
dport 65535
line: 166573 fields in error: dport,
1151432904.769220,1151432904.769220,1,0.000000,0.000000,142.58.65.252,24.80.60.28,udp,5436,,0,0,64,0,282,0,236,0,1,0,0.00,0.00,inf,0.00,0.0000,0.0000,3848370891,q,0:14:51:7a:b:b1,0:11:88:5:5d:1d,->,,,INT,s[16]="....?.`x..S.>...",,,,172090,,,0x0286,,0x87b2
1151432904.769220,1151432904.769220,1,0.000000,0.000000,142.58.65.252,24.80.60.28,udp,5436,65535,0,,64,,282,0,236,0,1,0,0.000,0.000,0.000,0.000,0,0,229.97.122.203, v ,0:14:51:7a:b:b1,0:11:88:5:5d:1d,->,,,INT,s[16]="....?.`x..S.>...",,,,172090,,,0x0286,,0x87b2,
sport 65535
line: 168437 fields in error: sport,
1151432909.276319,1151432909.276367,1,0.000048,0.000048,142.58.154.47,142.58.158.23,udp,,55660,0,0,255,0,228,0,136,0,2,0,38000000.00,0.00,41666.67,0.00,0.0000,0.0000,3848370891,q,0:d:93:3a:ea:52,0:11:88:5:5d:1d,->,,,INT,s[16]="....D.........en",,,,173993,,,0x8200,,0x140c
1151432909.276319,1151432909.276367,1,0.000048,0.000048,142.58.154.47,142.58.158.23,udp,65535,55660,0,,255,,228,0,136,0,2,0,38000000.000,0.000,41666.664,0.000,0,0,229.97.122.203, v ,0:d:93:3a:ea:52,0:11:88:5:5d:1d,->,,,INT,s[16]="....D.........en",,,,173993,,,0x8200,,0x140c,
dport 65535
line: 193458 fields in error: dport,
1151432982.011009,1151432982.011009,1,0.000000,0.000000,142.58.65.252,203.59.16.16,udp,5436,,0,0,64,0,88,0,42,0,1,0,0.00,0.00,inf,0.00,0.0000,0.0000,3848370891,q,0:14:51:7a:b:b1,0:11:88:5:5d:1d,->,,,INT,s[16]="....D.x.....$..7",,,,204455,,,0x0286,,0x8ac3
1151432982.011009,1151432982.011009,1,0.000000,0.000000,142.58.65.252,203.59.16.16,udp,5436,65535,0,,64,,88,0,42,0,1,0,0.000,0.000,0.000,0.000,0,0,229.97.122.203, v ,0:14:51:7a:b:b1,0:11:88:5:5d:1d,->,,,INT,s[16]="....D.x.....$..7",,,,204455,,,0x0286,,0x8ac3,
djit 73945.757215 73827.01
(round off error in int to float conversion, ignorable)
line: 208131 fields in error: djit,
1151433024.339674,1151433529.078258,1,504.738584,504.738584,142.58.62.247,66.36.75.14,tcp,50664,80,0,0,255,255,4433,6353,225,2215,60,59,70.26,100.69,0.12,0.12,0.0000,0.0000,3848370891,q,0:d:93:ea:6:66,0:11:88:5:5d:1d,->,,73945.757215,CON,s[16]="GET/SERVICE/SQU",,0,27,246528,,,0x0282,0x0282,0x0000
1151433024.339674,1151433529.078258,1,504.738584,504.738586,142.58.62.247,66.36.75.14,tcp,50664,80,0,0,255,255,4433,6353,225,2215,60,59,70.262,100.694,0.119,0.117,0,0,229.97.122.203, v ,0:d:93:ea:6:66,0:11:88:5:5d:1d,->,,73827.01,CON,s[16]="GET /SERVICE/SQU",,0,27,246528,,,0x0282,0x0282,0x0000,0x0000
srate 3018666666.67 3018666496.000
(ditto)
line: 233600 fields in error: srate,
1151433105.350181,1151433105.350187,1,0.000006,0.000006,142.58.160.80,156.26.176.107,udp,26635,48056,0,0,128,0,2264,0,2172,0,2,0,3018666666.67,0.00,333333.33,0.00,0.0000,0.0000,3848370891,q,0:12:3f:98:40:82,0:11:88:5:5d:1d,->,,,INT,s[16]=".-?.S.....!.u.6.",,,,280338,,,0x8200,,0xbb94
1151433105.350181,1151433105.350187,1,0.000006,0.000006,142.58.160.80,156.26.176.107,udp,26635,48056,0,,128,,2264,0,2172,0,2,0,3018666496.000,0.000,333333.312,0.000,0,0,229.97.122.203, v ,0:12:3f:98:40:82,0:11:88:5:5d:1d,->,,,INT,s[16]=".-?.S.....!.u.6.",,,,280338,,,0x8200,,0xbb94,
sport 65535
line: 255653 fields in error: sport,
1151433169.736866,1151433169.736866,1,0.000000,0.000000,218.2.196.99,142.58.65.252,udp,,5436,0,0,46,0,111,0,65,0,1,0,0.00,0.00,inf,0.00,0.0000,0.0000,3848370891,q,0:11:88:5:5d:1d,0:14:51:7a:b:b1,->,,,INT,s[16]="....d at .H......D.",,,,268713,,,0x0286,,0x83df
1151433169.736866,1151433169.736866,1,0.000000,0.000000,218.2.196.99,142.58.65.252,udp,65535,5436,0,,46,,111,0,65,0,1,0,0.000,0.000,0.000,0.000,0,0,229.97.122.203, v ,0:11:88:5:5d:1d,0:14:51:7a:b:b1,->,,,INT,s[16]="....d at .H......D.",,,,268713,,,0x0286,,0x83df,
dport 65535
line: 255656 fields in error: dport,
1151433169.741320,1151433169.741320,1,0.000000,0.000000,142.58.65.252,218.2.196.99,udp,5436,,0,0,64,0,256,0,210,0,1,0,0.00,0.00,inf,0.00,0.0000,0.0000,3848370891,q,0:14:51:7a:b:b1,0:11:88:5:5d:1d,->,,,INT,s[16]="......D.....d at .H",,,,291952,,,0x0286,,0x965f
1151433169.741320,1151433169.741320,1,0.000000,0.000000,142.58.65.252,218.2.196.99,udp,5436,65535,0,,64,,256,0,210,0,1,0,0.000,0.000,0.000,0.000,0,0,229.97.122.203, v ,0:14:51:7a:b:b1,0:11:88:5:5d:1d,->,,,INT,s[16]="......D.....d at .H",,,,291952,,,0x0286,,0x965f,
sport 0xe 232
dport 0xe 232
line: 273046 fields in error: dport,sport,
1151433222.033117,1151433222.033117,1,0.000000,0.000000,0:4:ac:d5:a6:44,3:0:8:0:0:0,llc,0xe,0xe,,,,,64,0,43,0,1,0,0.00,0.00,inf,0.00,0.0000,0.0000,3848370891,q,0:4:ac:d5:a6:44,3:0:8:0:0:0,->,,,INT,s[16]="........56965380",,,,329098,,,0x8200,,
1151433222.033117,1151433222.033117,1,0.000000,0.000000,0:4:ac:d5:a6:44,3:0:8:0:0:0,llc,0xe8,0xe8,,,,,64,0,43,0,1,0,0.000,0.000,0.000,0.000,0,0,229.97.122.203, v ,0:4:ac:d5:a6:44,3:0:8:0:0:0,->,,,INT,s[16]="........56965380",,,,329098,,,0x8200,,,
dport 65535
line: 314234 fields in error: dport,
1151433350.871677,1151433350.871677,1,0.000000,0.000000,142.58.65.252,206.248.153.19,udp,5436,,0,0,64,0,109,0,63,0,1,0,0.00,0.00,inf,0.00,0.0000,0.0000,3848370891,q,0:14:51:7a:b:b1,0:11:88:5:5d:1d,->,,,INT,s[16]=".Zu..h......$..z",,,,362796,,,0x0286,,0xab5d
1151433350.871677,1151433350.871677,1,0.000000,0.000000,142.58.65.252,206.248.153.19,udp,5436,65535,0,,64,,109,0,63,0,1,0,0.000,0.000,0.000,0.000,0,0,229.97.122.203, v ,0:14:51:7a:b:b1,0:11:88:5:5d:1d,->,,,INT,s[16]=".Zu..h......$..z",,,,362796,,,0x0286,,0xab5d,
dport 65535
line: 336306 fields in error: dport,
1151433414.180022,1151433443.808974,1,29.628952,29.628952,142.58.65.252,66.25.182.137,tcp,50435,,0,0,255,255,888,556,204,0,10,8,239.77,150.12,0.34,0.27,0.0000,0.0000,3848370891,qD,0:14:51:7a:b:b1,0:11:88:5:5d:1d,->,,4393394.987743,RST,s[16]=".BitTorrentprot",,0,65467,407760,,,0x0286,0x0286,0x0000
1151433414.180022,1151433443.808974,1,29.628952,29.628952,142.58.65.252,66.25.182.137,tcp,50435,65535,0,0,255,255,888,556,204,0,10,8,239.765,150.123,0.338,0.270,0,0,229.97.122.203, v D ,0:14:51:7a:b:b1,0:11:88:5:5d:1d,->,,4393394.56,RST,s[16]=".BitTorrent prot",,0,65467,407760,,,0x0286,0x0286,0x0000,0x0000
sport 65535
line: 361659 fields in error: sport,
1151433475.838030,1151433475.838030,1,0.000000,0.000000,66.130.186.216,142.58.65.252,udp,,5436,0,0,111,0,109,0,63,0,1,0,0.00,0.00,inf,0.00,0.0000,0.0000,3848370891,q,0:11:88:5:5d:1d,0:14:51:7a:b:b1,->,,,INT,s[16]=".J..............",,,,385101,,,0x0286,,0xb497
1151433475.838030,1151433475.838030,1,0.000000,0.000000,66.130.186.216,142.58.65.252,udp,65535,5436,0,,111,,109,0,63,0,1,0,0.000,0.000,0.000,0.000,0,0,229.97.122.203, v ,0:11:88:5:5d:1d,0:14:51:7a:b:b1,->,,,INT,s[16]=".J..............",,,,385101,,,0x0286,,0xb497,
dport 65535
line: 361664 fields in error: dport,
1151433475.844710,1151433475.844710,1,0.000000,0.000000,142.58.65.252,66.130.186.216,udp,5436,,0,0,64,0,282,0,236,0,1,0,0.00,0.00,inf,0.00,0.0000,0.0000,3848370891,q,0:14:51:7a:b:b1,0:11:88:5:5d:1d,->,,,INT,s[16]=".........J......",,,,416033,,,0x0286,,0xb8f3
1151433475.844710,1151433475.844710,1,0.000000,0.000000,142.58.65.252,66.130.186.216,udp,5436,65535,0,,64,,282,0,236,0,1,0,0.000,0.000,0.000,0.000,0,0,229.97.122.203, v ,0:14:51:7a:b:b1,0:11:88:5:5d:1d,->,,,INT,s[16]=".........J......",,,,416033,,,0x0286,,0xb8f3,
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
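A checker of the same shape as the ra_test.pl output above, written as an added example for this archive page. It is not Peter's script (which is not in this message): it takes one 2.0.6 record and its 3.0 twin, splits them on commas, and sorts each column into ok / format / truncated / rounding / mismatch using the kinds of difference the message points out (stripped q/v flag characters, hex ports cut short on 2.0.6, blanks dropped from the payload preview, float round-off, the extra trailing column on 3.0). Column names for proto, sport, dport, srate, flgs and djit are read off the "fields in error" lines; "srcid" for column 26 is my label, and the EQUIVALENT pairs and the 1e-4 tolerance are my choices. The three record pairs embedded below are the ones quoted in the message.

```python
"""Field-by-field check of an argus 2.0.6 record against its argus 3.0 twin."""
import ipaddress
import math

# Columns confirmed by the message's "fields in error" lines, except
# "srcid" (my label, an assumption): 2.0.6 prints column 26 as an integer
# and 3.0 as a dotted quad, and 3848370891 is exactly 229.97.122.203.
NAMED = {7: "proto", 8: "sport", 9: "dport", 20: "srate",
         26: "srcid", 27: "flgs", 32: "djit"}
FLAG_NOISE = set("qv ")   # the message's checker strips these: qs -> s, " v D " -> D
# value pairs the message's checker evidently accepts (they sit on lines it
# reports clean); my reading of its output, adjust as needed
EQUIVALENT = {("", "0"), ("0", ""), ("nul", "*"), ("inf", "0.000")}


def split_record(line):
    """Split one record on commas (the payload preview in the message has none)."""
    return line.strip().split(",")


def decimals(text):
    """Digits shown after the decimal point, 0 if there is no point."""
    return len(text.split(".", 1)[1]) if "." in text else 0


def as_float(text):
    try:
        return float(text)
    except ValueError:
        return None


def classify(idx, old, new, rel_tol):
    """Status of one column; old is the 2.0.6 value, new the 3.0 value."""
    if old == new:
        return "ok"
    name = NAMED.get(idx)
    if name == "flgs":
        return "ok" if set(old) - FLAG_NOISE == set(new) - FLAG_NOISE else "mismatch"
    if name == "srcid" and old.isdigit() and "." in new:
        try:
            return "ok" if int(ipaddress.IPv4Address(new)) == int(old) else "mismatch"
        except ValueError:
            return "mismatch"
    if old.replace(" ", "") == new.replace(" ", ""):
        return "format"      # 2.0.6 drops blanks in the payload preview (GET/17789 vs GET /17789)
    if (old, new) in EQUIVALENT:
        return "format"
    if old.startswith("0x") and new.startswith("0x") and new.startswith(old) and len(old) < len(new):
        return "truncated"   # 2.0.6 cuts the hex port short (0xe for 0xe8)
    fo, fn = as_float(old), as_float(new)
    if fo is None or fn is None:
        return "mismatch"
    places = min(decimals(old), decimals(new))
    if round(fo, places) == round(fn, places):
        return "ok"          # same value at the coarser displayed precision (0.12 vs 0.119)
    if math.isclose(fo, fn, rel_tol=rel_tol):
        return "rounding"    # float conversion noise, e.g. 73945.757215 vs 73827.01
    return "mismatch"


def compare(old_line, new_line, rel_tol=1e-4):
    """Return {column: (status, old value, new value)} for one record pair.

    rel_tol is my choice: 1e-4 still flags the 0.16% djit gap the message
    reports, 1e-2 lets it through as "rounding".
    """
    old, new = split_record(old_line), split_record(new_line)
    if len(new) > 1 and new[-1] == "":
        new.pop()            # 3.0 ends most records with a trailing comma
    width = min(len(old), len(new))
    result = {i: (classify(i, old[i], new[i], rel_tol), old[i], new[i]) for i in range(width)}
    for i in range(width, max(len(old), len(new))):   # column present on one side only
        result[i] = ("extra", old[i] if i < len(old) else None, new[i] if i < len(new) else None)
    return result


def errors(result):
    """Names of mismatched columns, like the 'fields in error' line in the message."""
    return [NAMED.get(i, "col%d" % i) for i in sorted(result) if result[i][0] == "mismatch"]


def summary(result):
    counts = {}
    for status, _, _ in result.values():
        counts[status] = counts.get(status, 0) + 1
    return counts


# Record pairs quoted in the message (2.0.6 first, 3.0 second).
OLD_UDP = '1151432633.891051,1151432633.891051,1,0.000000,0.000000,64.231.58.119,142.58.65.252,udp,,5436,0,0,113,0,109,0,63,0,1,0,0.00,0.00,inf,0.00,0.0000,0.0000,3848370891,q,0:11:88:5:5d:1d,0:14:51:7a:b:b1,->,,,INT,s[16]="...A...&....N.t.",,,,62171,,,0x0286,,0x16f2'
NEW_UDP = '1151432633.891051,1151432633.891051,1,0.000000,0.000000,64.231.58.119,142.58.65.252,udp,65535,5436,0,,113,,109,0,63,0,1,0,0.000,0.000,0.000,0.000,0,0,229.97.122.203, v ,0:11:88:5:5d:1d,0:14:51:7a:b:b1,->,,,INT,s[16]="...A...&....N.t.",,,,62171,,,0x0286,,0x16f2,'
OLD_LLC = '1151432461.841994,1151432461.841994,1,0.000000,0.000000,0:9:6b:b7:9c:10,3:0:8:0:0:0,llc,0xe,0xe,,,,,64,0,43,0,1,0,0.00,0.00,inf,0.00,0.0000,0.0000,3848370891,q,0:9:6b:b7:9c:10,3:0:8:0:0:0,->,,,INT,s[16]="..CC............",,,,21725,,,0x8200,,'
NEW_LLC = '1151432461.841994,1151432461.841994,1,0.000000,0.000000,0:9:6b:b7:9c:10,3:0:8:0:0:0,llc,0xe8,0xe8,,,,,64,0,43,0,1,0,0.000,0.000,0.000,0.000,0,0,229.97.122.203, v ,0:9:6b:b7:9c:10,3:0:8:0:0:0,->,,,INT,s[16]="..CC............",,,,21725,,,0x8200,,,'
OLD_TCP = '1151433024.339674,1151433529.078258,1,504.738584,504.738584,142.58.62.247,66.36.75.14,tcp,50664,80,0,0,255,255,4433,6353,225,2215,60,59,70.26,100.69,0.12,0.12,0.0000,0.0000,3848370891,q,0:d:93:ea:6:66,0:11:88:5:5d:1d,->,,73945.757215,CON,s[16]="GET/SERVICE/SQU",,0,27,246528,,,0x0282,0x0282,0x0000'
NEW_TCP = '1151433024.339674,1151433529.078258,1,504.738584,504.738586,142.58.62.247,66.36.75.14,tcp,50664,80,0,0,255,255,4433,6353,225,2215,60,59,70.262,100.694,0.119,0.117,0,0,229.97.122.203, v ,0:d:93:ea:6:66,0:11:88:5:5d:1d,->,,73827.01,CON,s[16]="GET /SERVICE/SQU",,0,27,246528,,,0x0282,0x0282,0x0000,0x0000'
SAMPLES = {"line 80205": (OLD_UDP, NEW_UDP), "line 18705": (OLD_LLC, NEW_LLC), "line 208131": (OLD_TCP, NEW_TCP)}

if __name__ == "__main__":
    for label, (o, n) in SAMPLES.items():
        r = compare(o, n)
        print(label, "fields in error:", ",".join(errors(r)) or "none", summary(r))
```

Run on the three pairs it reports sport for the udp line, nothing (two truncated columns) for the llc line, and djit plus one extra trailing column for the tcp line, which is what the message's output shows for those lines once its ignorable cases are taken out.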