fix against rc.27 clients
Peter Van Epp
vanepp at sfu.ca
Fri Aug 25 00:06:13 EDT 2006
I haven't been getting as much time to play lately, but since (ignoring
direction and state as usual :-)) two problems showing up, I fixed one tonight:
%./ra_test.pl eflag.argus
flgs2 = E
flgs32 =
line: 1 fields in error: flgs,
1151432739.311116,1151432742.431802,1,3.120686,3.120686,142.58.211.84,205.188.212.249,tcp,59972,80,0,0,255,255,1586,1467,1160,1111,7,6,4065.77,3760.71,2.24,1.92,0.0000,0.0000,3848370891,qDE,0:f:1f:3:f5:79,0:11:88:5:5d:1d,->,,1218134.039513,RST,s[16]="GET/17789/aim/e",,0,0,124168,,,0x00d3,0x00d3,0x0000
1151432739.311116,1151432742.431802,1,3.120686,3.120686,142.58.211.84,205.188.212.249,tcp,59972,80,0,0,255,255,1586,1467,1160,1111,7,6,4065.773,3760.711,2.243,1.923,0,0,229.97.122.203, v D ,0:f:1f:3:f5:79,0:11:88:5:5d:1d,->,,1218134.04,RST,s[16]="GET /17789/aim/e",,0,0,124168,,,0x00d3,0x00d3,0x0000,0x0000
What is happening here is that the window shut flag is overwriting the
ECN congestion flag in 3.0 because the slots in the buffer are being reused.
To fix it I created the map of flags to buffer locations (assuming anything
that had a unique flag in the record could occur all at once and thus needs its
own slot in the field). Assuming there isn't something depending on the exact
placement of the flags, this seems to fit them all into the 9 slots available,
only reusing slots where the code takes a separate branch (and as a bonus
the test case fills slot 9 so we can see the corner case displays correctly :-)):
buf[0] T (timeadjust)
buf[1] m (mpls)
buf[2] v vlan
buf[3] G gre (commented out)
buf[4] I icmp mapped
and one of:
ARGUS_TYPE_IPV4
buf[5] F frag
or IPPROTO_TCP
buf[6] out of order
buf[7] retrans
buf[8] E ECN_CONGESTED
buf[9] @ ARGUS_WINDOW_SHUT
or IPPROTO_ESP
buf[6] Drops
buf[7] Out of order
or ARGUS_TYPE_IPV6
buf[5] F frag
or IPPROTO_TCP
buf[6] retrans
The patched rc.27 no longer shows the error and the ra3 output
indicates buf[9] prints correctly:
%./ra_test.pl eflag.argus
%ra3 -Fra3.conf.full -r eflag.argus
StartTime,LastTime,Trans,Dur,AvgDur,SrcAddr,DstAddr,Proto,Sport,Dport,sTos,dTos,sTtl,dTtl,SrcBytes,DstBytes,SAppBytes,DAppBytes,SrcPkts,DstPkts,Src_bps,Dst_bps,Src_pps,Dst_pps,SrcLoss,DstLoss,SrcId,Flgs,SrcMac,DstMac,Dir,SrcJitter,DstJitter,State,srcUdata,dstUdata,SrcWin,DstWin,Seq,sMpls,dMpls,sVlan,dVlan,sIpId,dIpId
1151432739.311116,1151432742.431802,1,3.120686,3.120686,142.58.211.84,205.188.212.249,tcp,59972,80,0,0,255,255,1586,1467,1160,1111,7,6,4065.773,3760.711,2.243,1.923,0,0,229.97.122.203, v ED,0:f:1f:3:f5:79,0:11:88:5:5d:1d,->,,1218134.04,RST,s[16]="GET /17789/aim/e",,0,0,124168,,,0x00d3,0x00d3,0x0000,0x0000
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
*** common/argus_util.c.orig Thu Aug 24 19:37:03 2006
--- common/argus_util.c Thu Aug 24 20:40:27 2006
***************
*** 2137,2150 ****
buf[0] = 'T';
if (argus->dsrs[ARGUS_MPLS_INDEX] != NULL)
! buf[0] = 'm';
if (argus->dsrs[ARGUS_VLAN_INDEX] != NULL)
! buf[1] = 'v';
/*
if ((encaps = argus->dsrs[ARGUS_ENCAPS_INDEX]) != NULL) {
if (encaps->types & ARGUS_ENCAPS_GRE) {
! buf[2] = 'G';
}
}
*/
--- 2137,2150 ----
buf[0] = 'T';
if (argus->dsrs[ARGUS_MPLS_INDEX] != NULL)
! buf[1] = 'm';
if (argus->dsrs[ARGUS_VLAN_INDEX] != NULL)
! buf[2] = 'v';
/*
if ((encaps = argus->dsrs[ARGUS_ENCAPS_INDEX]) != NULL) {
if (encaps->types & ARGUS_ENCAPS_GRE) {
! buf[3] = 'G';
}
}
*/
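Review bot: The slot numbers on the changed lines (`buf[1]`, `buf[2]`, and `buf[3]` inside the commented-out GRE block) are bare literals, and the map that gives them meaning exists only in the accompanying message. A comment above `buf[0] = 'T';` recording that layout (the common slots, the frag slot, then the protocol-specific slots) would keep a later edit from reintroducing the slot collision this patch fixes; an enum of named slot indices would do the same more durably. The enclosing function starts and ends outside the hunk, so the writes to slots 4 and 5 listed in the message cannot be checked here.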
***************
*** 2167,2209 ****
if (status & ARGUS_OUTOFORDER) {
if ((status & ARGUS_SRC_OUTOFORDER) && (status & ARGUS_DST_OUTOFORDER))
! buf[2] = '&';
else {
if (status & ARGUS_SRC_OUTOFORDER)
! buf[2] = 'i';
if (status & ARGUS_DST_OUTOFORDER)
! buf[2] = 'r';
}
}
if (status & ARGUS_PKTS_RETRANS) {
if ((status & ARGUS_SRC_PKTS_RETRANS) && (status & ARGUS_DST_PKTS_RETRANS))
! buf[2] = '*';
else {
if (status & ARGUS_SRC_PKTS_RETRANS)
! buf[2] = 's';
if (status & ARGUS_DST_PKTS_RETRANS)
! buf[2] = 'd';
}
}
if (status & ARGUS_ECN_CONGESTED) {
if ((status & ARGUS_SRC_CONGESTED) && (status & ARGUS_DST_CONGESTED))
! buf[3] = 'E';
else {
if (status & ARGUS_SRC_CONGESTED)
! buf[3] = 'x';
if (status & ARGUS_DST_CONGESTED)
! buf[3] = 't';
}
}
if (status & ARGUS_WINDOW_SHUT) {
if ((status & ARGUS_SRC_WINDOW_SHUT) && (status & ARGUS_DST_WINDOW_SHUT))
! buf[3] = '@';
else {
if (status & ARGUS_SRC_WINDOW_SHUT)
! buf[3] = 'S';
if (status & ARGUS_DST_WINDOW_SHUT)
! buf[3] = 'D';
}
}
break;
--- 2167,2209 ----
if (status & ARGUS_OUTOFORDER) {
if ((status & ARGUS_SRC_OUTOFORDER) && (status & ARGUS_DST_OUTOFORDER))
! buf[6] = '&';
else {
if (status & ARGUS_SRC_OUTOFORDER)
! buf[6] = 'i';
if (status & ARGUS_DST_OUTOFORDER)
! buf[6] = 'r';
}
}
if (status & ARGUS_PKTS_RETRANS) {
if ((status & ARGUS_SRC_PKTS_RETRANS) && (status & ARGUS_DST_PKTS_RETRANS))
! buf[7] = '*';
else {
if (status & ARGUS_SRC_PKTS_RETRANS)
! buf[7] = 's';
if (status & ARGUS_DST_PKTS_RETRANS)
! buf[7] = 'd';
}
}
if (status & ARGUS_ECN_CONGESTED) {
if ((status & ARGUS_SRC_CONGESTED) && (status & ARGUS_DST_CONGESTED))
! buf[8] = 'E';
else {
if (status & ARGUS_SRC_CONGESTED)
! buf[8] = 'x';
if (status & ARGUS_DST_CONGESTED)
! buf[8] = 't';
}
}
if (status & ARGUS_WINDOW_SHUT) {
if ((status & ARGUS_SRC_WINDOW_SHUT) && (status & ARGUS_DST_WINDOW_SHUT))
! buf[9] = '@';
else {
if (status & ARGUS_SRC_WINDOW_SHUT)
! buf[9] = 'S';
if (status & ARGUS_DST_WINDOW_SHUT)
! buf[9] = 'D';
}
}
break;
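Review bot: The store to `buf[9]` in the ARGUS_WINDOW_SHUT branch is now the highest index written, and neither the declaration of `buf` nor the format that prints it is inside the hunk. The message speaks of 9 slots, but indices 0 through 9 are ten positions, so the array has to hold ten flag characters plus a terminator if it is printed as a string; with a smaller array this store would land past the end. The declaration and the width of the flags column should be confirmed, and a comment at the declaration such as `/* flag slots 0..9 plus NUL */` would pin the requirement. The enclosing case block begins outside the hunk.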
***************
*** 2218,2239 ****
unsigned char status = net->hdr.argus_dsrvl8.qual;
if (status & ARGUS_PKTS_DROP) {
if ((status & ARGUS_SRC_PKTS_DROP) && (status & ARGUS_DST_PKTS_DROP))
! buf[2] = '*';
else {
if (status & ARGUS_SRC_PKTS_DROP)
! buf[2] = 's';
if (status & ARGUS_DST_PKTS_DROP)
! buf[2] = 'd';
}
}
if (status & ARGUS_OUTOFORDER) {
if ((status & ARGUS_SRC_OUTOFORDER) && (status & ARGUS_DST_OUTOFORDER))
! buf[2] = '&';
else {
if (status & ARGUS_SRC_OUTOFORDER)
! buf[2] = 'i';
if (status & ARGUS_DST_OUTOFORDER)
! buf[2] = 'r';
}
}
--- 2218,2239 ----
unsigned char status = net->hdr.argus_dsrvl8.qual;
if (status & ARGUS_PKTS_DROP) {
if ((status & ARGUS_SRC_PKTS_DROP) && (status & ARGUS_DST_PKTS_DROP))
! buf[6] = '*';
else {
if (status & ARGUS_SRC_PKTS_DROP)
! buf[6] = 's';
if (status & ARGUS_DST_PKTS_DROP)
! buf[6] = 'd';
}
}
if (status & ARGUS_OUTOFORDER) {
if ((status & ARGUS_SRC_OUTOFORDER) && (status & ARGUS_DST_OUTOFORDER))
! buf[7] = '&';
else {
if (status & ARGUS_SRC_OUTOFORDER)
! buf[7] = 'i';
if (status & ARGUS_DST_OUTOFORDER)
! buf[7] = 'r';
}
}
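Review bot: Out-of-order lands in `buf[7]` in this branch, while the TCP branch of the same patch puts out-of-order in `buf[6]` and retransmission in `buf[7]`, so one column carries different meanings depending on protocol. The characters `*`, `s` and `d` mean drops in column 6 here but retransmission in column 7 for TCP, so anything that reads the flags field by position has to consult the protocol first. Either swap the two indices so out-of-order stays in slot 6 across protocols, or document the difference with a comment such as `/* ESP: slot 6 = drops, slot 7 = out of order (TCP: 6 = out of order, 7 = retrans) */`. The block starts outside the hunk.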
***************
*** 2253,2264 ****
struct ArgusTCPObject *tcp = (struct ArgusTCPObject *)&net->net_union.tcp;
if (tcp->src.status & ARGUS_PKTS_RETRANS) {
if ((tcp->status & ARGUS_SRC_PKTS_RETRANS) && (tcp->status & ARGUS_DST_PKTS_RETRANS))
! buf[2] = '*';
else {
if (tcp->status & ARGUS_SRC_PKTS_RETRANS)
! buf[2] = 's';
if (tcp->status & ARGUS_DST_PKTS_RETRANS)
! buf[2] = 'd';
}
}
break;
--- 2253,2264 ----
struct ArgusTCPObject *tcp = (struct ArgusTCPObject *)&net->net_union.tcp;
if (tcp->src.status & ARGUS_PKTS_RETRANS) {
if ((tcp->status & ARGUS_SRC_PKTS_RETRANS) && (tcp->status & ARGUS_DST_PKTS_RETRANS))
! buf[6] = '*';
else {
if (tcp->status & ARGUS_SRC_PKTS_RETRANS)
! buf[6] = 's';
if (tcp->status & ARGUS_DST_PKTS_RETRANS)
! buf[6] = 'd';
}
}
break;
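Review bot: The outer guard tests `tcp->src.status & ARGUS_PKTS_RETRANS` while the inner tests read `tcp->status` with the SRC/DST bits, so the two levels look at different fields. If `src.status` holds only the source side's state, a flow with retransmissions only from the destination would never reach the `'d'` assignment; the struct definition is not visible, so this needs checking against the header. The other TCP branch in this patch tests one `status` value at both levels, and the matching guard here would be `if (tcp->status & ARGUS_PKTS_RETRANS) {`. That line is unchanged context, but it decides whether the relocated `buf[6]` writes ever run.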
-------------- next part --------------
A non-text attachment was scrubbed...
Name: eflag.argus
Type: application/octet-stream
Size: 516 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20060824/5e967f27/attachment.obj>