fix against rc.27 clients
Carter Bullard
carter at qosient.com
Fri Aug 25 12:16:17 EDT 2006
Hey Peter,
Hmmmm, there is nothing wrong with the existing strategy for overloading
columns, as the current strategy tries to prioritize the flags to
provide
indications of say QoS impact (flow control is a bigger deal than ECN
when it comes to degradation of throughput, as an example). We don't
want to use tooo many characters for the flags, but we want to convey
some semantics as hints as to what is going on with the flows.
The current strategy isn't perfect, so I'd be willing to try to re-
define
how to use the flags, and figure out if its going to work. My criteria
for use is based on using ratop() as a 'screen' and using the flags
field to toggle attributes on flows that are peristent (so watching
the drops flag change every 2-5 seconds is helpful), and to see as
much operational and performance related attributes so that at a
glance we can tell if this flow is healthy or not.
Here is a list that I've come up with as an example change for
the flags, (modified from the ra.1 man page). This has a layer
taxonomy, in that left to right you go up the stack, columns are
overloaded at the same stack layer, and based on probability
of collision, and the order is an implied priority order, so you
can see who in a particular column will win if there is a collision.
T - Time Corrected/Adjusted
M - Multiple physical layer paths
m - MPLS encapsulated flow
p - PPP over Enternet encapsulated flow
v - VLAN encapsulations/tags
G - GRE encapsulations/tags
I - ICMP events mapped to this flow
U - ICMP Unreachable event mapped to this flow
R - ICMP Redirect event mapped to this flow
T - ICMP Time Exceeded mapped to this flow
V - Fragment overlap seen
f - Partial Fragment
F - Fragments seen
O - multiple IP options set
S - IP option Strict Source Route
L - IP option Loose Source Route
T - IP option Time Stamp
+ - IP option Security
R - IP option Record Route
A - IP option Router Alert
U - unknown IP options set
* - Both Src and Dst TCP retransmissions
s - Src TCP packet retransmissions
d - Dst TCP packet retransmissions
& - Both Src and Dst packet out of order
i - Src TCP packets out of order
r - Dst TCP packets out of order
@ - Both Src and Dst Window Closure
S - Src TCP Window Closure
D - Dst TCP Window Closure
E - Both Src and Dst ECN
x - Src TCP Explicit Congestion Notification
t - Dst TCP ECN
Make a suggestion/change/whatever/opinion, just don't be idle!!!!!
Carter
On Aug 25, 2006, at 12:06 AM, Peter Van Epp wrote:
> I haven't been getting as much time to play lately, but since
> (ignoring
> direction and state as usual :-)) two problems showing up, I fixed
> one tonight:
>
>
> %./ra_test.pl eflag.argus
> flgs2 = E
> flgs32 =
>
> line: 1 fields in error: flgs,
> 1151432739.311116,1151432742.431802,1,3.120686,3.120686,142.58.211.84,
> 205.188.212.249,tcp,
> 59972,80,0,0,255,255,1586,1467,1160,1111,7,6,4065.77,3760.71,2.24,1.92
> ,0.0000,0.0000,3848370891,qDE,0:f:1f:3:f5:79,0:11:88:5:5d:1d,->,,
> 1218134.039513,RST,s[16]="GET/17789/aim/e",,
> 0,0,124168,,,0x00d3,0x00d3,0x0000
> 1151432739.311116,1151432742.431802,1,3.120686,3.120686,142.58.211.84,
> 205.188.212.249,tcp,
> 59972,80,0,0,255,255,1586,1467,1160,1111,7,6,4065.773,3760.711,2.243,1
> .923,0,0,229.97.122.203, v D ,0:f:1f:3:f5:79,0:11:88:5:5d:1d,-
> >,,1218134.04,RST,s[16]="GET /17789/aim/e",,
> 0,0,124168,,,0x00d3,0x00d3,0x0000,0x0000
>
> What is happening here is that the window shut flag is overwriting
> the
> ecn congestion flag in 3.0 because the slots in the buffer are
> being re used.
> To fix it I created the map of flags to buffer locations (assuming
> anything
> that had a unique flag in the record could occur all at once and
> thus needs its
> own slot in the field). Assuming there isn't something depending on
> the exact
> placement of the flags this seems to fit them all in to the 9 slots
> available
> only reusing slots in cases of a unique branch through the code
> (and as a bonus
> the test case fills slot 9 so we can see the corner case displays
> correctly :-)):
>
> buf[0] T (timeadjust)
> buf[1] m (mpls)
> buf[2] v vlan
> buf[3] G gre (commented out)
> buf[4] I icmp mapped
>
> and one of:
>
> ARGUS_TYPE_IPV4
>
> buf[5] F frag
>
> or IPPROTO_TCP
>
> buf[6] out of order
> buf[7] retrans
> buf[8] E ECN_CONGESTED
> buf[9] @ ARGUS_WINDOW_SHUT
>
>
> or IPPROTO_ESP
>
> buf[6] Drops
> buf[7] Out of order
>
> or ARGUS_TYPE_IPV6
>
> buf[5] F frag
>
> or IPPROTO_TCP
>
> buf[6] retrans
>
> The patched rc.27 no longer shows the error and the ra3 output
> indicates buf[9] prints correctly:
>
> %./ra_test.pl eflag.argus
>
>
> %ra3 -Fra3.conf.full -r eflag.argus
> StartTime,LastTime,Trans,Dur,AvgDur,SrcAddr,DstAddr,Proto,Sport,Dport,
> sTos,dTos,sTtl,dTtl,SrcBytes,DstBytes,SAppBytes,DAppBytes,SrcPkts,DstP
> kts,Src_bps,Dst_bps,Src_pps,Dst_pps,SrcLoss,DstLoss,SrcId,Flgs,SrcMac,
> DstMac,Dir,SrcJitter,DstJitter,State,srcUdata,dstUdata,SrcWin,DstWin,S
> eq,sMpls,dMpls,sVlan,dVlan,sIpId,dIpId
> 1151432739.311116,1151432742.431802,1,3.120686,3.120686,142.58.211.84,
> 205.188.212.249,tcp,
> 59972,80,0,0,255,255,1586,1467,1160,1111,7,6,4065.773,3760.711,2.243,1
> .923,0,0,229.97.122.203, v ED,0:f:1f:3:f5:79,0:11:88:5:5d:1d,-
> >,,1218134.04,RST,s[16]="GET /17789/aim/e",,
> 0,0,124168,,,0x00d3,0x00d3,0x0000,0x0000
>
> Peter Van Epp / Operations and Technical Support
> Simon Fraser University, Burnaby, B.C. Canada
>
> *** common/argus_util.c.orig Thu Aug 24 19:37:03 2006
> --- common/argus_util.c Thu Aug 24 20:40:27 2006
> ***************
> *** 2137,2150 ****
> buf[0] = 'T';
>
> if (argus->dsrs[ARGUS_MPLS_INDEX] != NULL)
> ! buf[0] = 'm';
>
> if (argus->dsrs[ARGUS_VLAN_INDEX] != NULL)
> ! buf[1] = 'v';
> /*
> if ((encaps = argus->dsrs[ARGUS_ENCAPS_INDEX]) != NULL) {
> if (encaps->types & ARGUS_ENCAPS_GRE) {
> ! buf[2] = 'G';
> }
> }
> */
> --- 2137,2150 ----
> buf[0] = 'T';
>
> if (argus->dsrs[ARGUS_MPLS_INDEX] != NULL)
> ! buf[1] = 'm';
>
> if (argus->dsrs[ARGUS_VLAN_INDEX] != NULL)
> ! buf[2] = 'v';
> /*
> if ((encaps = argus->dsrs[ARGUS_ENCAPS_INDEX]) != NULL) {
> if (encaps->types & ARGUS_ENCAPS_GRE) {
> ! buf[3] = 'G';
> }
> }
> */
> ***************
> *** 2167,2209 ****
>
> if (status & ARGUS_OUTOFORDER) {
> if ((status & ARGUS_SRC_OUTOFORDER)
> && (status & ARGUS_DST_OUTOFORDER))
> ! buf[2] = '&';
> else {
> if (status & ARGUS_SRC_OUTOFORDER)
> ! buf[2] = 'i';
> if (status & ARGUS_DST_OUTOFORDER)
> ! buf[2] = 'r';
> }
> }
> if (status & ARGUS_PKTS_RETRANS) {
> if ((status &
> ARGUS_SRC_PKTS_RETRANS) && (status & ARGUS_DST_PKTS_RETRANS))
> ! buf[2] = '*';
> else {
> if (status &
> ARGUS_SRC_PKTS_RETRANS)
> ! buf[2] = 's';
> if (status &
> ARGUS_DST_PKTS_RETRANS)
> ! buf[2] = 'd';
> }
> }
>
> if (status & ARGUS_ECN_CONGESTED) {
> if ((status & ARGUS_SRC_CONGESTED)
> && (status & ARGUS_DST_CONGESTED))
> ! buf[3] = 'E';
> else {
> if (status & ARGUS_SRC_CONGESTED)
> ! buf[3] = 'x';
> if (status & ARGUS_DST_CONGESTED)
> ! buf[3] = 't';
> }
> }
> if (status & ARGUS_WINDOW_SHUT) {
> if ((status &
> ARGUS_SRC_WINDOW_SHUT) && (status & ARGUS_DST_WINDOW_SHUT))
> ! buf[3] = '@';
> else {
> if (status & ARGUS_SRC_WINDOW_SHUT)
> ! buf[3] = 'S';
> if (status & ARGUS_DST_WINDOW_SHUT)
> ! buf[3] = 'D';
> }
> }
> break;
> --- 2167,2209 ----
>
> if (status & ARGUS_OUTOFORDER) {
> if ((status & ARGUS_SRC_OUTOFORDER)
> && (status & ARGUS_DST_OUTOFORDER))
> ! buf[6] = '&';
> else {
> if (status & ARGUS_SRC_OUTOFORDER)
> ! buf[6] = 'i';
> if (status & ARGUS_DST_OUTOFORDER)
> ! buf[6] = 'r';
> }
> }
> if (status & ARGUS_PKTS_RETRANS) {
> if ((status &
> ARGUS_SRC_PKTS_RETRANS) && (status & ARGUS_DST_PKTS_RETRANS))
> ! buf[7] = '*';
> else {
> if (status &
> ARGUS_SRC_PKTS_RETRANS)
> ! buf[7] = 's';
> if (status &
> ARGUS_DST_PKTS_RETRANS)
> ! buf[7] = 'd';
> }
> }
>
> if (status & ARGUS_ECN_CONGESTED) {
> if ((status & ARGUS_SRC_CONGESTED)
> && (status & ARGUS_DST_CONGESTED))
> ! buf[8] = 'E';
> else {
> if (status & ARGUS_SRC_CONGESTED)
> ! buf[8] = 'x';
> if (status & ARGUS_DST_CONGESTED)
> ! buf[8] = 't';
> }
> }
> if (status & ARGUS_WINDOW_SHUT) {
> if ((status &
> ARGUS_SRC_WINDOW_SHUT) && (status & ARGUS_DST_WINDOW_SHUT))
> ! buf[9] = '@';
> else {
> if (status & ARGUS_SRC_WINDOW_SHUT)
> ! buf[9] = 'S';
> if (status & ARGUS_DST_WINDOW_SHUT)
> ! buf[9] = 'D';
> }
> }
> break;
> ***************
> *** 2218,2239 ****
> unsigned char status = net-
> >hdr.argus_dsrvl8.qual;
> if (status & ARGUS_PKTS_DROP) {
> if ((status & ARGUS_SRC_PKTS_DROP)
> && (status & ARGUS_DST_PKTS_DROP))
> ! buf[2] = '*';
> else {
> if (status & ARGUS_SRC_PKTS_DROP)
> ! buf[2] = 's';
> if (status & ARGUS_DST_PKTS_DROP)
> ! buf[2] = 'd';
> }
> }
> if (status & ARGUS_OUTOFORDER) {
> if ((status & ARGUS_SRC_OUTOFORDER)
> && (status & ARGUS_DST_OUTOFORDER))
> ! buf[2] = '&';
> else {
> if (status & ARGUS_SRC_OUTOFORDER)
> ! buf[2] = 'i';
> if (status & ARGUS_DST_OUTOFORDER)
> ! buf[2] = 'r';
> }
> }
>
> --- 2218,2239 ----
> unsigned char status = net-
> >hdr.argus_dsrvl8.qual;
> if (status & ARGUS_PKTS_DROP) {
> if ((status & ARGUS_SRC_PKTS_DROP)
> && (status & ARGUS_DST_PKTS_DROP))
> ! buf[6] = '*';
> else {
> if (status & ARGUS_SRC_PKTS_DROP)
> ! buf[6] = 's';
> if (status & ARGUS_DST_PKTS_DROP)
> ! buf[6] = 'd';
> }
> }
> if (status & ARGUS_OUTOFORDER) {
> if ((status & ARGUS_SRC_OUTOFORDER)
> && (status & ARGUS_DST_OUTOFORDER))
> ! buf[7] = '&';
> else {
> if (status & ARGUS_SRC_OUTOFORDER)
> ! buf[7] = 'i';
> if (status & ARGUS_DST_OUTOFORDER)
> ! buf[7] = 'r';
> }
> }
>
> ***************
> *** 2253,2264 ****
> struct ArgusTCPObject *tcp = (struct
> ArgusTCPObject *)&net->net_union.tcp;
> if (tcp->src.status &
> ARGUS_PKTS_RETRANS) {
> if ((tcp->status &
> ARGUS_SRC_PKTS_RETRANS) && (tcp->status & ARGUS_DST_PKTS_RETRANS))
> ! buf[2] = '*';
> else {
> if (tcp->status &
> ARGUS_SRC_PKTS_RETRANS)
> ! buf[2] = 's';
> if (tcp->status &
> ARGUS_DST_PKTS_RETRANS)
> ! buf[2] = 'd';
> }
> }
> break;
> --- 2253,2264 ----
> struct ArgusTCPObject *tcp = (struct
> ArgusTCPObject *)&net->net_union.tcp;
> if (tcp->src.status &
> ARGUS_PKTS_RETRANS) {
> if ((tcp->status &
> ARGUS_SRC_PKTS_RETRANS) && (tcp->status & ARGUS_DST_PKTS_RETRANS))
> ! buf[6] = '*';
> else {
> if (tcp->status &
> ARGUS_SRC_PKTS_RETRANS)
> ! buf[6] = 's';
> if (tcp->status &
> ARGUS_DST_PKTS_RETRANS)
> ! buf[6] = 'd';
> }
> }
> break;
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20060825/24fb94a4/attachment.html>
More information about the argus
mailing list