rc.35 backward compatibility issues
Philipp E. Letschert
phil at uni-koblenz.de
Tue Dec 12 08:50:39 EST 2006
Hi,
attached patch should fix that issue, tested with 2.0 and 3.0 files where loss
was recorded. Please confirm that it doesn't break other stuff.
I also added the routine to print the total loss percantage (ploss), that never
showed up either for 2.0 or 3.0 files.
Then I noticed that there are no routines to report ICMP_IPV6 loss, but i didn't
touch this.
Bye, Philipp
On Tue, Dec 12, 2006 at 01:12:31PM +0000, carter at qosient.com wrote:
> Hey Robin,
> That may not have been addressed, although sometimes, when you fix one bug, you get several as a bonus :o)
> If not, I may need some specific test records that express the problem, so if anyone sees the issue, or any problems, don't hesitate to send a few records my way!!!
>
> Carter
>
> Carter Bullard
> QoSient LLC
> 150 E. 57th Street Suite 12D
> New York, New York 10022
> +1 212 588-9133 Phone
> +1 212 588-9134 Fax
>
> -----Original Message-----
> From: Robin Gruyters <r.gruyters at yirdis.nl>
> Date: Tue, 12 Dec 2006 12:21:02
> To:argus-info at lists.andrew.cmu.edu
> Subject: Re: [ARGUS] rc.35 backward compatibility issues
>
> Hi ya,
>
> I have just downloaded .rc36 and was wondering if the backward
> compatibility with [s|d]loss was fixed..
>
> Regards,
>
> Robin Gruyters
> Network and Security Engineer
> Yirdis B.V.
> I: http://yirdis.com
> P: +31 (0)36 5300394
> F: +31 (0)36 5489119
>
>
> Quoting Carter Bullard <carter at qosient.com>:
>
> > Hey Philipp,
> > Yes, you are correct, the man record processing may seem a bit weird,
> > and there is a very long story to explain the current state of
> > affairs, that result in client programs not seeing "INIT" man records.
> >
> > However, I suspect that we should do something that doesn't generate
> > confusion. So, I'll put in initial man record counting, and we'll see how
> > that goes.
> >
> > I thought we fixed the [s|d]appbytes 2.x processing? Do you have a small
> > set of records ( >= 1) that shows the error?
> >
> > And, I'm not aware of the srcid getting screwed up, so if you have a set
> > of records that show that, and what the number is suppose to be, that
> > would be most excellent.
> >
> > Carter
> >
> >
> > On Nov 18, 2006, at 12:40 PM, Philipp E. Letschert wrote:
> >
> >> When reading 2.0.6 logfiles with ra 3.x I noticed two oddities:
> >>
> >> - some of the 'man' records are not read at all, so the number of
> >> records is not
> >> in sync with the output of racount. It looks that the missed ones are the
> >> first entries, that are generated when argus starts and creates or
> >> appends to
> >> a logfile.
> >> Probably as a result of this, most of the 'srcid' entries are screwed up.
> >> There are addresses like 5.0.0.66, 5.112.0.66, 5.168.0.66 and so on.
> >>
> >> - when reading 2.0.6 files with ra 3.x the entries for loss, sloss
> >> and dloss are
> >> always zero, even when loss was recorded
> >>
> >> I can live with that - just to let you know...
> >>
> >>
>
>
>
--
/-\
C oo "Das beste Werkzeug wird zum Tand in eines tumben Toren Hand."
_( ^) Daniel Düsentrieb
/ -\
-------------- next part --------------
*** argus_util.c.orig 2006-12-12 14:36:46.432612592 +0100
--- argus_util.c 2006-12-12 14:37:56.347983840 +0100
***************
*** 5807,5813 ****
struct ArgusTCPObject *tcp = (void *)&argus->canon.net.net_union.tcp;
unsigned int status;
! if ((tcp != NULL) && ((status = tcp->state) != 0)) {
if (pkts) {
loss = tcp->src.retrans;
pkts = (argus->canon.metric.src.pkts - loss);
--- 5807,5813 ----
struct ArgusTCPObject *tcp = (void *)&argus->canon.net.net_union.tcp;
unsigned int status;
! if ((tcp != NULL) && ((status = tcp->status) != 0)) {
if (pkts) {
loss = tcp->src.retrans;
pkts = (argus->canon.metric.src.pkts - loss);
***************
*** 5844,5850 ****
struct ArgusTCPObject *tcp = (void *)&argus->canon.net.net_union.tcp;
unsigned int status;
! if ((tcp != NULL) && ((status = tcp->state) != 0)) {
if (pkts) {
loss = tcp->src.retrans;
pkts = (argus->canon.metric.src.pkts - loss);
--- 5844,5850 ----
struct ArgusTCPObject *tcp = (void *)&argus->canon.net.net_union.tcp;
unsigned int status;
! if ((tcp != NULL) && ((status = tcp->status) != 0)) {
if (pkts) {
loss = tcp->src.retrans;
pkts = (argus->canon.metric.src.pkts - loss);
***************
*** 5932,5938 ****
struct ArgusTCPObject *tcp = (void *)&argus->canon.net.net_union.tcp;
unsigned int status;
! if ((tcp != NULL) && ((status = tcp->state) != 0)) {
if (argus->canon.metric.dst.pkts) {
loss = tcp->dst.retrans;
pkts = (argus->canon.metric.dst.pkts - loss);
--- 5932,5938 ----
struct ArgusTCPObject *tcp = (void *)&argus->canon.net.net_union.tcp;
unsigned int status;
! if ((tcp != NULL) && ((status = tcp->status) != 0)) {
if (argus->canon.metric.dst.pkts) {
loss = tcp->dst.retrans;
pkts = (argus->canon.metric.dst.pkts - loss);
***************
*** 5962,5968 ****
struct ArgusTCPObject *tcp = (void *)&argus->canon.net.net_union.tcp;
unsigned int status;
! if ((tcp != NULL) && ((status = tcp->state) != 0)) {
if (argus->canon.metric.dst.pkts) {
loss = tcp->dst.retrans;
pkts = (argus->canon.metric.dst.pkts - loss);
--- 5962,5968 ----
struct ArgusTCPObject *tcp = (void *)&argus->canon.net.net_union.tcp;
unsigned int status;
! if ((tcp != NULL) && ((status = tcp->status) != 0)) {
if (argus->canon.metric.dst.pkts) {
loss = tcp->dst.retrans;
pkts = (argus->canon.metric.dst.pkts - loss);
***************
*** 6052,6058 ****
struct ArgusTCPObject *tcp = (void *)&argus->canon.net.net_union.tcp;
unsigned int status;
! if ((tcp != NULL) && ((status = tcp->state) != 0)) {
if (argus->canon.metric.src.pkts || argus->canon.metric.dst.pkts) {
loss = tcp->src.retrans + tcp->dst.retrans;
pkts = (argus->canon.metric.src.pkts + argus->canon.metric.dst.pkts) - loss;
--- 6052,6058 ----
struct ArgusTCPObject *tcp = (void *)&argus->canon.net.net_union.tcp;
unsigned int status;
! if ((tcp != NULL) && ((status = tcp->status) != 0)) {
if (argus->canon.metric.src.pkts || argus->canon.metric.dst.pkts) {
loss = tcp->src.retrans + tcp->dst.retrans;
pkts = (argus->canon.metric.src.pkts + argus->canon.metric.dst.pkts) - loss;
***************
*** 6082,6088 ****
struct ArgusTCPObject *tcp = (void *)&argus->canon.net.net_union.tcp;
unsigned int status;
! if ((tcp != NULL) && ((status = tcp->state) != 0)) {
if (argus->canon.metric.dst.pkts || argus->canon.metric.dst.pkts) {
loss = tcp->src.retrans + tcp->dst.retrans;
pkts = (argus->canon.metric.dst.pkts + argus->canon.metric.dst.pkts) - loss;
--- 6082,6088 ----
struct ArgusTCPObject *tcp = (void *)&argus->canon.net.net_union.tcp;
unsigned int status;
! if ((tcp != NULL) && ((status = tcp->status) != 0)) {
if (argus->canon.metric.dst.pkts || argus->canon.metric.dst.pkts) {
loss = tcp->src.retrans + tcp->dst.retrans;
pkts = (argus->canon.metric.dst.pkts + argus->canon.metric.dst.pkts) - loss;
***************
*** 6158,6164 ****
struct ArgusTCPObject *tcp = (void *)&argus->canon.net.net_union.tcp;
unsigned int status;
! if ((tcp != NULL) && ((status = tcp->state) != 0)) {
if (argus->canon.metric.src.pkts)
loss = tcp->src.retrans;
}
--- 6158,6164 ----
struct ArgusTCPObject *tcp = (void *)&argus->canon.net.net_union.tcp;
unsigned int status;
! if ((tcp != NULL) && ((status = tcp->status) != 0)) {
if (argus->canon.metric.src.pkts)
loss = tcp->src.retrans;
}
***************
*** 6190,6196 ****
struct ArgusTCPObject *tcp = (void *)&argus->canon.net.net_union.tcp;
unsigned int status;
! if ((tcp != NULL) && ((status = tcp->state) != 0)) {
if (argus->canon.metric.src.pkts)
loss = tcp->src.retrans;
}
--- 6190,6196 ----
struct ArgusTCPObject *tcp = (void *)&argus->canon.net.net_union.tcp;
unsigned int status;
! if ((tcp != NULL) && ((status = tcp->status) != 0)) {
if (argus->canon.metric.src.pkts)
loss = tcp->src.retrans;
}
***************
*** 6256,6262 ****
struct ArgusTCPObject *tcp = (void *)&argus->canon.net.net_union.tcp;
unsigned int status;
! if ((tcp != NULL) && ((status = tcp->state) != 0)) {
if (argus->canon.metric.dst.pkts)
loss = tcp->dst.retrans;
}
--- 6256,6262 ----
struct ArgusTCPObject *tcp = (void *)&argus->canon.net.net_union.tcp;
unsigned int status;
! if ((tcp != NULL) && ((status = tcp->status) != 0)) {
if (argus->canon.metric.dst.pkts)
loss = tcp->dst.retrans;
}
***************
*** 6284,6290 ****
struct ArgusTCPObject *tcp = (void *)&argus->canon.net.net_union.tcp;
unsigned int status;
! if ((tcp != NULL) && ((status = tcp->state) != 0)) {
if (argus->canon.metric.dst.pkts)
loss = tcp->dst.retrans;
}
--- 6284,6290 ----
struct ArgusTCPObject *tcp = (void *)&argus->canon.net.net_union.tcp;
unsigned int status;
! if ((tcp != NULL) && ((status = tcp->status) != 0)) {
if (argus->canon.metric.dst.pkts)
loss = tcp->dst.retrans;
}
***************
*** 6324,6331 ****
--- 6324,6400 ----
{
int len = RaPrintAlgorithmTable[ARGUSPRINTDSTPERCENTLOSS].length;
char tmpbuf[64], *ptr = tmpbuf;
+ unsigned int loss = 0, pkts = 1;
bzero (tmpbuf, sizeof(tmpbuf));
+ if (argus->hdr.type & ARGUS_MAR) {
+
+ } else {
+ struct ArgusFlow *flow = (struct ArgusFlow *)&argus->canon.flow;
+ switch (flow->hdr.subtype & 0x3F) {
+ case ARGUS_FLOW_CLASSIC5TUPLE: {
+ switch ((flow->hdr.argus_dsrvl8.qual & 0x7F)) {
+ case ARGUS_TYPE_IPV4: {
+ switch (argus->canon.flow.ip_flow.ip_p) {
+ case IPPROTO_UDP: {
+ if (argus->canon.net.hdr.subtype == ARGUS_RTP_FLOW) {
+ struct ArgusRTPObject *rtp = (void *)&argus->canon.net.net_union.rtp;
+ loss = rtp->sdrop + rtp->ddrop;
+ }
+ }
+
+ case IPPROTO_ICMP: {
+ break;
+ }
+ case IPPROTO_TCP: {
+ struct ArgusTCPObject *tcp = (void *)&argus->canon.net.net_union.tcp;
+ unsigned int status;
+
+ if ((tcp != NULL) && ((status = tcp->status) != 0)) {
+ if (argus->canon.metric.dst.pkts)
+ loss = tcp->src.retrans + tcp->dst.retrans;
+ }
+ break;
+ }
+ }
+ break;
+ }
+
+ case ARGUS_TYPE_IPV6: {
+ switch (flow->ipv6_flow.ip_p) {
+ case IPPROTO_UDP: {
+ if (argus->canon.net.hdr.subtype == ARGUS_RTP_FLOW) {
+ struct ArgusRTPObject *rtp = (void *)&argus->canon.net.net_union.rtp;
+ loss = rtp->sdrop + rtp->ddrop;
+ }
+ break;
+ }
+
+ case IPPROTO_ICMP: {
+ break;
+ }
+
+ case IPPROTO_TCP: {
+ struct ArgusTCPObject *tcp = (void *)&argus->canon.net.net_union.tcp;
+ unsigned int status;
+
+ if ((tcp != NULL) && ((status = tcp->status) != 0)) {
+ if (argus->canon.metric.dst.pkts)
+ loss = tcp->src.retrans + tcp->dst.retrans;
+ }
+ break;
+ }
+ }
+ }
+ }
+ break;
+ }
+ }
+ if ((pkts = argus->canon.metric.dst.pkts) > 0)
+ sprintf (ptr, "%2.4f", (float)(loss * 100.0)/((pkts + loss) * 1.0));
+ else
+ sprintf (ptr, "%2.4f", 0.0);
+ }
if ((parser->RaFieldDelimiter != ' ') && (parser->RaFieldDelimiter != '\0')) {
switch (parser->RaFieldWidth) {
More information about the argus
mailing list