argus-clients-3.0.0.rc.15
Carter Bullard
carter at qosient.com
Mon Jul 10 12:13:03 EDT 2006
Hey Peter,
The ARGUS_ICMP_DSR provides the information when a flow
has an ICMP packet mapped to it, primarily for unreachables,
so we can know what intermediate node (inode) complained.
This is useful for traceroute tracking, but also for loop detection
and analysis. In this case, the flow key and the network layer
info are the values for the flow parent.
You are interested in getting the ARGUS_NETWORK_DSR right
when the flow is an ICMP flow (flow->flow_union.ip.ip_p ==
IPPROTO_ICMP).
The ARGUS_NETWORK_DSR (network layer info) should be
populated with all the available information, probably after
the options status flags are set right.
I'll put it in now.
Carter
On Jul 10, 2006, at 11:22 AM, Peter Van Epp wrote:
> In addition to the user data printing, I also haven't been able to
> figure out how to cause common/argus_util.c:ArgusConvertRecord to
> put the icmp data in to net->net.union.icmp where the data handling
> routine is expecting to find it (and thus thinks everything is an ECR
> when the type field is the default 0). This doesn't seem to work:
>
> case ARGUS_V2_ICMP_DSR_STATUS: {
>    struct ArgusV2ICMPObject *nv2icmp = (struct ArgusV2ICMPObject *)hdrs[ARGUS_V2_ICMP_DSR_INDEX];
>    struct ArgusV2FarStruct *far = (struct ArgusV2FarStruct *)hdrs[ARGUS_V2_FAR_DSR_INDEX];
>    struct ArgusNetworkStruct *net = (struct ArgusNetworkStruct *) dsr;
>    struct ArgusIcmpStruct *icmp = (struct ArgusIcmpStruct *) &net->net_union.icmp;
>
>    icmp->hdr.type = ARGUS_NETWORK_DSR;
>    icmp->hdr.subtype = 0;
>    ...
>
> Peter Van Epp / Operations and Technical Support
> Simon Fraser University, Burnaby, B.C. Canada
>
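The point of the exchange above, as an added illustration that is not argus code: the network DSR must be filled from the ICMP header only when the flow's protocol really is ICMP, and a record left at its zero default is indistinguishable from an echo reply (type 0). The `demo_*` structs and functions below are hypothetical simplifications; the real `ArgusNetworkStruct` and `ArgusIcmpStruct` layouts differ.

```c
#include <stdint.h>
#include <string.h>
#include <netinet/in.h>   /* IPPROTO_ICMP, IPPROTO_TCP */

/* RFC 792 message types used here (hypothetical names, real values). */
#define ICMP_TYPE_ECHOREPLY 0
#define ICMP_TYPE_UNREACH   3

/* Simplified stand-ins for the argus flow and network DSR structures. */
struct demo_flow     { uint8_t ip_p; uint32_t saddr, daddr; };
struct demo_icmp_hdr { uint8_t type, code; };

struct demo_net_dsr {
    int populated;                 /* 0 until the DSR is actually filled */
    union {
        struct { uint8_t type, code; uint32_t inode; } icmp;
    } net_union;
};

/* Fill the network DSR for an ICMP flow. Returns 1 when the flow is ICMP
 * and the DSR was populated, 0 when the DSR was left zeroed. `inode` is
 * the intermediate node that sent the message (meaningful for errors). */
int demo_fill_network_dsr(const struct demo_flow *flow,
                          const struct demo_icmp_hdr *ih,
                          uint32_t inode, struct demo_net_dsr *net)
{
    memset(net, 0, sizeof *net);
    if (flow->ip_p != IPPROTO_ICMP)
        return 0;                  /* not an ICMP flow: nothing to record */

    net->net_union.icmp.type = ih->type;
    net->net_union.icmp.code = ih->code;
    /* Only error messages such as unreachables name the complaining node. */
    if (ih->type == ICMP_TYPE_UNREACH)
        net->net_union.icmp.inode = inode;
    net->populated = 1;
    return 1;
}

/* The symptom from the thread: a zeroed DSR reads as ECR (echo reply,
 * type 0) whether or not anyone filled it, so `populated` is needed
 * to tell "echo reply" from "never set". */
int demo_looks_like_echo_reply(const struct demo_net_dsr *net)
{
    return net->net_union.icmp.type == ICMP_TYPE_ECHOREPLY;
}
```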