argus-3.0.0.rc.17 and argus-clients-3.0.0.rc.18

Carter Bullard carter at qosient.com
Wed Jul 12 12:18:24 EDT 2006


Hey Peter, et al.,
    I'm uploading argus-3.0.0.rc.17 and argus-clients-3.0.0.rc.18 for
your testing pleasure.  It has a lot of fixes from your last email, so
hopefully it will handle most of the inconsistencies.

    I fixed argus-3.0 for arp, at least with the test data, it seems to
generate the right results.   I changed the states so they were consistent,
although I will want to change them, but we'll do that after this round of
testing.

     ra3 reading argus2 icmp traffic I'm on that, and it's working
properly now.  I put 'appbytes sappbytes dappbytes' back into argus and
the clients last night, so we'll want to add that to your list for
testing.  That should finish the basic support compatibility features for
argus-3.0.  I still need to put back in the filter support for appbytes
(appbytes gt 1500 and lt 1800) that kind of thing, but that will be a
little later.

    I'm sure you know, but for completeness, the lines with a lot of
fields different are the management records, and that has/will change
considerably, but we need to figure out what fields correspond to what
between management records and data records.

Carter



On Jul 11, 2006, at 11:25 PM, Peter Van Epp wrote:

> On Tue, Jul 11, 2006 at 06:51:32PM -0400, Carter Bullard wrote:
>> The user data is fixed, and it will be up later tonight.
>>
>> I can live with dir and state field changes, as there are going to be
>> changes between the two versions, but icmp state and numbers are a
>> different matter.
>>
>> On arp, looks like the [sd]ttl and [sd]tos are bogus in v2.x, as they
>> come up with zeros?
>>
>> Did you send the test tcpdump file in a previous email?  Could you
>> send it again?
>>
>> Carter
>>
>>
>>
>
>     OK, here are a couple of tcpdump files. Arp (v2 -> v3) isn't as
> broken as I thought, but v3 seems to have a problem:
>
> ./ra_test.pl arp2.argus
> state INT REQ
>
> line: 1 fields in error: state,dtos,sttl,dir,dttl,stos,
> 1151432428.825172,1151432428.825172,1,0.000000,0.000000,142.58.108.254 
> ,142.58.108.123,arp,,,0,0,0,0,64,0,1,0,0.00,0.00,inf, 
> 0.00,0.0000,0.0000,3848370891,q, 
> 0:1:f4:6:98:42,ff:ff:ff:ff:ff:ff,who-has,,,INT,,,,,1,,,0xe217,,
> 1151432428.825172,1151432428.825172,1,0.000000,0.000000,142.58.108.254 
> ,142.58.108.123,arp,,,,,,, 
> 64,0,1,0,0.000,0.000,0.000,0.000,0,0,229.97.122.203, v       , 
> 0:1:f4:6:98:42,ff:ff:ff:ff:ff:ff,who,,,REQ,,,,,1,,,0xe217,,,
>
> state INT REQ
>
> line: 2 fields in error: state,dtos,sttl,dir,dttl,stos,
> 1151432428.802020,1151432428.802020,1,0.000000,0.000000,142.58.213.28, 
> 57.61.61.63,arp,,,0,0,0,0,64,0,1,0,0.00,0.00,inf, 
> 0.00,0.0000,0.0000,3848370891,q,0:30:c1:8b:fb: 
> 5b,ff:ff:ff:ff:ff:ff,who-has,,,INT,,,,,2,,,0x8200,,
> 1151432428.802020,1151432428.802020,1,0.000000,0.000000,142.58.213.28, 
> 57.61.61.63,arp,,,,,,, 
> 64,0,1,0,0.000,0.000,0.000,0.000,0,0,229.97.122.203, v       , 
> 0:30:c1:8b:fb:5b,ff:ff:ff:ff:ff:ff,who,,,REQ,,,,,2,,,0x8200,,,
>
> state INT REQ
>
> line: 3 fields in error: state,dtos,sttl,dir,dttl,stos,
> 1151432428.809495,1151432428.809495,1,0.000000,0.000000,142.58.213.87, 
> 57.61.61.63,arp,,,0,0,0,0,64,0,1,0,0.00,0.00,inf, 
> 0.00,0.0000,0.0000,3848370891,q,0:30:c1:8f: 
> 75:53,ff:ff:ff:ff:ff:ff,who-has,,,INT,,,,,3,,,0x8200,,
> 1151432428.809495,1151432428.809495,1,0.000000,0.000000,142.58.213.87, 
> 57.61.61.63,arp,,,,,,, 
> 64,0,1,0,0.000,0.000,0.000,0.000,0,0,229.97.122.203, v       , 
> 0:30:c1:8f:75:53,ff:ff:ff:ff:ff:ff,who,,,REQ,,,,,3,,,0x8200,,,
>
> state INT REQ
>
> line: 4 fields in error: state,dtos,sttl,dir,dttl,stos,
> 1151432429.040326,1151432429.040326,1,0.000000,0.000000,142.58.65.249, 
> 142.58.65.249,arp,,,0,0,0,0,64,0,1,0,0.00,0.00,inf, 
> 0.00,0.0000,0.0000,3848370891,q, 
> 0:30:65:27:40:a4,ff:ff:ff:ff:ff:ff,who-has,,,INT,,,,,4,,,0x0286,,
> 1151432429.040326,1151432429.040326,1,0.000000,0.000000,142.58.65.249, 
> 142.58.65.249,arp,,,,,,, 
> 64,0,1,0,0.000,0.000,0.000,0.000,0,0,229.97.122.203, v       , 
> 0:30:65:27:40:a4,ff:ff:ff:ff:ff:ff,who,,,REQ,,,,,4,,,0x0286,,,
>
> state INT REQ
>
> line: 5 fields in error: state,dtos,sttl,dir,dttl,stos,
> 1151432429.081145,1151432429.081145,1,0.000000,0.000000,142.58.144.188 
> ,142.58.144.254,arp,,,0,0,0,0,64,0,1,0,0.00,0.00,inf, 
> 0.00,0.0000,0.0000,3848370891,q,0:6:25:79:8:4,ff:ff:ff:ff:ff:ff,who- 
> has,,,INT,,,,,5,,,0x8200,,
> 1151432429.081145,1151432429.081145,1,0.000000,0.000000,142.58.144.188 
> ,142.58.144.254,arp,,,,,,, 
> 64,0,1,0,0.000,0.000,0.000,0.000,0,0,229.97.122.203, v       , 
> 0:6:25:79:8:4,ff:ff:ff:ff:ff:ff,who,,,REQ,,,,,5,,,0x8200,,,
>
> sport v2.0 0
> dport 0 67108930
> dloss 3848370891
> state  SHT
> dwin 0
>
> line: 6 fields in error:  
> sbytes,state,dport,trans,seq,dtos,dwin,dloss,sttl,daddr,dttl,saddr,dby 
> tes,sport,stos,
> 1152672842.450593,1152672842.453922,,0.003329,0.003329,229.97.122.203, 
> 6,man,v2.0,0,0,0,0,0,320,5,5,0,-0.00,-0.00,-0.00,0.00,,3848370891,,,,, 
> ,,SHT,,,,,0,,,,,
> 1152672842.450593,1152672842.453922, ,0.003329,,0,4294967295,man, 
> 0,67108930,,,,,4294967295,100728831,5,0,0.000,0.000,0.000,0.000,,,0.0. 
> 0.0,         ,,,,,,SHT,,,,,6,,,,,,
>
> sport v2.0 0
> dport 0 67108930
> dloss 3848370891
> state  STA
> dwin 0
>
> line: 7 fields in error:  
> sbytes,state,dport,trans,seq,dtos,dwin,dloss,sttl,daddr,dttl,saddr,dby 
> tes,sport,stos,
> 1152673690.913334,1152673690.914062,,0.000728,0.000728,229.97.122.203, 
> 1,man,v2.0,0,0,0,0,0,0,0,0,0,-0.00,-0.00,0.00,0.00,,3848370891,,,,,,,S 
> TA,,,,,0,,,,,
> 1152673690.913334,1152673690.914062, ,0.000728,,0,4294967295,man, 
> 0,67108930,,,,,4294967295,100728831,0,0,0.000,0.000,0.000,0.000,,,229. 
> 97.122.203,         ,,,,,,STA,,,,,1,,,,,,
>
> state INT REQ
>
> line: 8 fields in error: state,dtos,sttl,dir,dttl,stos,
> 1151432428.825172,1151432428.825172,1,0.000000,0.000000,142.58.108.254 
> ,142.58.108.123,arp,,,0,0,0,0,64,0,1,0,0.00,0.00,inf, 
> 0.00,0.0000,0.0000,3848370891,q, 
> 0:1:f4:6:98:42,ff:ff:ff:ff:ff:ff,who-has,,,INT,,,,,1,,,0xe217,,
> 1151432428.825172,1151432428.825172,1,0.000000,0.000000,142.58.108.254 
> ,142.58.108.123,arp,,,,,,, 
> 64,0,1,0,0.000,0.000,0.000,0.000,0,0,229.97.122.203, v       , 
> 0:1:f4:6:98:42,ff:ff:ff:ff:ff:ff,who,,,REQ,,,,,1,,,0xe217,,,
>
> state INT REQ
>
> line: 9 fields in error: state,dtos,sttl,dir,dttl,stos,
> 1151432428.802020,1151432428.802020,1,0.000000,0.000000,142.58.213.28, 
> 57.61.61.63,arp,,,0,0,0,0,64,0,1,0,0.00,0.00,inf, 
> 0.00,0.0000,0.0000,3848370891,q,0:30:c1:8b:fb: 
> 5b,ff:ff:ff:ff:ff:ff,who-has,,,INT,,,,,2,,,0x8200,,
> 1151432428.802020,1151432428.802020,1,0.000000,0.000000,142.58.213.28, 
> 57.61.61.63,arp,,,,,,, 
> 64,0,1,0,0.000,0.000,0.000,0.000,0,0,229.97.122.203, v       , 
> 0:30:c1:8b:fb:5b,ff:ff:ff:ff:ff:ff,who,,,REQ,,,,,2,,,0x8200,,,
>
> state INT REQ
>
> line: 10 fields in error: state,dtos,sttl,dir,dttl,stos,
> 1151432428.809495,1151432428.809495,1,0.000000,0.000000,142.58.213.87, 
> 57.61.61.63,arp,,,0,0,0,0,64,0,1,0,0.00,0.00,inf, 
> 0.00,0.0000,0.0000,3848370891,q,0:30:c1:8f: 
> 75:53,ff:ff:ff:ff:ff:ff,who-has,,,INT,,,,,3,,,0x8200,,
> 1151432428.809495,1151432428.809495,1,0.000000,0.000000,142.58.213.87, 
> 57.61.61.63,arp,,,,,,, 
> 64,0,1,0,0.000,0.000,0.000,0.000,0,0,229.97.122.203, v       , 
> 0:30:c1:8f:75:53,ff:ff:ff:ff:ff:ff,who,,,REQ,,,,,3,,,0x8200,,,
>
> state INT REQ
>
> line: 11 fields in error: state,dtos,sttl,dir,dttl,stos,
> 1151432429.040326,1151432429.040326,1,0.000000,0.000000,142.58.65.249, 
> 142.58.65.249,arp,,,0,0,0,0,64,0,1,0,0.00,0.00,inf, 
> 0.00,0.0000,0.0000,3848370891,q, 
> 0:30:65:27:40:a4,ff:ff:ff:ff:ff:ff,who-has,,,INT,,,,,4,,,0x0286,,
> 1151432429.040326,1151432429.040326,1,0.000000,0.000000,142.58.65.249, 
> 142.58.65.249,arp,,,,,,, 
> 64,0,1,0,0.000,0.000,0.000,0.000,0,0,229.97.122.203, v       , 
> 0:30:65:27:40:a4,ff:ff:ff:ff:ff:ff,who,,,REQ,,,,,4,,,0x0286,,,
>
> state INT REQ
>
> line: 12 fields in error: state,dtos,sttl,dir,dttl,stos,
> 1151432429.081145,1151432429.081145,1,0.000000,0.000000,142.58.144.188 
> ,142.58.144.254,arp,,,0,0,0,0,64,0,1,0,0.00,0.00,inf, 
> 0.00,0.0000,0.0000,3848370891,q,0:6:25:79:8:4,ff:ff:ff:ff:ff:ff,who- 
> has,,,INT,,,,,5,,,0x8200,,
> 1151432429.081145,1151432429.081145,1,0.000000,0.000000,142.58.144.188 
> ,142.58.144.254,arp,,,,,,, 
> 64,0,1,0,0.000,0.000,0.000,0.000,0,0,229.97.122.203, v       , 
> 0:6:25:79:8:4,ff:ff:ff:ff:ff:ff,who,,,REQ,,,,,5,,,0x8200,,,
>
> sport v2.0 0
> dport 0 67108930
> dloss 3848370891
> state  SHT
> dwin 0
>
> line: 13 fields in error:  
> sbytes,state,dport,trans,seq,dtos,dwin,dloss,sttl,daddr,dttl,saddr,dby 
> tes,sport,stos,
> 1152673690.914062,1152673690.919433,,0.005371,0.005371,229.97.122.203, 
> 6,man,v2.0,0,0,0,0,0,320,5,5,0,-0.00,-0.00,-0.00,0.00,,3848370891,,,,, 
> ,,SHT,,,,,0,,,,,
> 1152673690.914062,1152673690.919433, ,0.005371,,0,4294967295,man, 
> 0,67108930,,,,,4294967295,100728831,5,0,0.000,0.000,0.000,0.000,,,229. 
> 97.122.203,         ,,,,,,SHT,,,,,6,,,,,,
>
> but ra3 seems broken:
>
> ra3 -Fra3.conf.full -r arp3.argus
> StartTime,LastTime,Trans,Dur,AvgDur,SrcAddr,DstAddr,Proto,Sport,Dport, 
> sTos,dTos,sTtl,dTtl,SrcBytes,DstBytes,SrcPkts,DstPkts,Src_bps,Dst_bps, 
> Src_pps,Dst_pps,SrcLoss,DstLoss,SrcId,Flgs,SrcMac,DstMac,Dir,SrcJitter 
> ,DstJitter,State,srcUdata,dstUdata,SrcWin,DstWin,Seq,sMpls,dMpls,sVlan 
> ,dVlan,sIpId,dIpId
> 1151432428.802020,1151432428.802020,1,0.000000,0.000000,c1:8b:fb:5b: 
> 0:0,39:3d:3d:3f:0:30,rarp,,,,,,, 
> 64,0,1,0,0.000,0.000,0.000,0.000,0,0,0.0.0.0,  
> v       ,,,tel,,,REQ,,,,,0,,,0x8200,,,
> 1151432428.809495,1151432428.809495,1,0.000000,0.000000,c1:8f: 
> 75:53:0:0,39:3d:3d:3f:0:30,rarp,,,,,,, 
> 64,0,1,0,0.000,0.000,0.000,0.000,0,0,0.0.0.0,  
> v       ,,,tel,,,REQ,,,,,1,,,0x8200,,,
> 1151432428.825172,1151432428.825172,1,0.000000,0.000000,f4:6:98:42:0:0 
> ,8e:3a:6c:7b:0:1,rarp,,,,,,, 
> 64,0,1,0,0.000,0.000,0.000,0.000,0,0,0.0.0.0,  
> v       ,,,tel,,,REQ,,,,,2,,,0xe217,,,
> 1151432429.040326,1151432429.040326,1,0.000000,0.000000,142.58.65.249, 
> 142.58.65.249,arp,,,,,,, 
> 64,0,1,0,0.000,0.000,0.000,0.000,0,0,0.0.0.0,  
> v       ,,,who,,,REQ,,,,,3,,,0x0286,,,
> 1151432429.081145,1151432429.081145,1,0.000000,0.000000,142.58.144.188 
> ,142.58.144.254,arp,,,,,,, 
> 64,0,1,0,0.000,0.000,0.000,0.000,0,0,0.0.0.0,  
> v       ,,,who,,,REQ,,,,,4,,,0x8200,,,
> 1152672855.781235,1152672855.785584, ,0.004349,,0,39,man, 
> 0,1,,,,,39,419048,5,6,0.000,0.000,0.000,0.000,,,0.0.0.0,         ,,,,, 
> ,STP,,,,,0,,,,,,
> 0.000000,1152673704.323094, ,1152673704.323094,,0,0,man, 
> 0,0,,,,,0,0,0,0,0.000,0.000,0.000,0.000,,,0.0.0.0,         ,,,,,,STA,, 
> ,,,0,,,,,,
> 1151432428.802020,1151432428.802020,1,0.000000,0.000000,c1:8b:fb:5b: 
> 0:0,39:3d:3d:3f:0:30,rarp,,,,,,, 
> 64,0,1,0,0.000,0.000,0.000,0.000,0,0,0.0.0.0,  
> v       ,,,tel,,,REQ,,,,,0,,,0x8200,,,
> 1151432428.809495,1151432428.809495,1,0.000000,0.000000,c1:8f: 
> 75:53:0:0,39:3d:3d:3f:0:30,rarp,,,,,,, 
> 64,0,1,0,0.000,0.000,0.000,0.000,0,0,0.0.0.0,  
> v       ,,,tel,,,REQ,,,,,1,,,0x8200,,,
> 1151432428.825172,1151432428.825172,1,0.000000,0.000000,f4:6:98:42:0:0 
> ,8e:3a:6c:7b:0:1,rarp,,,,,,, 
> 64,0,1,0,0.000,0.000,0.000,0.000,0,0,0.0.0.0,  
> v       ,,,tel,,,REQ,,,,,2,,,0xe217,,,
> 1151432429.040326,1151432429.040326,1,0.000000,0.000000,142.58.65.249, 
> 142.58.65.249,arp,,,,,,, 
> 64,0,1,0,0.000,0.000,0.000,0.000,0,0,0.0.0.0,  
> v       ,,,who,,,REQ,,,,,3,,,0x0286,,,
> 1151432429.081145,1151432429.081145,1,0.000000,0.000000,142.58.144.188 
> ,142.58.144.254,arp,,,,,,, 
> 64,0,1,0,0.000,0.000,0.000,0.000,0,0,0.0.0.0,  
> v       ,,,who,,,REQ,,,,,4,,,0x8200,,,
> 1152673704.320780,1152673704.324686, ,0.003906,,0,39,man, 
> 0,1,,,,,39,419048,5,6,0.000,0.000,0.000,0.000,,,0.0.0.0,         ,,,,, 
> ,STP,,,,,0,,,,,,
>
>
>     icmp seems to be entirely broken on V3 at the moment; ra3 gives no
> output on a v2 stream:
>
>
> ./ra_test.pl icmp2.argus
> smac 0:7:e9:5d:54:bc
> state ECO
> svlan 0x8200
> dipid 0x6975
>
> line: 1 fields in error:  
> smac,sbytes,state,trans,seq,dtos,sipid,proto,end,daddr,sttl,start,dmac 
> ,dur,spkts,dir,dpkts,dipid,dttl,saddr,dbytes,svlan,stos,
> 1151432428.911941,1151432428.911941,1,0.000000,0.000000,142.58.201.99, 
> 142.58.201.254,icmp,,,0,0,64,0,102,0,1,0,0.00,0.00,inf, 
> 0.00,0.0000,0.0000,3848370891,q,0:7:e9:5d:54:bc,0:11:88:5:5d:1d,- 
> >,,,ECO,,,,,1,,,0x8200,,0x6975
>
>
> smac 0:7:e9:5d:54:bc
> state ECO
> svlan 0x8200
> dipid 0x6976
>
> line: 2 fields in error:  
> smac,sbytes,state,trans,seq,dtos,sipid,proto,end,sttl,daddr,start,dmac 
> ,spkts,dur,dir,dpkts,dipid,dttl,saddr,dbytes,svlan,stos,
> 1151432428.911946,1151432428.911946,1,0.000000,0.000000,142.58.201.99, 
> 142.58.201.254,icmp,,,0,0,64,0,102,0,1,0,0.00,0.00,inf, 
> 0.00,0.0000,0.0000,3848370891,q,0:7:e9:5d:54:bc,0:11:88:5:5d:1d,- 
> >,,,ECO,,,,,2,,,0x8200,,0x6976
>
>
> ra3 -Fra3.conf.full -r icmp2.argus
> %
>
> but does ok on v3 output:
>
> ra3 -Fra3.conf.full -r icmp3.argus
> StartTime,LastTime,Trans,Dur,AvgDur,SrcAddr,DstAddr,Proto,Sport,Dport, 
> sTos,dTos,sTtl,dTtl,SrcBytes,DstBytes,SrcPkts,DstPkts,Src_bps,Dst_bps, 
> Src_pps,Dst_pps,SrcLoss,DstLoss,SrcId,Flgs,SrcMac,DstMac,Dir,SrcJitter 
> ,DstJitter,State,srcUdata,dstUdata,SrcWin,DstWin,Seq,sMpls,dMpls,sVlan 
> ,dVlan,sIpId,dIpId
> 1151432428.911941,1151432428.911941,1,0.000000,0.000000,142.58.201.99, 
> 142.58.201.254,icmp,,, 
> 0,,64,,102,0,1,0,0.000,0.000,0.000,0.000,0,100,0.0.0.0, v       ,,,- 
> >,,,ECO,,,,,0,,,0x8200,,0x0000,
> 1151432428.911946,1151432428.911946,1,0.000000,0.000000,142.58.201.99, 
> 142.58.201.254,icmp,,, 
> 0,,64,,102,0,1,0,0.000,0.000,0.000,0.000,0,100,0.0.0.0, v       ,,,- 
> >,,,ECO,,,,,1,,,0x8200,,0x0000,
> 1151432428.911951,1151432428.911951,1,0.000000,0.000000,142.58.201.99, 
> 142.58.201.254,icmp,,, 
> 0,,64,,102,0,1,0,0.000,0.000,0.000,0.000,0,100,0.0.0.0, v       ,,,- 
> >,,,ECO,,,,,2,,,0x8200,,0x0000,
> 1151432428.991397,1151432428.991397,1,0.000000,0.000000,142.58.173.178 
> ,142.58.103.16,icmp,,, 
> 0,,128,,78,0,1,0,0.000,0.000,0.000,0.000,0,100,0.0.0.0, v       ,,,- 
> >,,,ECO,,,,,3,,,0x8200,,0xa931,
> 1151432429.017558,1151432429.017558,1,0.000000,0.000000,142.58.96.68,1 
> 42.58.103.16,icmp,,, 
> 0,,31,,78,0,1,0,0.000,0.000,0.000,0.000,0,100,0.0.0.0, v       ,,,- 
> >,,,ECO,,,,,4,,,0x8200,,0x2884,
>
> Peter Van Epp / Operations and Technical Support
> Simon Fraser University, Burnaby, B.C. Canada
> <arp2.argus>
> <arp3.argus>
> <arp.tcp>
> <icmp2.argus>
> <icmp3.argus>
> <icmp.tcp>
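The field-by-field comparison that Peter's ra_test.pl reports above ("line: 1 fields in error: state,dtos,sttl,dir,dttl,stos") can be reproduced on the first ARP record from the thread. This is an added example, not Peter's script and not argus code: it aligns the v2 and v3 rows to the ra3 header quoted above, and its comparison rules are assumptions (numeric fields compared as numbers, the decimal v2 SrcId converted to the dotted quad v3 prints, "inf" from a zero-duration v2 flow treated as 0, and the Flgs column ignored since the two versions encode it differently).

```python
"""Compare one argus-2 and one argus-3 'ra' CSV record column by column.
Added example approximating the check ra_test.pl performs; rules are assumptions."""
import ipaddress

# Column names as printed by 'ra3 -Fra3.conf.full' in the thread (line wraps joined)
RA3_HEADER = ("StartTime,LastTime,Trans,Dur,AvgDur,SrcAddr,DstAddr,Proto,Sport,"
    "Dport,sTos,dTos,sTtl,dTtl,SrcBytes,DstBytes,SrcPkts,DstPkts,Src_bps,Dst_bps,"
    "Src_pps,Dst_pps,SrcLoss,DstLoss,SrcId,Flgs,SrcMac,DstMac,Dir,SrcJitter,"
    "DstJitter,State,srcUdata,dstUdata,SrcWin,DstWin,Seq,sMpls,dMpls,sVlan,"
    "dVlan,sIpId,dIpId").split(",")
IGNORED = {"Flgs"}   # assumption: 'q' vs ' v       ' is a presentation change

def normalise(name, value):
    """Canonicalise a field so cosmetic v2/v3 differences compare equal."""
    value = value.strip()
    if name == "SrcId" and value.isdigit():    # v2 3848370891 == v3 229.97.122.203
        return str(ipaddress.IPv4Address(int(value)))
    if value == "inf":                         # v2 rate over a zero-duration flow
        value = "0"
    try:
        return repr(float(value))              # '0.00' and '0.000' compare equal
    except ValueError:
        return value                           # '' stays '' and differs from '0'

def diff_records(v2_line, v3_line, header=RA3_HEADER):
    """Return header names of the columns whose values differ between the rows."""
    v2, v3 = v2_line.split(","), v3_line.split(",")
    width = max(len(v2), len(v3), len(header))
    v2 += [""] * (width - len(v2))             # the v2 row is one column shorter
    v3 += [""] * (width - len(v3))
    names = header + ["col%d" % i for i in range(len(header), width)]
    return [n for n, a, b in zip(names, v2, v3)
            if n not in IGNORED and normalise(n, a) != normalise(n, b)]

# First ARP record from the thread: v2 output, then v3 output (line wraps joined)
V2_ARP = ("1151432428.825172,1151432428.825172,1,0.000000,0.000000,142.58.108.254,"
    "142.58.108.123,arp,,,0,0,0,0,64,0,1,0,0.00,0.00,inf,0.00,0.0000,0.0000,"
    "3848370891,q,0:1:f4:6:98:42,ff:ff:ff:ff:ff:ff,who-has,,,INT,,,,,1,,,0xe217,,")
V3_ARP = ("1151432428.825172,1151432428.825172,1,0.000000,0.000000,142.58.108.254,"
    "142.58.108.123,arp,,,,,,,64,0,1,0,0.000,0.000,0.000,0.000,0,0,229.97.122.203,"
    " v       ,0:1:f4:6:98:42,ff:ff:ff:ff:ff:ff,who,,,REQ,,,,,1,,,0xe217,,,")

if __name__ == "__main__":
    print("fields in error:", ",".join(diff_records(V2_ARP, V3_ARP)))
```

The same six columns Peter lists come out, under the ra3 names: sTos, dTos, sTtl, dTtl, Dir and State.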



