argus-clients-3.0.0.rc.17
Peter Van Epp
vanepp at sfu.ca
Wed Jul 12 12:48:05 EDT 2006
We are much closer :-). rc.17 looks to have fixed icmp (and the
apparent shutdown when it hit icmp in a v2 file). The window stuff seems to
have fallen off though (both unsigned and window multiplier not being 0ed).
There is a patch on the end that fixes these two. I think we want to remove
the tests of the form "|| (vlan->sid > 0)" in the various vlan print routines.
VLAN 0 is legal (if unusual, it is the default VLAN on our switches which would
usually make it an error) and if we have a VLAN tag then any value should be
legal and displayed. I'm not sure that V2 isn't in fact incorrect in the one
below (I'd need to look at the tcpdump output) because nothing should be on
VLAN 0 in our case but if we really have something in there I expect it should
be displayed.
swin 17173 1409286144
dvlan 0x0000
line: 497 fields in error: swin,dvlan,duser,
1151432920.109687,1151432920.313670,1,0.203983,0.203983,64.180.17.158,142.58.211
.84,tcp,61158,80,0,0,255,255,1032,2409,6,6,40473.96,94478.46,29.41,29.41,0.0000,
0.0000,3848370891,q,0:f:1f:3:f5:79,0:11:88:5:5d:1d,->,0.000000,57382.969717,FIN,
,d[16]="HTTP/1.1200OK.",17173,0,196371,,,0x00d3,0x0000,0x0e72
1151432920.109687,1151432920.313670,1,0.203983,0.203983,64.180.17.158,142.58.211
.84,tcp,61158,80,0,0,255,255,1032,2409,6,6,40473.961,94478.461,29.414,29.414,0,0
,229.97.122.203, v ,0:f:1f:3:f5:79,0:11:88:5:5d:1d,->,,57382.57,FIN,,d[16]
="HTTP/1.1 200 OK.",1409286144,0,196371,,,0x00d3,,0x0e72,0x0e72
swin 65535 -67108864
dvlan 0x0000
line: 498 fields in error: swin,dvlan,duser,
1151432920.105273,1151432920.360119,1,0.254846,0.254846,205.250.173.13,142.58.21
1.84,tcp,51398,80,0,0,255,255,1190,6239,9,9,37355.89,195851.61,35.32,35.32,0.000
0,0.0000,3848370891,q,0:f:1f:3:f5:79,0:11:88:5:5d:1d,->,0.000000,44076.967869,FI
N,,d[16]="HTTP/1.1200OK.",65535,0,196370,,,0x00d3,0x0000,0xce8d
1151432920.105273,1151432920.360119,1,0.254846,0.254846,205.250.173.13,142.58.21
1.84,tcp,51398,80,0,0,255,255,1190,6239,9,9,37355.891,195851.609,35.315,35.315,0
,0,229.97.122.203, v ,0:f:1f:3:f5:79,0:11:88:5:5d:1d,->,,44076.59,FIN,,d[1
6]="HTTP/1.1 200 OK.",-67108864,0,196370,,,0x00d3,,0xce8d,0xce8d
ICMP port numbers are printing in V3 which they shouldn't be (they were
counts in V2 I think) but may want to in V3 for some other reason. The loss
should be 100% I think since no replies were received but is in practice 0
(no code there to calculate loss I don't think):
sport 8
dport 0
dloss 100.0000 0
line: 14 fields in error: dport,dloss,sport,
1151432499.169776,1151433399.232974,1,900.063198,900.063198,142.58.215.98,142.58
.103.20,icmp,,,0,0,255,0,514,0,7,0,4.57,0.00,0.01,0.00,0.0000,100.0000,384837089
1,q,0:11:43:c1:b3:3f,0:11:88:5:5d:1d,->,,,ECO,s[16]="...S....ABCDEFGH",,,,18864,
,,0x80d7,,0xffff
1151432499.169776,1151433399.232974,1,900.063198,900.063171,142.58.215.98,142.58
.103.20,icmp,8,0,0,0,255,0,514,0,7,0,4.569,0.000,0.008,0.000,0,0,229.97.122.203,
v ,0:11:43:c1:b3:3f,0:11:88:5:5d:1d,->,,,ECO,s[16]="...S....ABCDEFGH",,,,
18864,,,0x80d7,,0xffff,0xffff
arp looks good (I'll have to try and find one of the rarp entries :-)).
state INT REQ
line: 41 fields in error: state,dtos,sttl,dir,dttl,stos,
1151432453.704173,1151432453.704173,1,0.000000,0.000000,142.58.209.114,142.58.20
9.96,arp,,,0,0,0,0,64,0,1,0,0.00,0.00,inf,0.00,0.0000,0.0000,3848370891,q,0:d0:b
7:1a:7f:73,ff:ff:ff:ff:ff:ff,who-has,,,INT,s[16]=".:.`............",,,,18829,,,0
x8200,,
1151432453.704173,1151432453.704173,1,0.000000,0.000000,142.58.209.114,142.58.20
9.96,arp,,,,,,,64,0,1,0,0.000,0.000,0.000,0.000,0,0,229.97.122.203, v ,0:d
0:b7:1a:7f:73,ff:ff:ff:ff:ff:ff,who,,,REQ,s[16]=".:.`............",,,,18829,,,0x
8200,,,
Don't know which loss calculation is correct here:
sloss 7.1429 0
dvlan 0x0000
line: 43 fields in error: sloss,dvlan,duser,
1151432453.694309,1151432456.659529,1,2.965220,2.965220,154.20.50.167,142.58.217
.11,tcp,60785,80,0,0,255,255,2229,1217,14,10,6013.72,3283.40,4.72,3.37,7.1429,0.
0000,3848370891,qs,0:50:da:93:0:5f,0:11:88:5:5d:1d,->,0.000000,726745.225435,FIN
,,d[16]="HTTP/1.1200OK.",17083,0,18827,,,0x0200,0x0000,0x09a2
1151432453.694309,1151432456.659529,1,2.965220,2.965220,154.20.50.167,142.58.217
.11,tcp,60785,80,0,0,255,255,2229,1217,14,10,6013.719,3283.399,4.721,3.372,0,0,2
29.97.122.203, vs ,0:50:da:93:0:5f,0:11:88:5:5d:1d,->,,726745.15,FIN,,d[16]
="HTTP/1.1 200 OK.",17083,0,18827,,,0x0200,,0x09a2,0x09a2
Looks like I spoke too soon on icmp, ECR looks incorrect:
sport 8
dport 0
sloss 100.0000 0
state ECR ECO
dvlan 0x0000
line: 180 fields in error: state,dport,sloss,dvlan,sport,
1151432498.469403,1151433416.767165,1,918.297762,918.297762,142.58.211.84,206.25
1.233.109,icmp,,,0,0,64,0,288,0,3,0,2.51,0.00,0.00,0.00,100.0000,0.0000,38483708
91,q,0:f:1f:3:f5:79,0:11:88:5:5d:1d,->,,,ECR,s[16]="..).....l]......",,,,18593,,
,0x80d3,,0xffff
1151432498.469403,1151433416.767165,1,918.297762,918.297791,142.58.211.84,206.25
1.233.109,icmp,8,0,0,0,64,0,288,0,3,0,2.509,0.000,0.003,0.000,0,0,229.97.122.203
, v ,0:f:1f:3:f5:79,0:11:88:5:5d:1d,->,,,ECO,s[16]="..).....l]......",,,,1
8593,,,0x80d3,0x0000,0xffff,0xffff
looks like the V2 jitter is incorrect (probably a divide by 0):
sloss 6.9767 0
dloss 1.9231 0
sjit nan 283.955196
line: 184 fields in error: dloss,dir,sloss,sjit,
1151432453.179297,1151433425.553945,1,972.374648,972.374648,142.58.197.151,142.5
8.201.38,tcp,139,1225,0,0,255,255,42358,81390,172,208,348.49,669.62,0.18,0.21,6.
9767,1.9231,3848370891,q*,0:40:10:16:a8:b6,0:11:88:5:5d:1d,?>,nan,45788955.89735
2,CON,s[16]="....#.SMBq......",d[16]="...#.SMBq.......",65358,64249,18588,,,0x82
00,0x8200,0xa776
1151432453.179297,1151433425.553945,1,972.374648,972.374634,142.58.197.151,142.5
8.201.38,tcp,139,1225,0,0,255,255,42358,81390,172,208,348.491,669.618,0.177,0.21
4,0,0,229.97.122.203, v* ,0:40:10:16:a8:b6,0:11:88:5:5d:1d,<?>,283.955196,4
5788955.39,CON,s[16]="....#.SMBq......",d[16]="...#.SMBq.......",65358,64249,185
88,,,0x8200,0x8200,0xa776,0xa776
it's a little unhappy with an llc frame (although by and large correct):
sport 0
dport 0
state CON INT
line: 197 fields in error: state,dport,dtos,proto,sttl,dttl,sport,stos,
1151432453.124692,1151432453.124692,1,0.000000,0.000000,0:e0:63:82:59:b,ab:0:0:2
:0:0,decr,,,0,0,0,0,80,0,1,0,0.00,0.00,inf,0.00,0.0000,0.0000,3848370891,q,0:e0:
63:82:59:b,ab:0:0:2:0:0,->,,,CON,s[16]="<..............A",,,,18575,,,0x0286,,
1151432453.124692,1151432453.124692,1,0.000000,0.000000,0:e0:63:82:59:b,ab:0:0:2
:0:0,33024,0,0,,,,,80,0,1,0,0.000,0.000,0.000,0.000,0,0,229.97.122.203, v
,0:e0:63:82:59:b,ab:0:0:2:0:0,->,,,INT,s[16]="<..............A",,,,18575,,,0x028
6,,,
and rarp appears to have problems:
%ra -Fra2.conf.full -r rarp2.argus
StartTime,LastTime,Trans,Dur,AvgDur,SrcAddr,DstAddr,Type,Sport,Dport,SrcTOS,DstTOS,SrcTTL,DstTTL,SrcBytes,DstBytes,SrcPkt,DstPkt,Src_bps,Dst_bps,Src_pps,Dst_pps,Src_Loss,Dst_Loss,ProbeId,Flgs,SrcMacAddr,DstMacAddr,Dir,SrcJitter,DstJitter,State,srcUdata,dstUdata,SrcWin,DstWin,Seq,sMPLS,dMPLS,sVLAN,dVLAN,IpId
1152722854.270658,1152722854.271563,,0.000905,0.000905,229.97.122.203,1,man,v2.0,0,0,0,0,0,0,0,0,0,-0.00,-0.00,0.00,0.00,,3848370891,,,,,,,STA,,,,,0,,,,,
Segmentation fault (core dumped)
%ra3 -Fra3.conf.full -r rarp2.argus
StartTime,LastTime,Trans,Dur,AvgDur,SrcAddr,DstAddr,Proto,Sport,Dport,sTos,dTos,sTtl,dTtl,SrcBytes,DstBytes,SrcPkts,DstPkts,Src_bps,Dst_bps,Src_pps,Dst_pps,SrcLoss,DstLoss,SrcId,Flgs,SrcMac,DstMac,Dir,SrcJitter,DstJitter,State,srcUdata,dstUdata,SrcWin,DstWin,Seq,sMpls,dMpls,sVlan,dVlan,sIpId,dIpId
1151432432.069082,1151432432.069082,1,0.000000,0.000000,0.0.0.0,254.32.0.8,arp,,,,,,,68,0,1,0,0.000,0.000,0.000,0.000,0,0,229.97.122.203, v ,8:0:20:fe:f1:47,ff:ff:ff:ff:ff:ff,who,,,REQ,,,,,1,,,0x0200,,,
1152722854.271563,1152722854.274918, ,0.003355,,0,4294967295,man,0,67108930,,,,,4294967295,589823,1,0,0.000,0.000,0.000,0.000,,,0.0.0.0, ,,,,,,SHT,,,,,2,,,,,,
%tcpdump -r rarp.tcp -n
reading from file rarp.tcp, link-type EN10MB (Ethernet)
11:20:32.069082 rarp who-is 08:00:20:fe:f1:47 tell 08:00:20:fe:f1:47
%
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
*** common/argus_util.c.orig Wed Jul 12 08:35:52 2006
--- common/argus_util.c Wed Jul 12 08:41:51 2006
***************
*** 6241,6247 ****
switch (flow->ip_flow.ip_p) {
case IPPROTO_TCP: {
int win = tcp->src.win << tcp->src.winshift;
! sprintf (winbuf, "%d", win);
break;
}
default:
--- 6241,6247 ----
switch (flow->ip_flow.ip_p) {
case IPPROTO_TCP: {
int win = tcp->src.win << tcp->src.winshift;
! sprintf (winbuf, "%u", win);
break;
}
default:
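Review bot: `win` is still declared `int` on the line before the changed `sprintf`, so passing it to `%u` is a format/argument type mismatch; declare it `unsigned int win = tcp->src.win << tcp->src.winshift;` so the variable and the conversion agree. The same `int`/`%u` pairing appears in the hunks at 6253, 6303 and 6315. `winshift` is read from the record being printed; if its type admits values of 32 or more the shift is undefined behaviour, so a range check (the TCP window-scale option allows at most 14) before shifting would keep the printer robust against a malformed file — the field's type is not visible here, so it may already be constrained. The enclosing function starts and ends outside the hunk.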
***************
*** 6253,6259 ****
switch (flow->ipv6_flow.ip_p) {
case IPPROTO_TCP: {
int win = tcp->src.win << tcp->src.winshift;
! sprintf (winbuf, "%d", win);
break;
}
default:
--- 6253,6259 ----
switch (flow->ipv6_flow.ip_p) {
case IPPROTO_TCP: {
int win = tcp->src.win << tcp->src.winshift;
! sprintf (winbuf, "%u", win);
break;
}
default:
***************
*** 6303,6309 ****
switch (flow->ip_flow.ip_p) {
case IPPROTO_TCP: {
int win = tcp->dst.win << tcp->src.winshift;
! sprintf (winbuf, "%d", win);
break;
}
default:
--- 6303,6309 ----
switch (flow->ip_flow.ip_p) {
case IPPROTO_TCP: {
int win = tcp->dst.win << tcp->src.winshift;
! sprintf (winbuf, "%u", win);
break;
}
default:
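Review bot: The destination window on the line above the changed `sprintf` is scaled by the source's shift, `tcp->dst.win << tcp->src.winshift`, while the source branch at 6241 uses `tcp->src.winshift` for the source window. Each direction advertises its own window scale, and the hunk at 12806 zeroes a separate `tcp->dst.winshift` field, so this presumably should read `tcp->dst.win << tcp->dst.winshift`; if the structure deliberately prints both sides with the source shift, a comment saying so would stop the next reader from "fixing" it. The IPv6 branch at 6315 has the same pairing. The enclosing function starts and ends outside the hunk.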
***************
*** 6315,6321 ****
switch (flow->ipv6_flow.ip_p) {
case IPPROTO_TCP: {
int win = tcp->dst.win << tcp->src.winshift;
! sprintf (winbuf, "%d", win);
break;
}
default:
--- 6315,6321 ----
switch (flow->ipv6_flow.ip_p) {
case IPPROTO_TCP: {
int win = tcp->dst.win << tcp->src.winshift;
! sprintf (winbuf, "%u", win);
break;
}
default:
***************
*** 12797,12802 ****
--- 12797,12803 ----
tcp->src.status = 0; tcp->src.seq = 0;
tcp->src.ack = 0; tcp->src.winnum = 0;
tcp->src.winbytes = 0; tcp->src.state = 0;
+ tcp->src.winshift = 0;
tcp->dst.seqbase = nv2tcp->dst.seqbase;
tcp->dst.ackbytes = nv2tcp->dst.ackbytes;
tcp->dst.bytes = nv2tcp->dst.bytes;
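Review bot: The added `tcp->src.winshift = 0;` has no comment saying why the field must be reset here, and the neighbouring zeroing lines give no hint; add `/* v2 records carry no window scale: clear it so the v3 window print does not shift by stale data */` above it. Without the reset the shift in the window printer uses whatever the struct already held, which is consistent with the negative `swin` values reported earlier in the post. The enclosing conversion function starts before the hunk and continues past it; the dst side is cleared in the following hunk.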
***************
*** 12806,12811 ****
--- 12807,12813 ----
tcp->dst.status = 0; tcp->dst.seq = 0;
tcp->dst.ack = 0; tcp->dst.winnum = 0;
tcp->dst.winbytes = 0; tcp->dst.state = 0;
+ tcp->dst.winshift = 0;
dsr += net->hdr.argus_dsrvl8.len;
argus->hdr.len += net->hdr.argus_dsrvl8.len;
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rarp.tcp
Type: application/octet-stream
Size: 108 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20060712/553d92f9/attachment.obj>