argus-clients-3.0.0.rc.17
Carter Bullard
carter at qosient.com
Wed Jul 12 13:19:52 EDT 2006
Hmmmm, your line numbers for the patches are all off with my version
here,, and all of your suggested fixes are already in the code.
You should be using argus-clients-3.0.0.rc.18
Carter
On Jul 12, 2006, at 12:48 PM, Peter Van Epp wrote:
> We are much closer :-). rc.17 looks to have fixed icmp (and the
> apparant shutdown when it hit icmp in a v2 file). The window stuff
> seems to
> have fallen off though (both unsigned and window multiplier not
> being 0ed).
> There is a patch on the end that fixes these two. I think we want
> to remove
> the tests of the form "|| (vlan->sid > 0)" in the various vlan
> print routines.
> VLAN 0 is legal (if unusual, it is the default VLAN on our switches
> which would
> usually make it an error) and if we have a VLAN tag then any value
> should be
> legal and displayed. I'm not sure that V2 isn't in fact incorrect
> in the one
> below (I'd need to look at the tcpdump output) because nothing
> should be on
> VLAN 0 in our case but if we really have something in there I
> expect it should
> be displayed.
>
> swin 17173 1409286144
> dvlan 0x0000
>
> line: 497 fields in error: swin,dvlan,duser,
> 1151432920.109687,1151432920.313670,1,0.203983,0.203983,64.180.17.158,
> 142.58.211
> .84,tcp,
> 61158,80,0,0,255,255,1032,2409,6,6,40473.96,94478.46,29.41,29.41,0.000
> 0,
> 0.0000,3848370891,q,0:f:1f:3:f5:79,0:11:88:5:5d:1d,->,
> 0.000000,57382.969717,FIN,
> ,d[16]="HTTP/1.1200OK.",17173,0,196371,,,0x00d3,0x0000,0x0e72
> 1151432920.109687,1151432920.313670,1,0.203983,0.203983,64.180.17.158,
> 142.58.211
> .84,tcp,
> 61158,80,0,0,255,255,1032,2409,6,6,40473.961,94478.461,29.414,29.414,0
> ,0
> ,229.97.122.203, v ,0:f:1f:3:f5:79,0:11:88:5:5d:1d,->,,
> 57382.57,FIN,,d[16]
> ="HTTP/1.1 200 OK.",1409286144,0,196371,,,0x00d3,,0x0e72,0x0e72
>
> swin 65535 -67108864
> dvlan 0x0000
>
> line: 498 fields in error: swin,dvlan,duser,
> 1151432920.105273,1151432920.360119,1,0.254846,0.254846,205.250.173.13
> ,142.58.21
> 1.84,tcp,
> 51398,80,0,0,255,255,1190,6239,9,9,37355.89,195851.61,35.32,35.32,0.00
> 0
> 0,0.0000,3848370891,q,0:f:1f:3:f5:79,0:11:88:5:5d:1d,->,
> 0.000000,44076.967869,FI
> N,,d[16]="HTTP/1.1200OK.",65535,0,196370,,,0x00d3,0x0000,0xce8d
> 1151432920.105273,1151432920.360119,1,0.254846,0.254846,205.250.173.13
> ,142.58.21
> 1.84,tcp,
> 51398,80,0,0,255,255,1190,6239,9,9,37355.891,195851.609,35.315,35.315,
> 0
> ,0,229.97.122.203, v ,0:f:1f:3:f5:79,0:11:88:5:5d:1d,->,,
> 44076.59,FIN,,d[1
> 6]="HTTP/1.1 200 OK.",-67108864,0,196370,,,0x00d3,,0xce8d,0xce8d
>
> ICMP port numbers are printing in V3 which they shouldn't be (they
> were
> counts in V2 I think) but may want to in V3 for some other reason.
> The loss
> should be 100% I think since no replies were received but is in
> practice 0
> (no code there to calculate loss I don't think):
>
> sport 8
> dport 0
> dloss 100.0000 0
>
> line: 14 fields in error: dport,dloss,sport,
> 1151432499.169776,1151433399.232974,1,900.063198,900.063198,142.58.215
> .98,142.58
> .103.20,icmp,,,
> 0,0,255,0,514,0,7,0,4.57,0.00,0.01,0.00,0.0000,100.0000,384837089
> 1,q,0:11:43:c1:b3:3f,0:11:88:5:5d:1d,->,,,ECO,s[16]
> ="...S....ABCDEFGH",,,,18864,
> ,,0x80d7,,0xffff
> 1151432499.169776,1151433399.232974,1,900.063198,900.063171,142.58.215
> .98,142.58
> .103.20,icmp,
> 8,0,0,0,255,0,514,0,7,0,4.569,0.000,0.008,0.000,0,0,229.97.122.203,
> v ,0:11:43:c1:b3:3f,0:11:88:5:5d:1d,->,,,ECO,s[16]
> ="...S....ABCDEFGH",,,,
> 18864,,,0x80d7,,0xffff,0xffff
>
> arp looks good (I'll have to try and find one of the rarp
> entries :-)).
>
>
> state INT REQ
>
> line: 41 fields in error: state,dtos,sttl,dir,dttl,stos,
> 1151432453.704173,1151432453.704173,1,0.000000,0.000000,142.58.209.114
> ,142.58.20
> 9.96,arp,,,0,0,0,0,64,0,1,0,0.00,0.00,inf,
> 0.00,0.0000,0.0000,3848370891,q,0:d0:b
> 7:1a:7f:73,ff:ff:ff:ff:ff:ff,who-has,,,INT,s[16]
> =".:.`............",,,,18829,,,0
> x8200,,
> 1151432453.704173,1151432453.704173,1,0.000000,0.000000,142.58.209.114
> ,142.58.20
> 9.96,arp,,,,,,,64,0,1,0,0.000,0.000,0.000,0.000,0,0,229.97.122.203,
> v ,0:d
> 0:b7:1a:7f:73,ff:ff:ff:ff:ff:ff,who,,,REQ,s[16]
> =".:.`............",,,,18829,,,0x
> 8200,,,
>
> Don't know which loss calculation is correct here:
>
> sloss 7.1429 0
> dvlan 0x0000
>
> line: 43 fields in error: sloss,dvlan,duser,
> 1151432453.694309,1151432456.659529,1,2.965220,2.965220,154.20.50.167,
> 142.58.217
> .11,tcp,
> 60785,80,0,0,255,255,2229,1217,14,10,6013.72,3283.40,4.72,3.37,7.1429,
> 0.
> 0000,3848370891,qs,0:50:da:93:0:5f,0:11:88:5:5d:1d,->,
> 0.000000,726745.225435,FIN
> ,,d[16]="HTTP/1.1200OK.",17083,0,18827,,,0x0200,0x0000,0x09a2
> 1151432453.694309,1151432456.659529,1,2.965220,2.965220,154.20.50.167,
> 142.58.217
> .11,tcp,
> 60785,80,0,0,255,255,2229,1217,14,10,6013.719,3283.399,4.721,3.372,0,0
> ,2
> 29.97.122.203, vs ,0:50:da:93:0:5f,0:11:88:5:5d:1d,->,,
> 726745.15,FIN,,d[16]
> ="HTTP/1.1 200 OK.",17083,0,18827,,,0x0200,,0x09a2,0x09a2
>
> Looks like I spoke to soon on icmp, ECR looks incorrect:
>
> sport 8
> dport 0
> sloss 100.0000 0
> state ECR ECO
> dvlan 0x0000
>
> line: 180 fields in error: state,dport,sloss,dvlan,sport,
> 1151432498.469403,1151433416.767165,1,918.297762,918.297762,142.58.211
> .84,206.25
> 1.233.109,icmp,,,
> 0,0,64,0,288,0,3,0,2.51,0.00,0.00,0.00,100.0000,0.0000,38483708
> 91,q,0:f:1f:3:f5:79,0:11:88:5:5d:1d,->,,,ECR,s[16]
> ="..).....l]......",,,,18593,,
> ,0x80d3,,0xffff
> 1151432498.469403,1151433416.767165,1,918.297762,918.297791,142.58.211
> .84,206.25
> 1.233.109,icmp,
> 8,0,0,0,64,0,288,0,3,0,2.509,0.000,0.003,0.000,0,0,229.97.122.203
> , v ,0:f:1f:3:f5:79,0:11:88:5:5d:1d,->,,,ECO,s[16]
> ="..).....l]......",,,,1
> 8593,,,0x80d3,0x0000,0xffff,0xffff
>
> looks like the V2 jitter is incorrect (probably a divide by 0):
>
> sloss 6.9767 0
> dloss 1.9231 0
> sjit nan 283.955196
>
> line: 184 fields in error: dloss,dir,sloss,sjit,
> 1151432453.179297,1151433425.553945,1,972.374648,972.374648,142.58.197
> .151,142.5
> 8.201.38,tcp,
> 139,1225,0,0,255,255,42358,81390,172,208,348.49,669.62,0.18,0.21,6.
> 9767,1.9231,3848370891,q*,0:40:10:16:a8:b6,0:11:88:5:5d:1d,?>,nan,
> 45788955.89735
> 2,CON,s[16]="....#.SMBq......",d[16]="...#.SMBq.......",
> 65358,64249,18588,,,0x82
> 00,0x8200,0xa776
> 1151432453.179297,1151433425.553945,1,972.374648,972.374634,142.58.197
> .151,142.5
> 8.201.38,tcp,
> 139,1225,0,0,255,255,42358,81390,172,208,348.491,669.618,0.177,0.21
> 4,0,0,229.97.122.203, v* ,0:40:10:16:a8:b6,0:11:88:5:5d:1d,<?>,
> 283.955196,4
> 5788955.39,CON,s[16]="....#.SMBq......",d[16]="...#.SMBq.......",
> 65358,64249,185
> 88,,,0x8200,0x8200,0xa776,0xa776
>
> its a little unhappy with an llc frame (although by and large
> correct):
>
> sport 0
> dport 0
> state CON INT
>
> line: 197 fields in error:
> state,dport,dtos,proto,sttl,dttl,sport,stos,
> 1151432453.124692,1151432453.124692,1,0.000000,0.000000,0:e0:63:82:59:
> b,ab:0:0:2
> :0:0,decr,,,0,0,0,0,80,0,1,0,0.00,0.00,inf,
> 0.00,0.0000,0.0000,3848370891,q,0:e0:
> 63:82:59:b,ab:0:0:2:0:0,->,,,CON,s[16]="<..............A",,,,
> 18575,,,0x0286,,
> 1151432453.124692,1151432453.124692,1,0.000000,0.000000,0:e0:63:82:59:
> b,ab:0:0:2
> :
> 0:0,33024,0,0,,,,,80,0,1,0,0.000,0.000,0.000,0.000,0,0,229.97.122.203,
> v
> ,0:e0:63:82:59:b,ab:0:0:2:0:0,->,,,INT,s[16]="<..............A",,,,
> 18575,,,0x028
> 6,,,
>
> and rarp appears to have problems:
>
> %ra -Fra2.conf.full -r rarp2.argus
> StartTime,LastTime,Trans,Dur,AvgDur,SrcAddr,DstAddr,Type,Sport,Dport,S
> rcTOS,DstTOS,SrcTTL,DstTTL,SrcBytes,DstBytes,SrcPkt,DstPkt,Src_bps,Dst
> _bps,Src_pps,Dst_pps,Src_Loss,Dst_Loss,ProbeId,Flgs,SrcMacAddr,DstMacA
> ddr,Dir,SrcJitter,DstJitter,State,srcUdata,dstUdata,SrcWin,DstWin,Seq,
> sMPLS,dMPLS,sVLAN,dVLAN,IpId
> 1152722854.270658,1152722854.271563,,0.000905,0.000905,229.97.122.203,
> 1,man,v2.0,0,0,0,0,0,0,0,0,0,-0.00,-0.00,0.00,0.00,,3848370891,,,,,,,S
> TA,,,,,0,,,,,
> Segmentation fault (core dumped)
> %ra3 -Fra3.conf.full -r rarp2.argus
> StartTime,LastTime,Trans,Dur,AvgDur,SrcAddr,DstAddr,Proto,Sport,Dport,
> sTos,dTos,sTtl,dTtl,SrcBytes,DstBytes,SrcPkts,DstPkts,Src_bps,Dst_bps,
> Src_pps,Dst_pps,SrcLoss,DstLoss,SrcId,Flgs,SrcMac,DstMac,Dir,SrcJitter
> ,DstJitter,State,srcUdata,dstUdata,SrcWin,DstWin,Seq,sMpls,dMpls,sVlan
> ,dVlan,sIpId,dIpId
> 1151432432.069082,1151432432.069082,1,0.000000,0.000000,0.0.0.0,254.32
> .0.8,arp,,,,,,,68,0,1,0,0.000,0.000,0.000,0.000,0,0,229.97.122.203,
> v ,8:0:20:fe:f1:47,ff:ff:ff:ff:ff:ff,who,,,REQ,,,,,1,,,0x0200,,,
> 1152722854.271563,1152722854.274918, ,0.003355,,0,4294967295,man,
> 0,67108930,,,,,4294967295,589823,1,0,0.000,0.000,0.000,0.000,,,0.0.0.0
> , ,,,,,,SHT,,,,,2,,,,,,
> %tcpdump -r rarp.tcp -n
> reading from file rarp.tcp, link-type EN10MB (Ethernet)
> 11:20:32.069082 rarp who-is 08:00:20:fe:f1:47 tell 08:00:20:fe:f1:47
> %
>
> Peter Van Epp / Operations and Technical Support
> Simon Fraser University, Burnaby, B.C. Canada
>
>
> *** common/argus_util.c.orig Wed Jul 12 08:35:52 2006
> --- common/argus_util.c Wed Jul 12 08:41:51 2006
> ***************
> *** 6241,6247 ****
> switch (flow->ip_flow.ip_p) {
> case IPPROTO_TCP: {
> int win = tcp->src.win << tcp->src.winshift;
> ! sprintf (winbuf, "%d", win);
> break;
> }
> default:
> --- 6241,6247 ----
> switch (flow->ip_flow.ip_p) {
> case IPPROTO_TCP: {
> int win = tcp->src.win << tcp->src.winshift;
> ! sprintf (winbuf, "%u", win);
> break;
> }
> default:
> ***************
> *** 6253,6259 ****
> switch (flow->ipv6_flow.ip_p) {
> case IPPROTO_TCP: {
> int win = tcp->src.win << tcp->src.winshift;
> ! sprintf (winbuf, "%d", win);
> break;
> }
> default:
> --- 6253,6259 ----
> switch (flow->ipv6_flow.ip_p) {
> case IPPROTO_TCP: {
> int win = tcp->src.win << tcp->src.winshift;
> ! sprintf (winbuf, "%u", win);
> break;
> }
> default:
> ***************
> *** 6303,6309 ****
> switch (flow->ip_flow.ip_p) {
> case IPPROTO_TCP: {
> int win = tcp->dst.win << tcp->src.winshift;
> ! sprintf (winbuf, "%d", win);
> break;
> }
> default:
> --- 6303,6309 ----
> switch (flow->ip_flow.ip_p) {
> case IPPROTO_TCP: {
> int win = tcp->dst.win << tcp->src.winshift;
> ! sprintf (winbuf, "%u", win);
> break;
> }
> default:
> ***************
> *** 6315,6321 ****
> switch (flow->ipv6_flow.ip_p) {
> case IPPROTO_TCP: {
> int win = tcp->dst.win << tcp->src.winshift;
> ! sprintf (winbuf, "%d", win);
> break;
> }
> default:
> --- 6315,6321 ----
> switch (flow->ipv6_flow.ip_p) {
> case IPPROTO_TCP: {
> int win = tcp->dst.win << tcp->src.winshift;
> ! sprintf (winbuf, "%u", win);
> break;
> }
> default:
> ***************
> *** 12797,12802 ****
> --- 12797,12803 ----
> tcp->src.status = 0; tcp-
> >src.seq = 0;
> tcp->src.ack = 0; tcp-
> >src.winnum = 0;
> tcp->src.winbytes = 0; tcp-
> >src.state = 0;
> + tcp->src.winshift = 0;
> tcp->dst.seqbase = nv2tcp-
> >dst.seqbase;
> tcp->dst.ackbytes = nv2tcp-
> >dst.ackbytes;
> tcp->dst.bytes = nv2tcp-
> >dst.bytes;
> ***************
> *** 12806,12811 ****
> --- 12807,12813 ----
> tcp->dst.status = 0; tcp-
> >dst.seq = 0;
> tcp->dst.ack = 0; tcp-
> >dst.winnum = 0;
> tcp->dst.winbytes = 0; tcp-
> >dst.state = 0;
> + tcp->dst.winshift = 0;
>
> dsr += net->hdr.argus_dsrvl8.len;
> argus->hdr.len += net->hdr.argus_dsrvl8.len;
> <rarp.tcp>
Carter Bullard
CEO/President
QoSient, LLC
150 E. 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20060712/8078e3d8/attachment.html>
More information about the argus
mailing list