Another fine mess you've gotten us in to ollie ...

Peter Van Epp vanepp at sfu.ca
Wed Jul 26 12:10:34 EDT 2006 

	Well, it is certainly instructive comparing the three output streams
from the same tcpdump file (correct however is another matter :-)):
	Starting with a small tcpdump file (attached) with a single tcp stream
(and incidentally the argus -m flag appears to be reversed, it has to be on
argus to get Mac addresses unlike 2.0.6 or the man page) run it through 
argus_bpf/argus, ragator/racluster, and rasort (of the appropriate version)
then feed the two output files to the perl script which now compares all 
three sets of output (2.0.6 ra with 2.0.6 input, 3.0 ra with 2.0.6 input and
3.0 ra with 3.0 input):

%argus_bpf -r udata1.tcp -U 16 -w udata1.2.argus
%argus -r udata1.tcp -U 16 -m -w udata1.3.argus
argus[11287]: 26 Jul 06 08:58:52.821264 started
argus: Time 0.005152 Flows 1         Closed 0         Sends 21        BSends 0        Updates 53       Cache 52      
udata1.tcp
    Total Pkts       53  Rate 10287.267081
%ragator -r udata1.2.argus -w rudata1.2.argus
%rasort -r rudata1.2.argus -w rsudata1.2.argus
%racluster -r udata1.3.argus -w rudata1.3.argus
%rasort3 -r rudata1.3.argus -w rsudata1.3.argus
%ls rsudata*
rsudata1.2.argus        rsudata1.3.argus
%./ra_test.pl rsudata1.2.argus        rsudata1.3.argus

line: 1 fields in error: trans,sabytes,seq,dabytes,dir,
1151432494.224639,1151433420.252853,1,926.028214,926.028214,142.58.160.80,142.55.229.29,tcp,26635,1069,0,0,128,114,2448,1664,882,156,27,26,21.15,14.38,0.03,0.03,0.0000,0.0000,3848370891,q,0:12:3f:98:40:82,0:11:88:5:5d:1d,?>,,,CON,s[4]=":/..",d[4]="K...",64535,65499,1,,,0x8200,0x0200,0x1d64
1151432494.224639,1151433420.252853,1,926.028214,926.028198,142.58.160.80,142.55.229.29,tcp,26635,1069,0,0,128,114,2448,1664,882,156,27,26,21.148,14.375,0.029,0.028,0,0,229.97.122.203, v       ,0:12:3f:98:40:82,0:11:88:5:5d:1d,<?>,,,CON,s[4]=":/..",d[4]="K...",64535,65499,1,,,0x8200,0x0200,0x1d64,0x1d64
1151432494.224639,1151433420.252853,20,926.028214,2.491225,142.58.160.80,142.55.229.29,tcp,26635,1069,0,0,128,114,2448,1664,28744,29509,27,26,21.148,14.375,0.029,0.028,0,0,0.0.0.0, v       ,0:12:3f:98:40:82,0:11:88:5:5d:1d,<?>,,,CON,s[4]=":/..",d[4]="K...",64535,65499,0,,,0x8200,0x0200,0xf299,0xdd18

	we look to have problems on app bytes (2.0.6 to 3.0) and ipid 2.0.6 to
3.0 in this example. 
	On a much longer file (the 7 gig tcp source file) there are a lot more
problems, not least of which is ragator and racluster appear to aggregate 
differently which makes for matching problems. I'll try and pick out a some 
small (and harmless) examples that I can post :-))

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

More information about the argus mailing list