argus-clients-3.0.0.rc.20

Carter Bullard carter at qosient.com
Mon Jul 31 14:39:25 EDT 2006


Hey Peter,
    So argus-3.0 is going to deal with ipv6 completely differently from
argus-2.x so we have an interesting issue.   Argus-2.0 reports ipv6
as a L2 flow, with a next protocol header of ipv6.   Argus-3.0 will
report ipv6 as a L3 flow, at a minimum, so if you mix and match,
for converted records you will see proto ipv6, but see ethernet
addresses in the flow identifier, and that will be slightly confusing.

    In your case, because you have VLAN tags, the next hop protocol
in the ethernet flow is 129, which is CLNS.   My version of argus-3.0
clients prints 'clns', yours prints 'well', which is incorrect.
Currently the argus 2.x -> 3.0 converter wants to use the ether header's
next hop protocol as the flow identifier protocol, rather than the
802.1P/Q (VLAN tag) next hop id.   So, what to do?   I'm not sure.

I would like to do what argus-3.0 is doing now, which is downgrade
the flow to CLNS, and because we have no ipv6 identifiers, just
toss any info related to that encapsulation.   Probably not a great idea.

     Need some opinions here.  So if anyone has a comment, chime in.

    I'll try to get argus-3.0 to conform to 2.x when the syn/synack status
is unknown '.?.'

    I have the code to deal with the 'TIM' vs 'CON' flags, but it doesn't
seem to be working?  ....... so if you have a record that is incorrect,
send the argus record so I can debug.

    I need an IGMP record to see what's up with the ipid.

Carter



On Jul 19, 2006, at 11:28 PM, Peter Van Epp wrote:

> 	OK, time to admit defeat :-). The llc protocol conversion still isn't
> correct and I believe I know why, but fixing it eludes me :-). The port number
> fields are also different and I don't know about them yet. On the bright side,
> application bytes appears to work fine (I butchered 2.0.6 to print both for
> comparison) and most other things other than direction and loss are now pretty
> good (igmp looks to have issues though). I still need to figure out how to
> make the 2.0.6 ra not seg fault on rarp packets (which tends to stop accurate
> comparison :-)) and figure out what to do with loss. This now has src dst
> asrc adst byte counts: (91109284,4268909325,4536920,4094057421 here) and
> suppresses blanks in the user data fields (a 2.0.6 bug) to keep the noise down.
>
> line: 1 fields in error: dir,
> 1151432430.047560,1151432970.049026,1,540.001466,540.001466,142.58.202 
> .108,142.5
> 8.206.16,tcp, 
> 1434,524,0,0,127,127,91109284,4268909325,4536920,4094057421,1492622
> , 
> 3014688,1349763.51,63242929.42,2764.11,5582.74,0.0000,0.0007,384837089 
> 1,qd,0:11
> :88:5:5d:1d,0:f:1f:f8:c4:c1,?>,1293.000000,3760.870198,CON,s[16] 
> ="DmdT...$......
> 0.",d[16]="tNcP..0.33pp....",17520,23360,7236,,,0x80ce,0x80ca,0x1921
> 1151432430.047560,1151432970.049026,1,540.001466,540.001465,142.58.202 
> .108,142.5
> 8.206.16,tcp, 
> 1434,524,0,0,127,127,91109284,4268909325,4536920,4094057421,1492622
> , 
> 3014688,1349763.500,63242928.000,2764.107,5582.740,0,0,229.97.122.203, 
>  vd
> ,0:11:88:5:5d:1d,0:f:1f:f8:c4:c1,<?>,1293.000000,3760.85,CON,s[16] 
> ="DmdT...$....
> ..0.",d[16]="tNcP..0.33pp....",17520,23360,7236,,,0x80ce,0x80ca, 
> 0x1921,0x1921
>
> line: 2 fields in error: dir,
> 1151432428.834980,1151432968.849102,1,540.014122,540.014122,142.58.206 
> .16,142.58
> .202.108,tcp, 
> 524,1434,0,0,128,128,4270036130,91141044,4095125356,4541942,3015703
> , 
> 1493083,63258140.20,1350202.38,5584.49,2764.90,0.0007,0.0000,384837089 
> 1,qs,0:f:
> 1f:f8:c4:c1,0:11:88:5:5d:1d,?>,1278.000000,3716.553425,CON,s[16] 
> =".Y....&!..:KLJ
> j(",d[16]="DmdT...1........",21344,17520,8541,,,0x80ce,0x80ca,0xfee9
> 1151432428.834980,1151432968.849102,1,540.014122,540.014099,142.58.206 
> .16,142.58
> .202.108,tcp, 
> 524,1434,0,0,128,128,4270036130,91141044,4095125356,4541942,3015703
> , 
> 1493083,63258144.000,1350202.375,5584.489,2764.896,0,0,229.97.122.203, 
>  vs
> ,0:f:1f:f8:c4:c1,0:11:88:5:5d:1d,<?>,1278.000000,3716.47,CON,s[16] 
> =".Y....&!..:K
> LJj(",d[16]="DmdT...1........",21344,17520,8541,,,0x80ce,0x80ca, 
> 0xfee9,0xfee9
>
> state TIM CON
>
> line: 6 fields in error: state,dir,
> 1151432494.224639,1151433420.252853,1,926.028214,926.028214,142.58.160 
> .80,142.55
> .229.29,tcp, 
> 26635,1069,0,0,128,0,2448,0,882,0,27,0,21.15,0.00,0.03,0.00,0.0000,0
> .0000,3848370891,q,0:12:3f:98:40:82,0:11:88:5:5d:1d,<?>,,,TIM,s[4] 
> =":/A.",,64535
> ,0,18875,,,0x8200,,0x1d64
> 1151432494.224639,1151433420.252853,1,926.028214,926.028198,142.58.160 
> .80,142.55
> .229.29,tcp, 
> 26635,1069,0,0,128,0,2448,0,882,0,27,0,21.148,0.000,0.029,0.000,0,0,
> 229.97.122.203, v       ,0:12:3f:98:40:82,0:11:88:5:5d:1d,?>,,,CON,s 
> [4]=":/A.",,
> 64535,0,18875,,,0x8200,,0x1d64,0x4de7
>
> dloss 66.6667 0
> state TIM ACC
>
> line: 13 fields in error: state,dloss,dir,
> 1151432499.171267,1151432508.137393,1,8.966126,8.966126,142.58.215.98, 
> 142.58.103
> .20,tcp, 
> 4401,139,0,0,255,255,66,198,0,0,1,3,58.89,176.66,0.11,0.33,0.0000,66.6 
> 66
> 7,3848370891,qd,0:11:43:c1:b3:3f,0:11:88:5:5d:1d,<->,,,TIM,,, 
> 0,17316,18866,,,0x0
> 0d7,0x00d7,0x0000
> 1151432499.171267,1151432508.137393,1,8.966126,8.966126,142.58.215.98, 
> 142.58.103
> .20,tcp, 
> 4401,139,0,0,255,255,66,198,0,0,1,3,58.888,176.665,0.112,0.335,0,0,229 
> .9
> 7.122.203, vd      ,0:11:43:c1:b3:3f,0:11:88:5:5d:1d,->,,,ACC,,, 
> 0,17316,18866,,,
> 0x00d7,0x00d7,0x0000,0x0000
>
> dloss 100.0000 0
>
> line: 14 fields in error: dloss,
> 1151432499.169776,1151433399.232974,1,900.063198,900.063198,142.58.215 
> .98,142.58
> .103.20,icmp,,, 
> 0,0,255,0,514,0,248,0,7,0,4.57,0.00,0.01,0.00,0.0000,100.0000,384
> 8370891,q,0:11:43:c1:b3:3f,0:11:88:5:5d:1d,->,,,ECO,s[16] 
> ="...S....ABCDEFGH",,,,
> 18864,,,0x80d7,,0xffff
> 1151432499.169776,1151433399.232974,1,900.063198,900.063171,142.58.215 
> .98,142.58
> .103.20,icmp,,, 
> 0,0,255,0,514,0,248,0,7,0,4.569,0.000,0.008,0.000,0,0,229.97.122.
> 203, v       ,0:11:43:c1:b3:3f,0:11:88:5:5d:1d,->,,,ECO,s[16] 
> ="...S....ABCDEFGH"
> ,,,,18864,,,0x80d7,,0xffff,0x0000
>
> ...
>
> 	(this one incidentally looks legit, it's a VMS host doing decnet
> although as we see the protocol translation is incorrect in V3).
>
> sport 0 *
> dport 0 *
> srate 213333333.33 213333328.000
> state CON INT
>
> line: 198 fields in error: srate,state,dport,proto,sport,
> 1151432453.124682,1151432453.124688,1,0.000006,0.000006,0:e0:63:8d: 
> 49:e9,ab:0:0:
> 2:0:0,decr, 
> 0,0,,,,,160,0,124,0,2,0,213333333.33,0.00,333333.33,0.00,0.0000,0.000
> 0,3848370891,q,0:e0:63:8d:49:e9,ab:0:0:2:0:0,->,,,CON,s[16] 
> ="<..............A",,
> ,,18574,,,0x0286,,
> 1151432453.124682,1151432453.124688,1,0.000006,0.000006,0:e0:63:8d: 
> 49:e9,ab:0:0:
> 2:0:0,well,*,*,,,,, 
> 160,0,124,0,2,0,213333328.000,0.000,333333.312,0.000,0,0,229.
> 97.122.203, v       ,0:e0:63:8d:49:e9,ab:0:0:2:0:0,->,,,INT,s[16] 
> ="<............
> ..A",,,,18574,,,0x0286,,,
>
> ...
>
> 	(more on this one below, but IPV6 is being misclassified in V3)
>
> sport 0 *
> dport 0 *
>
> line: 305 fields in error: dport,proto,sport,
> 1151432920.927378,1151432926.690711,1,5.763333,5.763333,0:d: 
> 93:59:17:0,33:33:ff:
> 59:17:0,ipv6,0,0,,,,,344,0,272,0,4,0,477.50,0.00,0.69,0.00,0.0000,0.00 
> 00,3848370
> 891,q,0:d:93:59:17:0,33:33:ff:59:17:0,->,,,INT,s[16] 
> ="`..............",,,,196643
> ,,,0x0214,,
> 1151432920.927378,1151432926.690711,1,5.763333,5.763333,0:d: 
> 93:59:17:0,33:33:ff:
> 59:17:0,well,*,*,,,,, 
> 344,0,272,0,4,0,477.501,0.000,0.694,0.000,0,0,229.97.122.20
> 3, v       ,0:d:93:59:17:0,33:33:ff:59:17:0,->,,,INT,s[16] 
> ="`.... ..........",,,
> ,196643,,,0x0214,,,
>
> ...
>
> 	and more than 12,000 records down before our first igmp problem :-)
> so we are getting much closer! Ports are probably a 2.0.6 bug, but the IPID
> in V3 looks incorrect too.
>
> sport 22
> dport 0
> state CON INT
>
> line: 12585 fields in error: state,dport,sipid,sport,
> 1151432468.712006,1151433486.183373,1,1017.471367,1017.471367,142.58.6 
> 5.202,224.
> 0.0.9,igmp, 
> 22,0,0,0,1,0,1100,0,176,0,22,0,8.65,0.00,0.02,0.00,0.0000,0.0000,3848
> 370891,q,0:60:1d:f1:42:a,1:0:5e:0:0:9,->,,,CON,s[16] 
> ="................",,,,24284
> ,,,0x0286,,0x5266
> 1151432468.712006,1151433486.183373,1,1017.471367,1017.471375,142.58.6 
> 5.202,224.
> 0.0.9,igmp,,, 
> 0,0,1,0,1100,0,176,0,22,0,8.649,0.000,0.022,0.000,0,0,229.97.122.20
> 3, v       ,0:60:1d:f1:42:a,1:0:5e:0:0:9,->,,,INT,s[16] 
> ="................",,,,24
> 284,,,0x0286,,0x6652,0x9ae0
>
> 	Now for the protocol translation problem (I'll attach v6.argus because
> it's harmless Mac router solicitations):
>
> ./ra_test.pl v6.argus
> sport 0 *
> dport 0 *
>
> line: 1 fields in error: dport,proto,sport,
> 1151432430.851467,1151432483.530842,1,52.679375,52.679375,0:11:24:a6:a 
> :8e, 
> 33:33:0:0:0:2,ipv6,0,0,,,,,296,0,224,0,4,0,44.95,0.00,0.08,0.00,0.0000 
> ,0.0000,3848370891,q,0:11:24:a6:a:8e,33:33:0:0:0:2,->,,,INT,,,,, 
> 1,,,0x0286,,
> 1151432430.851467,1151432483.530842,1,52.679375,52.679375,0:11:24:a6:a 
> :8e,33:33:0:0:0:2,well,*,*,,,,, 
> 296,0,224,0,4,0,44.951,0.000,0.076,0.000,0,0,229.97.122.203,  
> v       ,0:11:24:a6:a:8e,33:33:0:0:0:2,->,,,INT,,,,,1,,,0x0286,,,
>
> sport 0 *
> dport 0 *
>
> line: 2 fields in error: dport,proto,sport,
> 1151432430.363967,1151432480.138400,1,49.774433,49.774433,0:d: 
> 93:45:95:de, 
> 33:33:0:0:0:2,ipv6,0,0,,,,,740,0,560,0,10,0,118.94,0.00,0.20,0.00,0.00 
> 00,0.0000,3848370891,q,0:d:93:45:95:de,33:33:0:0:0:2,->,,,INT,,,,, 
> 2,,,0x0214,,
> 1151432430.363967,1151432480.138400,1,49.774433,49.774433,0:d: 
> 93:45:95:de,33:33:0:0:0:2,well,*,*,,,,, 
> 740,0,560,0,10,0,118.937,0.000,0.201,0.000,0,0,229.97.122.203,  
> v       ,0:d:93:45:95:de,33:33:0:0:0:2,->,,,INT,,,,,2,,,0x0214,,,
>
>
>
>
>
> The problem looks to be here in argus_util.c:
>
> ***************
> *** 13296,13302 ****
>
>                           bcopy ((char *)&mac2- 
> >phys_union.ether.ethersrc,(char *)&mac- 
> >mac_union.ether.ehdr.ether_shost, 6);
>                           bcopy ((char *)&mac2- 
> >phys_union.ether.etherdst,(char *)&mac- 
> >mac_union.ether.ehdr.ether_dhost, 6);
> !                         mac->mac_union.ether.ehdr.ether_type =  
> ntohs(mac2->status & 0xFFFF);
>
>                           dsr += mac->hdr.argus_dsrvl8.len;
>                           argus->hdr.len += mac->hdr.argus_dsrvl8.len;
> --- 13296,13302 ----
>
>                           bcopy ((char *)&mac2- 
> >phys_union.ether.ethersrc,(char *)&mac- 
> >mac_union.ether.ehdr.ether_shost, 6);
>                           bcopy ((char *)&mac2- 
> >phys_union.ether.etherdst,(char *)&mac- 
> >mac_union.ether.ehdr.ether_dhost, 6);
> !                         mac->mac_union.ether.ehdr.ether_type =  
> argus2->ahdr.status & 0xFFFF;
>
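
Review bot: On the `!` line, the replacement drops `ntohs()` at the same time as it changes the source from `mac2->status` to `argus2->ahdr.status`, so two things change at once and the stored `ether_type` is no longer byte-order converted here. Please confirm whether `argus2->ahdr.status` is already in host order at this point and record that in a comment; if it is not, keep the conversion. Also, this assignment only writes `mac->mac_union.ether.ehdr.ether_type`, while the gdb session below shows `ArgusPrintProto` reading `flow->mac_flow.ehdr.ether_type` (33024 there, 34525 in the mac DSR), so the flow DSR would need the same correction before the printed protocol changes.
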
>   i.e. argus2->ahdr.status & 0xFFFF contains the correct ethertype in the
> case of (for instance) IPV6 of 34525, but by the time we make ArgusPrintProto
> while it is correct in one header it is still the incorrect 33024 in the
> header we are going to print from (and I don't know if the change above would
> break something else):
>
> Breakpoint 2, ArgusPrintProto (parser=0x81ce000, buf=0x80aba3c "",
>     argus=0x81ce0d0) at ./argus_util.c:2488
> 2488       bzero (protoStrBuf, 16);
> (gdb) s
> 2490       if (argus->hdr.type & ARGUS_MAR) {
> (gdb)
> 2495          if (((flow = &argus->canon.flow) != NULL)) {
> (gdb)
> 2496             switch (flow->hdr.subtype & 0x3F) {
> (gdb)
> 2498                   struct ArgusNetworkStruct *net = (struct ArgusNetworkStruct *)argus->dsrs[ARGUS_NETWORK_INDEX];
> (gdb)
> 2500                   if (net && (net->hdr.subtype == ARGUS_RTP_FLOW))
> (gdb)
> 2503                   if (net && (net->hdr.subtype == ARGUS_RTCP_FLOW))
> (gdb)
> 2506                      switch ((flow->hdr.argus_dsrvl8.qual & 0x7F)) {
> (gdb)
> 2539                            eproto = flow->mac_flow.ehdr.ether_type;
> (gdb)
> 2540                            protoStr = protoStrBuf;
> (gdb) print eproto
> $2 = 33024
> (gdb) print *argus
> $3 = {qhdr = {nxt = 0x0, prv = 0x0, queue = 0x0, lasttime = {tv_sec  
> = 0,
>       tv_usec = 0}, logtime = {tv_sec = 0, tv_usec = 0}}, status = 0,
>   dsrindex = 8287, trans = 0, timeout = 0, idle = 0, bins = 0x0,
>   htblhdr = 0x0, nsq = 0x0, hdr = {type = 20 '\024', cause = 32 ' ',
>     len = 34}, dsrs = {0x81ce188, 0x81ce15c, 0x81ce194, 0x81ce1cc,  
> 0x81ce278,
>     0x0, 0x81ce340, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x81ce32c, 0x0,  
> 0x0, 0x0,
>     0x0}, canon = {hdr = {type = 20 '\024', cause = 32 ' ', len =  
> 34}, flow = {
>       hdr = {type = 2 '\002', subtype = 1 '\001', dsr_un = {fl = {
>             data = 1283}, vl8 = {qual = 3 '\003', len = 5 '\005'},  
> vl16 = {
>             len = 1283}}}, flow_un = {ipv6 = {ip_src = {13107,  
> 285213184,
>             2383062564, 33024}, ip_dst = {0, 0, 0, 0}, flow = 0,  
> blank = 0,
>           ip_p = 0, sport = 0, dport = 0}, ip = {ip_src = 13107,
>           ip_dst = 285213184, ip_p = 36 '$', tp_p = 166 '&', sport  
> = 36362,
>           dport = 33024, pad = 0}, mac = {ehdr = {
>             ether_dhost = "33\000\000\000\002",
>             ether_shost = "\000\021$&\n\216", ether_type = 33024},
>           dsap = 0 '\0', ssap = 0 '\0'}, icmpv6 = {ip_src = {13107,  
> 285213184,
>             2383062564, 33024}, ip_dst = {0, 0, 0, 0}, flow = 0,  
> blank = 0,
>           ip_p = 0, type = 0 '\0', code = 0 '\0', id = 0}, icmp = {
>           ip_src = 13107, ip_dst = 285213184, ip_p = 36 '$', tp_p =  
> 166 '&',
>           type = 10 '\n', code = 142 '\216', id = 33024, ip_id =  
> 0}, igmpv6 = {
>           ip_src = {13107, 285213184, 2383062564, 33024}, ip_dst =  
> {0, 0, 0,
>             0}, flow = 0, blank = 0, ip_p = 0, type = 0 '\0', code  
> = 0 '\0',
>           pad = 0}, igmp = {ip_src = 13107, ip_dst = 285213184,  
> ip_p = 36 '$',
>           tp_p = 166 '&', type = 10 '\n', code = 142 '\216', pad =  
> 33024,
>           ip_id = 0}, espv6 = {ip_src = {13107, 285213184,  
> 2383062564, 33024},
>           ip_dst = {0, 0, 0, 0}, flow = 0, blank = 0, ip_p = 0, spi  
> = 0},
>         esp = {ip_src = 13107, ip_dst = 285213184, ip_p = 36 '$',
>           tp_p = 166 '&', pad = 36362, spi = 33024}, arp = {arp_spa  
> = 13107,
>           arp_tpa = 285213184, etheraddr = "$&\n\216\000\201", pad  
> = 0},
>         rarp = {arp_tpa = 13107, srceaddr = "\000\002\000\021$&",
>           tareaddr = "\n\216\000\201\000"}, frag = {ip_src = 13107,
>           ip_dst = 285213184, ip_p = 36 '$', tp_p = 166 '&', pad =  
> {36362,
>             33024}, ip_id = 0}}}, trans = {hdr = {type = 1 '\001',
>         subtype = 2 '\002', dsr_un = {fl = {data = 769}, vl8 = {
>             qual = 1 '\001', len = 3 '\003'}, vl16 = {len = 769}}},  
> srcid = {
>         value = 3848370891}, seqnum = 1}, time = {hdr = {type = 3  
> '\003',
>         subtype = 2 '\002', dsr_un = {fl = {data = 1304}, vl8 = {
>             qual = 24 '\030', len = 5 '\005'}, vl16 = {len =  
> 1304}}}, src = {
>         start = {tv_sec = 1151432430, tv_usec = 851467}, end = {
>           tv_sec = 1151432483, tv_usec = 530842}}, dst = {start =  
> {tv_sec = 0,
>           tv_usec = 0}, end = {tv_sec = 0, tv_usec = 0}}}, attr =  
> {hdr = {
>         type = 0 '\0', subtype = 0 '\0', dsr_un = {fl = {data = 0},  
> vl8 = {
>             qual = 0 '\0', len = 0 '\0'}, vl16 = {len = 0}}}, src = {
>         ttl = 0 '\0', tos = 0 '\0', ip_id = 0, options = 0}, dst = {
>         ttl = 0 '\0', tos = 0 '\0', ip_id = 0, options = 0}},  
> metric = {hdr = {
>         type = 16 '\020', subtype = 4 '\004', dsr_un = {fl = {data  
> = 3332},
>           vl8 = {qual = 4 '\004', len = 13 '\r'}, vl16 = {len =  
> 3332}}},
>       src = {pkts = 4, bytes = 296, appbytes = 224}, dst = {pkts = 0,
>         bytes = 0, appbytes = 0}}, net = {hdr = {type = 0 '\0',
>         subtype = 0 '\0', dsr_un = {fl = {data = 0}, vl8 = {qual =  
> 0 '\0',
>             len = 0 '\0'}, vl16 = {len = 0}}}, net_union = {tcp =  
> {status = 0,
>           state = 0, options = 0, synAckuSecs = 0, ackDatauSecs =  
> 0, src = {
>             lasttime = {tv_sec = 0, tv_usec = 0}, status = 0,  
> seqbase = 0,
>             seq = 0, ack = 0, winnum = 0, bytes = 0, retrans = 0,
>             ackbytes = 0, state = 0, win = 0, winbytes = 0, flags =  
> 0 '\0',
>             winshift = 0 '\0'}, dst = {lasttime = {tv_sec = 0,  
> tv_usec = 0},
>             status = 0, seqbase = 0, seq = 0, ack = 0, winnum = 0,  
> bytes = 0,
>             retrans = 0, ackbytes = 0, state = 0, win = 0, winbytes  
> = 0,
>             flags = 0 '\0', winshift = 0 '\0'}}, icmp = {icmp_type  
> = 0 '\0',
>           icmp_code = 0 '\0', iseq = 0, osrcaddr = 0, odstaddr = 0,
>           isrcaddr = 0, idstaddr = 0, igwaddr = 0}, icmpv6 = {
>           icmp_type = 0 '\0', icmp_code = 0 '\0', cksum = 0}, rtp = {
>           state = 0, src = {rh_cc = 0 '\0', rh_x = 0 '\0', rh_p = 0  
> '\0',
>             rh_ver = 0 '\0', rh_pt = 0 '\0', rh_mark = 0 '\0',  
> rh_seq = 0,
>             rh_time = 0, rh_ssrc = 0}, dst = {rh_cc = 0 '\0', rh_x  
> = 0 '\0',
>             rh_p = 0 '\0', rh_ver = 0 '\0', rh_pt = 0 '\0', rh_mark  
> = 0 '\0',
>             rh_seq = 0, rh_time = 0, rh_ssrc = 0}, sdrop = 0, ddrop  
> = 0,
>           ssdev = 0, dsdev = 0}, rtcp = {src = {rh_rc = 0 '\0',  
> rh_p = 0 '\0',
>             rh_ver = 0 '\0', rh_pt = 0 '\0', rh_len = 0, rh_ssrc =  
> 0}, dst = {
>             rh_rc = 0 '\0', rh_p = 0 '\0', rh_ver = 0 '\0', rh_pt =  
> 0 '\0',
>             rh_len = 0, rh_ssrc = 0}, src_pkt_drop = 0,  
> dst_pkt_drop = 0},
>         igmp = {igmp_type = 0 '\0', igmp_code = 0 '\0', igmp_group  
> = 0,
>           jdelay = {tv_sec = 0, tv_usec = 0}, ldelay = {tv_sec = 0,
>             tv_usec = 0}}, dhcp = {respaddr = 0}, esp = {status =  
> 0, spi = 0,
>           lastseq = 0, lostseq = 0}, arp = {respaddr = "\000\000\000 
> \000\000",
>           pad = 0}, ah = {src_spi = 0, dst_spi = 0, src_replay = 0,
>           dst_replay = 0}, frag = {fragnum = 0, frag_id = 0, totlen  
> = 0,
>           currlen = 0, maxfraglen = 0, pad = 0}}}, agr = {hdr = {
>         type = 96 '`', subtype = 1 '\001', dsr_un = {fl = {data =  
> 6145},
>           vl8 = {qual = 1 '\001', len = 24 '\030'}, vl16 = {len =  
> 6145}}},
>       count = 1, laststartime = {tv_sec = 0, tv_usec = 0}, lasttime  
> = {
>         tv_sec = 0, tv_usec = 0}, act = {n = 1, minval =  
> 52.679374694824219,
>         meanval = 52.679374694824219, stdev = 0, maxval =  
> 52.679374694824219},
>       idle = {n = 0, minval = 0, meanval = 0, stdev = 0, maxval = 0}},
>     jitter = {hdr = {type = 0 '\0', subtype = 0 '\0', dsr_un = {fl = {
>             data = 0}, vl8 = {qual = 0 '\0', len = 0 '\0'}, vl16 = {
>             len = 0}}}, act = {src = {n = 0, minval = 0, meanval = 0,
>           stdev = 0, maxval = 0}, dst = {n = 0, minval = 0, meanval  
> = 0,
>           stdev = 0, maxval = 0}}, idle = {src = {n = 0, minval = 0,
>           meanval = 0, stdev = 0, maxval = 0}, dst = {n = 0, minval  
> = 0,
>           meanval = 0, stdev = 0, maxval = 0}}}, mac = {hdr = {type  
> = 66 'B',
>         subtype = 0 '\0', dsr_un = {fl = {data = 1280}, vl8 = {qual  
> = 0 '\0',
>             len = 5 '\005'}, vl16 = {len = 1280}}}, mac_union =  
> {ether = {
>           ehdr = {ether_dhost = "33\000\000\000\002",
>             ether_shost = "\000\021$&\n\216", ether_type = 34525},
>           dsap = 0 '\0', ssap = 0 '\0'}}}, vlan = {hdr = {type = 64  
> '@',
>         subtype = 0 '\0', dsr_un = {fl = {data = 513}, vl8 = {qual  
> = 1 '\001',
>             len = 2 '\002'}, vl16 = {len = 513}}}, sid = 646, did =  
> 0},
>     mpls = {hdr = {type = 0 '\0', subtype = 0 '\0', dsr_un = {fl =  
> {data = 0},
>           vl8 = {qual = 0 '\0', len = 0 '\0'}, vl16 = {len = 0}}},  
> slabel = 0,
>       dlabel = 0}, icmp = {hdr = {type = 0 '\0', subtype = 0 '\0',  
> dsr_un = {
>           fl = {data = 0}, vl8 = {qual = 0 '\0', len = 0 '\0'},  
> vl16 = {
>             len = 0}}}, icmp_type = 0 '\0', icmp_code = 0 '\0',  
> iseq = 0,
>       osrcaddr = 0, odstaddr = 0, isrcaddr = 0, idstaddr = 0,  
> igwaddr = 0},
>     svc = {hdr = {type = 0 '\0', subtype = 0 '\0', dsr_un = {fl =  
> {data = 0},
>           vl8 = {qual = 0 '\0', len = 0 '\0'}, vl16 = {len = 0}}},
>       name = '\0' <repeats 15 times>}, data = {hdr = {type = 0 '\0',
>         subtype = 0 '\0', dsr_un = {fl = {data = 0}, vl8 = {qual =  
> 0 '\0',
>             len = 0 '\0'}, vl16 = {len = 0}}}, size = 0, count = 0,
>       array = "\000\000\000\000\000\000\000"}}, srate = 44.9511795,  
> drate = 0,
>   sload = 0.0759310424, dload = 0, dur = 52.6793747, avgdur = 0}
> (gdb)
>
> Peter Van Epp / Operations and Technical Support
> Simon Fraser University, Burnaby, B.C. Canada
> <v6.argus>
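
The two values both messages turn on are the type field directly after the MAC addresses (33024, 0x8100, the 802.1Q tag) and the type encapsulated behind the tag (34525, 0x86DD, IPv6). The following is an added C example, not argus code, that reads both from a frame header with bounds checks. `parse_l2`, `struct l2_info` and the frame bytes are constructed for illustration, using the MAC addresses and VLAN id 646 from the v6.argus record above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ETHERTYPE_8021Q  0x8100  /* 33024: the value found in the flow DSR */
#define ETHERTYPE_8021AD 0x88A8  /* outer tag of a stacked (QinQ) frame */
#define ETHERTYPE_IPV6   0x86DD  /* 34525: the value found in the mac DSR */

struct l2_info {                 /* hypothetical result type for this example */
    uint16_t outer_type;         /* type field straight after the MAC addresses */
    uint16_t inner_type;         /* type once all VLAN tags are skipped */
    uint16_t vlan_id;            /* VID of the outermost tag, 0 if untagged */
    int      tags;               /* number of VLAN tags skipped */
};

/* Read a big-endian (network order) 16-bit value without alignment assumptions. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns 0 on success, -1 if the frame is too short for the headers it claims. */
int parse_l2(const uint8_t *frame, size_t len, struct l2_info *out)
{
    size_t off = 12;                       /* skip dst MAC + src MAC */
    if (len < off + 2) return -1;
    out->outer_type = out->inner_type = rd16(frame + off);
    out->vlan_id = 0;
    out->tags = 0;
    while (out->inner_type == ETHERTYPE_8021Q ||
           out->inner_type == ETHERTYPE_8021AD) {
        if (len < off + 6) return -1;      /* TPID(2) + TCI(2) + next type(2) */
        if (out->tags == 0)
            out->vlan_id = rd16(frame + off + 2) & 0x0FFF;
        out->tags++;
        off += 4;                          /* step over TPID + TCI */
        out->inner_type = rd16(frame + off);
    }
    return 0;
}

/* Constructed frame header (no payload), values borrowed from the record above. */
static const uint8_t sample_frame[] = {
    0x33, 0x33, 0x00, 0x00, 0x00, 0x02,    /* dst 33:33:0:0:0:2 */
    0x00, 0x11, 0x24, 0xa6, 0x0a, 0x8e,    /* src 0:11:24:a6:a:8e */
    0x81, 0x00, 0x02, 0x86,                /* 802.1Q TPID, TCI with VID 646 */
    0x86, 0xdd                             /* encapsulated type: IPv6 */
};

int main(void)
{
    struct l2_info li;
    if (parse_l2(sample_frame, sizeof sample_frame, &li) != 0) return 1;
    printf("outer=%u inner=%u vlan=%u tags=%d\n", (unsigned)li.outer_type,
           (unsigned)li.inner_type, (unsigned)li.vlan_id, li.tags);
    return 0;
}
```
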



