argus-clients-3.0.0.rc.20

Carter Bullard carter at qosient.com
Mon Jul 31 15:47:32 EDT 2006


Well,
    Scrambled igmp ipid looks like a little endian problem (nibbles  
swapped), so
I'll look into that, and I'll fix the dst ipid printout.

Carter


On Jul 31, 2006, at 3:04 PM, Peter Van Epp wrote:

> On Mon, Jul 31, 2006 at 02:39:25PM -0400, Carter Bullard wrote:
>> Hey Peter,
>>    So argus-3.0 is going to deal with ipv6 completely different from
>> argus-2.x so we have an interesting issue.   Argus-2.0 reports ipv6
>> as a L2 flow, with a next protocol header of ipv6.   Argus-3.0 will
>> report ipv6 as a L3 flow, at a minimum, so if you mix and match,
>> for converted records you will see proto ipv6, but see ethernet
>> addresses in the flow identifier, and that will be slightly  
>> confusing.
>
> 	If thats all we've got and it is consistsnt with what 2.0.6 would
> output then I'd say thats good enough (people with real V6 may  
> disagree and
> should have the say though :-)).
>
>>
>>    In your case, because you have VLAN tags, the next hop protocol
>> in the ethernet flow is 129, which is CLNS.   My version of argus-3.0
>> clients, prints 'clns', yours prints 'well', which is incorrect.
>> Currently the
>> argus  2.x -> 3.0 converter wants to use the ether headers next
>> hop protocol as the flow identifier protocol, rather than the  
>> 802.1P/Q
>> (VLAN tag) next hop id.      So, what to do?   I'm not sure.
>
> 	The last patch I posted fixes at least some of this. V3 now reports
> the protocol as v6 rather than well (which was a bogus ip_id field  
> in many
> of the records which may or may not be important) and therefore  
> matches what
> 2.0.6 says on the same data which is I think the correct answer.
>
>>
>> I would like to do what argus-3.0 is doing now, which is downgrade
>> the flow to CLNS, and because we have no ipv6 identifiers, just
>> toss any info related to that encapsulation.   Probably not a great
>> idea.
>>
>>     Need some opinions here.  So if anyone has a comment, chime in.
>>
>>    I'll try to get argus-3.0 to conform to 2.x when the syn/synack
>> status
>> is unknown '.?.'
>>
>>    I have the code to deal with the 'TIM' vs 'CON' flags, but it
>> doesn't seem
>> to be working?  ....... so if you have a record that is incorrect,
>> send the
>> argus record so I can debug.
>>
>>    I need an IGMP record to see what's up with the ipid.
>>
>> Carter
>>
>
> 	I have a fix which fixes most of those that works most of the time
> It splits setting the source and dest indicators baased on whether  
> there are
> source or dest packets or not (they are currently both set at the  
> top of the
> routine without regard to whether there are packets or not). It  
> still gets
> screwed up under some conditions but I now think that is lack of  
> initialization
> because it seems to depend on packets coming before. In an isolated  
> stream
> the failing packets display correctly. I'm still (slowly) poking at  
> that.
> I think that is likely to fix the igmp issue too (it shouldn't have  
> a dest IP
> id because it doesn't have any dest packets) however a quick test  
> indicates
> thats still an issue too:
>
> 1151432429.128613,1151432860.570569,1,431.441956,431.441956,142.58.60. 
> 61,239.255.255.253,igmp, 
> 22,0,0,0,1,0,100,0,16,0,2,0,1.85,0.00,0.00,0.00,0.0000,0.0000,38483708 
> 91,q,0:11:24:97:47:52,1:0:5e:7f:ff:fd,->,,,CON,s[8]="........",,,, 
> 8857,,,0x0280,,0xd21c
> 1151432429.128613,1151432860.570569,1,431.441956,431.441956,142.58.60. 
> 61,239.255.255.253,igmp,,, 
> 0,255,1,255,100,0,16,0,2,0,1.854,0.000,0.005,0.000,0,0,229.97.122.203, 
>  v       ,0:11:24:97:47:52,1:0:5e:7f:ff:fd,->,,,INT,s[8] 
> ="........",,,,8857,,,0x0280,,0x1cd2,0x0000
>
>
> Peter Van Epp / Operations and Technical Support
> Simon Fraser University, Burnaby, B.C. Canada
>

Carter Bullard
CEO/President
QoSient, LLC
150 E. 57th Street Suite 12D
New York, New York 10022

+1 212 588-9133 Phone
+1 212 588-9134 Fax


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20060731/d61e1865/attachment.html>


More information about the argus mailing list