argus-clients-3.0.0.rc.20
Peter Van Epp
vanepp at sfu.ca
Mon Jul 31 20:28:02 EDT 2006
On Mon, Jul 31, 2006 at 07:16:49PM -0400, Carter Bullard wrote:
> Hey Peter,
> OK, some of these suggested patches are not really applicable, so pardon
> if I did not apply them all. The ArgusConvertRecord bzero() does not seem
> appropriate, and it's expensive, so I didn't do that, but I did put in a
> bzero() in ArgusGenerateRecordStruct(), which seems to be more directed at
> your hunch that there may be data values lingering from record to record.
>
> I fixed the little endian problems with ip_id and printing out the values
> after 2.x -> 3.0 conversion.
>
> These changes should be up late tonight.
>
> Carter
>
OK, but the lack of a clear does seem to be the problem there:
(gdb) l ArgusConvertRecord
12904 unsigned char *ArgusConvertRecord (struct ArgusInput *, char *);
12905
12906
12907 unsigned char *
12908 ArgusConvertRecord (struct ArgusInput *input, char *ptr)
12909 {
12910 if (input->ArgusConvBuffer == NULL)
12911 if ((input->ArgusConvBuffer = (u_char *)ArgusCalloc (1, MAXARGUSRECORD)) == NULL)
12912 ArgusLog (LOG_ERR, "ArgusCalloc error %s", strerror(errno));
12913
(gdb) b 12910
Breakpoint 1 at 0x8077bee: file ./argus_util.c, line 12910.
(gdb) r -Fra3.conf.full -rbadtcp2.argus
Starting program: /usr/local/bin/ra3 -Fra3.conf.full -rbadtcp2.argus
warning: Unable to get location for thread creation breakpoint: generic error
[New LWP 100085]
[New Thread 0x81c7000 (LWP 100085)]
[Switching to Thread 0x81c7000 (LWP 100085)]
(the first time it calls calloc and all is well)
Breakpoint 1, ArgusConvertRecord (input=0x8212000, ptr=0xbfbfeb30 "\200\001")
at ./argus_util.c:12910
12910 if (input->ArgusConvBuffer == NULL)
(gdb) s
12911 if ((input->ArgusConvBuffer = (u_char *)ArgusCalloc (1, MAXARGUSRECORD)) == NULL)
(gdb)
(the second time it's still happy because the first was a man record)
(gdb) c
Continuing.
Breakpoint 1, ArgusConvertRecord (input=0x8212000,
ptr=0x8224000 "\001\004\001 ") at ./argus_util.c:12910
12910 if (input->ArgusConvBuffer == NULL)
(gdb) s
12914 switch (input->mode) {
(gdb) print *input->ArgusConvBuffer
$4 = 0 '\0'
(gdb) x/40xb input->ArgusConvBuffer
0x8214000: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x8214008: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x8214010: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x8214018: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x8214020: 0x00 0x00 0x00 0x00 0x
(but by the third time we still have the last record in the buffer, and
any values we don't overwrite will be from the previous record, such as the
dest packets count (which this packet doesn't have, so we don't rewrite it), which
will cause invalid fields to be printed.)
(gdb) c
Continuing.
StartTime,LastTime,Trans,Dur,AvgDur,SrcAddr,DstAddr,Proto,Sport,Dport,sTos,dTos,sTtl,dTtl,SrcBytes,DstBytes,SAppBytes,DAppBytes,SrcPkts,DstPkts,Src_bps,Dst_bps,Src_pps,Dst_pps,SrcLoss,DstLoss,SrcId,Flgs,SrcMac,DstMac,Dir,SrcJitter,DstJitter,State,srcUdata,dstUdata,SrcWin,DstWin,Seq,sMpls,dMpls,sVlan,dVlan,sIpId,dIpId
1151432428.834986,1151433529.662031,1,1100.827045,1100.827026,142.58.250.27,142.58.249.237,udp,2049,800,0,0,64,64,4521068,3178714,2499724,2259220,20760,19989,32855.793,23100.553,18.859,18.158,0,0,229.97.122.203, v ,0:2:b3:d8:98:6e,0:11:88:5:5d:1d,<->,,,CON,s[16]="fx..............",d[16]="gx..............",,,14,,,0x8200,0x8200,0x0000,0x0000
Breakpoint 1, ArgusConvertRecord (input=0x8212000,
ptr=0x8224120 "\001\004\001\204") at ./argus_util.c:12910
12910 if (input->ArgusConvBuffer == NULL)
(gdb) print input->ArgusConvBuffer
$10 = (unsigned char *) 0x8214000 "\024 U"
(gdb) x/400xb input->ArgusConvBuffer
0x8214000: 0x14 0x20 0x55 0x00 0x01 0x02 0x01 0x03
0x8214008: 0xcb 0x7a 0x61 0xe5 0x0e 0x00 0x00 0x00
0x8214010: 0x02 0x01 0x01 0x05 0x1b 0xfa 0x3a 0x8e
0x8214018: 0xed 0xf9 0x3a 0x8e 0x11 0x00 0x01 0x08
0x8214020: 0x20 0x03 0x00 0x00 0x03 0x02 0x18 0x05
0x8214028: 0xec 0x76 0xa1 0x44 0xaa 0xbd 0x0c 0x00
0x8214030: 0x39 0x7b 0xa1 0x44 0x0f 0x1a 0x0a 0x00
0x8214038: 0x10 0x04 0x04 0x0d 0x18 0x51 0x00 0x00
0x8214040: 0x00 0x00 0x00 0x00 0x6c 0xfc 0x44 0x00
0x8214048: 0x00 0x00 0x00 0x00 0x8c 0x24 0x26 0x00
0x8214050: 0x00 0x00 0x00 0x00 0x15 0x4e 0x00 0x00
0x8214058: 0x00 0x00 0x00 0x00 0xda 0x80 0x30 0x00
0x8214060: 0x00 0x00 0x00 0x00 0x14 0x79 0x22 0x00
0x8214068: 0x00 0x00 0x00 0x00 0x48 0x00 0x0f 0x05
0x8214070: 0x40 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x8214078: 0x40 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x8214080: 0x42 0x00 0x00 0x05 0x00 0x11 0x88 0x05
0x8214088: 0x5d 0x1d 0x00 0x02 0xb3 0xd8 0x98 0x6e
0x8214090: 0x81 0x00 0x00 0x00 0x40 0x00 0x03 0x02
0x8214098: 0x00 0x82 0x00 0x82 0x50 0x90 0x17 0x00
0x82140a0: 0x54 0x00 0x54 0x00 0x66 0x78 0xd2 0x9d
0x82140a8: 0x00 0x00 0x00 0x01 0x00 0x00 0x00 0x00
0x82140b0: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
I'll attach the two test files: badtcp.argus has only the one record
in it and does correctly on either version; badtcp2.argus has the record before
it and will print incorrectly on ra3 (compared to badtcp.argus) because the
dest values from the previous record are still there and not removed.
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
-------------- next part --------------
A non-text attachment was scrubbed...
Name: badtcp.argus
Type: application/octet-stream
Size: 904 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20060731/e8e5b4ad/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: badtcp2.argus
Type: application/octet-stream
Size: 1480 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20060731/e8e5b4ad/attachment-0001.obj>
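The stale-buffer effect described in the post, as an added C sketch that is not argus code: a conversion buffer allocated once with calloc and reused for every record, so a record that carries no destination side is reported with the previous record's DstPkts unless the buffer is zeroed before each conversion. The names (struct input, convert_record, HAS_DST) and the unidirectional record are constructed for the illustration; the 20760/19989 counts are taken from the udp record printed above.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HAS_DST 0x1   /* constructed flag: the record carries a destination side */

/* Constructed input record, standing in for a uni- or bidirectional flow record. */
struct in_rec { uint32_t src_pkts; uint32_t dst_pkts; unsigned flags; };
/* Constructed converted record that the printing code would read. */
struct out_rec { uint32_t src_pkts; uint32_t dst_pkts; };
/* Stand-in for struct ArgusInput: one conversion buffer that persists across records. */
struct input { unsigned char *conv_buf; };

/* Convert one record into the persistent buffer. With clear == 0 this mirrors the
 * behaviour seen in the gdb session: the buffer is calloc'ed once, so only the first
 * record starts from zeroes. With clear != 0 the buffer is zeroed before every record. */
static struct out_rec *convert_record(struct input *in, const struct in_rec *rec, int clear)
{
    if (in->conv_buf == NULL &&
        (in->conv_buf = calloc(1, sizeof(struct out_rec))) == NULL)
        abort();
    if (clear)
        memset(in->conv_buf, 0, sizeof(struct out_rec));   /* the fix: no leftovers */

    struct out_rec *out = (struct out_rec *)in->conv_buf;
    out->src_pkts = rec->src_pkts;
    if (rec->flags & HAS_DST)
        out->dst_pkts = rec->dst_pkts;   /* only written when the record has a dst side */
    return out;
}

/* Convert a bidirectional record, then a unidirectional one, and return the
 * dst_pkts the second record is reported with. The correct value is 0. */
uint32_t second_record_dst_pkts(int clear)
{
    struct input in = { NULL };
    struct in_rec bidir  = { 20760, 19989, HAS_DST };  /* counts from the udp record above */
    struct in_rec unidir = { 5, 0, 0 };                /* constructed: no dst side at all */

    convert_record(&in, &bidir, clear);
    uint32_t dst = convert_record(&in, &unidir, clear)->dst_pkts;
    free(in.conv_buf);
    return dst;
}

int main(void)
{
    printf("without clear: DstPkts=%u (stale from previous record)\n",
           (unsigned)second_record_dst_pkts(0));
    printf("with clear:    DstPkts=%u\n", (unsigned)second_record_dst_pkts(1));
    return 0;
}
```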