argus-clients-3.0.0.rc.10 on the server

Peter Van Epp vanepp at sfu.ca
Thu Jun 22 18:54:49 EDT 2006 

On Thu, Jun 22, 2006 at 05:36:17PM -0400, Carter Bullard wrote:
> Hey Peter,
> I got these into clients-3.0.0.rc.11 which is up on the server now.
> I modified your text a bit, but its all there.
> Carter
> 
> On Jun 22, 2006, at 4:41 PM, Peter Van Epp wrote:
> 

	Looks good so far (I haven't added in the src/dst nets again in the 
config files yet):

2.0.6:

ra -F ra2.conf.full -r t.argus
StartTime,LastTime,Trans,Dur,AvgDur,SrcAddr,DstAddr,Type,Sport,Dport,SrcTOS,DstTOS,SrcTTL,DstTTL,SrcBytes,DstBytes,SrcPkt,DstPkt,Src_bps,Dst_bps,Src_pps,Dst_pps,Src_Loss,Dst_Loss,ProbeId,Flgs,SrcMacAddr,DstMacAddr,Dir,SrcJitter,DstJitter,State,srcUdata,dstUdata,SrcWin,DstWin,Seq,sMPLS,dMPLS,sVLAN,dVLAN,IpId
1149490800.390902,1149490800.392313,1,0.001411,0.001411,206.127.21.254,142.58.207.207,udp,65442,123,0,16,46,61,90,90,1,1,510276.40,510276.40,708.72,708.72,0.0000,0.0000,3848370891,,0:90:69:c0:e0:1f,0:e0:63:13:7e:0,<->,0.000,0.000,CON,,,,,1307546097,,,,,0xbc5f

3.0:

ra3 -F ra3.conf.full -r t.argus
StartTime,LastTime,Trans,Dur,AvgDur,SrcNet,SrcAddr,DstNet,DstAddr,Proto,Sport,Dport,sTos,dTos,sTtl,dTtl,SrcBytes,DstBytes,SrcPkts,DstPkts,Src_bps,Dst_bps,Src_pps,Dst_pps,SrcLoss,DstLoss,SrcId,Flgs,SrcMac,DstMac,Dir,SrcJitter,DstJitter,State,srcUdata,dstUdata,SrcWin,DstWin,Seq,sMpls,dMpls,sVlan,dVlan,sIpId,dIpId
1149490800.390902,,1149490800.392313,,1,0.001411,0.001411,206.127.21.254,142.58.207.207,udp,65442,ntp,0,16,46,61,90,90,1,1,510276.375,510276.375,708.717,708.717,0,0,229.97.122.203,         ,0:90:69:c0:e0:1f,0:e0:63:13:7e:0,<->,,,CON,,,,,1307546097,,, ,0xbc5f,0xbc5f

	It should now be possible to make a perl script compare the two data
streams and flag mismatches.
	This minor patch to common/argus_util.c on 2.0.6.fixes.1 (extracted 
out of the much larger patch for all the printing, basically changing the two 
"> 1" to "> 0") makes 2.0.6 output the rate fields for single packet flows 
(which 3.0 was already doing):

*** 2313,2331 ****
     src_count = argus->argus_far.src.count;
     dst_count = argus->argus_far.dst.count;
  
!    if (src_count > 1)
        sprintf (ptr, "%.2f", ((double)(src_count)/seconds));
     else
        sprintf (ptr, "%.2f", 0.0);
  
     sprintf (buf, "%10s", ptr);
  
!    if (dst_count > 1)
        sprintf (ptr, "%.2f", ((double)(dst_count)/seconds));
     else
        sprintf (ptr, "%.2f", 0.0);
  
!    sprintf (&buf[strlen(buf)], "%10s  ", ptr);
  }
  
  /*
--- 2305,2328 ----
     src_count = argus->argus_far.src.count;
     dst_count = argus->argus_far.dst.count;
  
!    if (src_count > 0)
        sprintf (ptr, "%.2f", ((double)(src_count)/seconds));
     else
        sprintf (ptr, "%.2f", 0.0);
  
     sprintf (buf, "%10s", ptr);
  
!    if ((RaFieldDelimiter != ' ') && (RaFieldDelimiter != '\0'))
!       sprintf(&buf[strlen(buf)], "%c", RaFieldDelimiter);
!    else
!       sprintf(&buf[strlen(buf)], "%c", ' ');
! 
!    if (dst_count > 0)
        sprintf (ptr, "%.2f", ((double)(dst_count)/seconds));
     else
        sprintf (ptr, "%.2f", 0.0);
  
!    sprintf (&buf[strlen(buf)], "%10s", ptr);
  }
  
  /*

More information about the argus mailing list