argus-3.0 conformance testing and website repository

Carter Bullard carter at qosient.com
Fri Jun 23 11:17:06 EDT 2006


Gentle people,
     Looks like we're close to having some code stability, and we're
looking good on backward compatibility.    We have a minimum
set of working argus components, server, collector/distributor,
and clients.   Thanks to everyone on all the work!!!!!

     We do need to do some correctness testing.  Does the argus
record match what is on the wire.   Nice thing is we've got a lot
of history here, but because of the surgical removal of chunks of
code, there may be some problems.

    I recommend that we find a collection of packet traces, possibly
that are just single flows, and use them to verify functionality.
We can grab packet traces off the net, which will be a good thing,
(I think the def con packet traces are a good candidate) and/or
we can establish some of our own.   I'll put the packet traces in
a repository on the argus web site.  Purely for conformance
testing and as examples of what we can do with packets.

    I would recommend that we support only tcpdump format
packet traces, although MOAT, Dag, snoop and others are
supported by argus-3.0.  Since wireshark/ethereal can convert
from many to tcpdump, I think tcpdump is the right way to go.

    I will provide single TCP flow packet traces, for conformance
testing, and I will have some dns, traceroute traces, and ping volleys.
These will be full packet traces, probably telnet, ssh and
http.  Possibly I'll google for something.

    The minimum set of flow examples I'd like to provide are:
       TCP - HTTP, Telnet, SSH, FTP
       UDP - DNS, NTP, RTP, traceroute
       ARP

    I'll generate these in a 192.168/16 network and any account/
password pairs will be temporary, so I won't have any problems
providing the full packet contents.  And if anyone discovers my
ethernet addresses, no problem.

    What I'll do is have the packet traces, and the corresponding
argus data files in a repository, with some metadata descriptions.

    If you could please suggest some others.   You don't have
to provide the packets to make a suggestion, so if it's a good
suggestion, I'll create the file.

    The files can be snapped packet files, header only, or full packet
traces.   For some, full is the only way to go (to demonstrate
capability, like arp), but it will be nice to have snaps to show
what you will get if you feed a 40 byte packet to argus and you
wanted to trace an rtp stream, and there was an ethernet,
vlan, mpls, another ethernet header, ipv6 (ooopps 40-bytes
isn't enough ;o)

    If packet traces are on the argus repository, they will only
be there for conformance testing purposes, and QoSient will
deny any other use, to avoid any type of liability.  So, the packet
files should be publishable, i.e. if you provide one, you should be
able to stand behind the "it's ok to publish" statement.

Again, opinions, suggestions, whatever are required for membership ;o)
Hope all is most excellent,

Carter
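The post asks for tcpdump-format traces, a way to check whether argus records match what is on the wire, and warns that a 40-byte snap is not enough once VLAN and IPv6 headers stack up. The following is an added, self-contained example (not code from argus or QoSient) of the kind of reference counter one would run beside argus for such a conformance check: it parses the pcap file format and Ethernet/802.1Q/ARP/IPv4/IPv6 headers, tallies packets and wire bytes per direction-independent flow, and counts packets whose snaplen cut off the headers the flow key needs. The pcap it reads is constructed inline (a small HTTP exchange, a VLAN-tagged DNS query, an ARP request and a VLAN-tagged IPv6 UDP packet in a 192.168/16 network); the flow-key convention is this example's own and is not argus's record format.

```python
"""Reference flow counter for tcpdump/pcap traces (added example, not argus code)."""
import struct
from collections import defaultdict
from ipaddress import ip_address

ETH_VLAN, ETH_ARP, ETH_IP4, ETH_IP6 = 0x8100, 0x0806, 0x0800, 0x86DD
PROTO_TCP, PROTO_UDP = 6, 17


class Truncated(Exception):
    """Raised when the capture's snaplen cut off a header the flow key needs."""


def _need(buf, off, n):
    """Return buf[off:off+n] or raise Truncated if the capture ends first."""
    if off + n > len(buf):
        raise Truncated(f"need {n} bytes at {off}, have {len(buf) - off}")
    return buf[off:off + n]


def flow_key(frame):
    """Direction-independent flow key for one Ethernet frame (assumed convention)."""
    eth_type = struct.unpack("!H", _need(frame, 12, 2))[0]
    off = 14
    while eth_type == ETH_VLAN:                     # skip one or more 802.1Q tags
        eth_type = struct.unpack("!H", _need(frame, off + 2, 2))[0]
        off += 4
    if eth_type == ETH_ARP:
        return ("arp", None, None)
    if eth_type == ETH_IP4:
        ihl = (_need(frame, off, 1)[0] & 0x0F) * 4
        proto = _need(frame, off + 9, 1)[0]
        src = str(ip_address(_need(frame, off + 12, 4)))
        dst = str(ip_address(_need(frame, off + 16, 4)))
        off += ihl
    elif eth_type == ETH_IP6:
        proto = _need(frame, off + 6, 1)[0]         # next header
        src = str(ip_address(_need(frame, off + 8, 16)))
        dst = str(ip_address(_need(frame, off + 24, 16)))
        off += 40
    else:
        return (f"eth-0x{eth_type:04x}", None, None)
    if proto in (PROTO_TCP, PROTO_UDP):
        sport, dport = struct.unpack("!HH", _need(frame, off, 4))
    else:
        sport = dport = 0
    name = {PROTO_TCP: "tcp", PROTO_UDP: "udp"}.get(proto, f"ip-{proto}")
    return (name,) + tuple(sorted([(src, sport), (dst, dport)]))


def parse_pcap(data):
    """Return (snaplen, [(wire_len, captured_frame), ...]) from pcap bytes."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a tcpdump/pcap file (bad magic)")
    _, _, _, _, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    if linktype != 1:
        raise ValueError(f"only Ethernet (linktype 1) handled, got {linktype}")
    records, off = [], 24
    while off + 16 <= len(data):
        _, _, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        records.append((orig_len, data[off:off + incl_len]))
        off += incl_len
    return snaplen, records


def summarize(data):
    """Per-flow (packets, wire bytes) plus the count of packets the snaplen defeated."""
    snaplen, records = parse_pcap(data)
    flows, truncated = defaultdict(lambda: [0, 0]), 0
    for orig_len, frame in records:
        try:
            key = flow_key(frame)
        except Truncated:
            truncated += 1
            continue
        flows[key][0] += 1
        flows[key][1] += orig_len                   # count bytes on the wire, not captured
    return snaplen, {k: tuple(v) for k, v in flows.items()}, truncated


# --- constructed sample trace (addresses and MACs are made up for this example) ---
def _eth(eth_type, payload, vlan=None):
    hdr = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    hdr += struct.pack("!HHH", ETH_VLAN, vlan, eth_type) if vlan is not None else struct.pack("!H", eth_type)
    return hdr + payload

def _ipv4(proto, src, dst, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ip_address(src).packed, ip_address(dst).packed) + payload

def _ipv6(nxt, src, dst, payload):
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), nxt, 64,
                       ip_address(src).packed, ip_address(dst).packed) + payload

def _tcp(sport, dport, flags, payload=b""):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0) + payload

def _udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def build_sample_pcap(snaplen=65535):
    """Little-endian pcap with an HTTP SYN/SYN-ACK/GET, VLAN DNS, ARP and VLAN IPv6 UDP."""
    frames = [
        _eth(ETH_IP4, _ipv4(PROTO_TCP, "192.168.1.10", "192.168.1.80", _tcp(40000, 80, 0x02))),
        _eth(ETH_IP4, _ipv4(PROTO_TCP, "192.168.1.80", "192.168.1.10", _tcp(80, 40000, 0x12))),
        _eth(ETH_IP4, _ipv4(PROTO_TCP, "192.168.1.10", "192.168.1.80", _tcp(40000, 80, 0x18, b"GET / HTTP/1.0\r\n\r\n"))),
        _eth(ETH_IP4, _ipv4(PROTO_UDP, "192.168.1.10", "192.168.1.53", _udp(5353, 53, b"\x00" * 29)), vlan=100),
        _eth(ETH_ARP, bytes.fromhex("0001080006040001") + b"\x00" * 20),
        _eth(ETH_IP6, _ipv6(PROTO_UDP, "fd00::10", "fd00::53", _udp(5353, 53, b"\x00" * 12)), vlan=200),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for i, frame in enumerate(frames):
        cap = frame[:snaplen]                       # emulate the snap: caplen <= wire length
        out += struct.pack("<IIII", 1150000000 + i, 0, len(cap), len(frame)) + cap
    return out


if __name__ == "__main__":
    for snap in (65535, 40):
        snaplen, flows, truncated = summarize(build_sample_pcap(snap))
        print(f"snaplen={snaplen}: {len(flows)} flows, {truncated} packets too short to key")
        for key, (pkts, nbytes) in sorted(flows.items(), key=str):
            print(f"  {key}: {pkts} pkts, {nbytes} bytes")
```

Run against a full trace it yields four flows and no truncation; rerun with the 40-byte snap and the plain IPv4 TCP flow still keys (ports sit at bytes 34 to 37) while the VLAN-tagged DNS and VLAN-tagged IPv6 packets are reported as too short, which is exactly the header-stacking case the post describes. To use it for conformance work, run the same pcap through argus and compare its per-flow packet and byte counts with this tally, treating any disagreement as a lead to investigate rather than a verdict.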