perl code to test 2.0.6 data on 3.0 ra
Peter Van Epp
vanepp at sfu.ca
Mon Jun 26 22:43:59 EDT 2006
Here is the initial cut at perl to take an ra data stream with a 2.0.6
ra and a 3.0 ra and compare the output (and some initial output with problems):
First the ra config files (note this assumes the printing patches on 2.0.6):
ra2.conf.full:
RA_FIELD_DELIMITER=','
RA_PRINT_HOSTNAMES=protocol
RA_FIELD_SPECIFIER=time trans dur avgdur saddr daddr proto sport dport stos dtos sttl dttl bytes pkts load rate loss srcid ind mac dir jitter status user win seq mpls vlan ipid
RA_PRINT_UNIX_TIME=yes
RA_USEC_PRECISION=6
RA_PRINT_LABELS=0
ra3.conf.full:
RA_PRINT_LABELS=0
RA_FIELD_DELIMITER=','
RA_FIELD_SPECIFIER=stime ltime trans dur avgdur saddr daddr proto sport dport stos dtos sttl dttl sbytes dbytes spkts dpkts srate drate sload dload sloss dloss srcid flgs smac dmac dir sjit djit state suser duser swin dwin seq smpls dmpls svlan dvlan sipid dipid
RA_PRINT_NAMES=proto
RA_TIME_FORMAT="%s"
RA_PRINT_DURATION=no
RA_PRINT_LASTIME=yes
ra_test.pl
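#!/usr/bin/perl
# ra_test.pl - feed one argus file to a 2.0.6 ra and a 3.0 ra (using the
# ra2.conf.full / ra3.conf.full field lists) and report, record by record,
# which fields the two versions print differently.
#
# usage: ra_test argus_input_file
use strict;
use warnings;

# Field names in the order ra2.conf.full and ra3.conf.full print them.
# 2.0.6 prints a single ipid column; 3.0 prints one per direction.
my @FIELDS2 = qw(
    start end trans dur avgdur saddr daddr proto sport dport stos dtos
    sttl dttl sbytes dbytes spkts dpkts srate drate sload dload sloss dloss
    srcid flgs smac dmac dir sjit djit state suser duser swin dwin seq
    smpls dmpls svlan dvlan ipid
);
my @FIELDS3 = qw(
    start end trans dur avgdur saddr daddr proto sport dport stos dtos
    sttl dttl sbytes dbytes spkts dpkts srate drate sload dload sloss dloss
    srcid flgs smac dmac dir sjit djit state suser duser swin dwin seq
    smpls dmpls svlan dvlan sipid dipid
);

# How a field is compared.  Anything not listed is an exact string match.
#   near - numeric, equal when they differ by less than 1 (the two versions
#          print these with different precision)
#   num  - numeric equality
my %CMP_OF = (
    (map { ($_ => 'near') } qw(avgdur srate drate sload dload)),
    (map { ($_ => 'num') } qw(sloss dloss sjit djit)),
);

# srcid is not compared: the two versions print it in different formats.
my @COMPARE = grep { $_ ne 'srcid' } @FIELDS3;

# Numeric value of a printed field; an empty field counts as 0.
sub _num {
    my ($value) = @_;
    return $value eq '' ? 0 : $value;
}

# Compare one record from each ra.
#   $rec2, $rec3 - the comma separated records, newline already removed
# Returns the names of the fields that differ, in config-file order
# (an empty list when the records agree).
sub compare_records {
    my ($rec2, $rec3) = @_;

    my (%val2_of, %val3_of);
    @val2_of{@FIELDS2} = split /,/, $rec2, -1;
    @val3_of{@FIELDS3} = split /,/, $rec3, -1;
    # A short record leaves trailing fields undef; treat them as empty.
    for (values %val2_of, values %val3_of) {
        $_ = '' unless defined $_;
    }
    # The single 2.0.6 ipid is checked against both 3.0 ipids.
    $val2_of{sipid} = $val2_of{dipid} = $val2_of{ipid};
    # 3.0 pads flgs with blanks, so compare the flag letters only.
    s/ //g for $val2_of{flgs}, $val3_of{flgs};

    my @bad;
    for my $field (@COMPARE) {
        my ($v2, $v3) = ($val2_of{$field}, $val3_of{$field});
        my $kind = $CMP_OF{$field} || 'str';
        my $same = $kind eq 'near' ? abs(_num($v2) - _num($v3)) < 1
                 : $kind eq 'num'  ? _num($v2) == _num($v3)
                 :                   $v2 eq $v3;
        push @bad, $field unless $same;
    }
    return @bad;
}

# Run both ra versions over $ARGV[0] and print every record on which they
# disagree.  Returns the process exit status.
sub main {
    if (@ARGV != 1) {
        print STDERR "usage: ra_test argus_input_file\n";
        return 1;
    }
    my $input = $ARGV[0];

    # List-form open runs ra directly: the file name is passed as an
    # argument and never goes through a shell.
    open my $ra2, '-|', '/usr/local/bin/ra',  '-F', 'ra2.conf.full', '-r', $input
        or die "can't open $input $!";
    open my $ra3, '-|', '/usr/local/bin/ra3', '-F', 'ra3.conf.full', '-r', $input
        or die "can't open $input $!";

    # Skip the label line from each, plus the first ra2 "man" line, which
    # ra3 does not print.
    my $labels2 = <$ra2>;
    my $labels3 = <$ra3>;
    my $man2    = <$ra2>;

    my $line = 0;
    while (my $rec2 = <$ra2>) {
        $line++;
        chomp $rec2;
        my $rec3 = <$ra3>;
        if (!defined $rec3) {
            warn "ra3 output ended after $line records, ra2 has more\n";
            last;
        }
        chomp $rec3;

        my @bad = compare_records($rec2, $rec3);
        next unless @bad;
        print "line: $line fields in error: ", join(',', @bad), ",\n",
              "$rec2\n$rec3\n\n";
    }
    my $extra3 = <$ra3>;
    warn "ra3 has more records than ra2 (after $line)\n" if defined $extra3;

    # close of a pipe fails when the command exited non-zero ($? holds it).
    close $ra2 or warn "ra exited with status ", $? >> 8, "\n";
    close $ra3 or warn "ra3 exited with status ", $? >> 8, "\n";
    return 0;
}

exit main() unless caller;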
And some initial output showing some problems :-)
%./ra_test.pl /usr/local/argus/com_argus.archive/2006/06/05/com_argus.2006.06.05.00.00.00.0.gz
line: 4 fields in error: dir,
1149490795.289487,1149490800.426943,1,5.137456,5.137456,142.58.121.125,222.73.14.149,tcp,6211,80,0,0,0,50,0,62,0,1,0.00,96.55,0.00,0.19,0.0000,0.0000,3848370891,I,0:90:69:c0:e0:1f,0:e0:63:13:7e:0,<-,0.000,0.000,ACC,,,0,0,1307546100,,,,,0x0000
1149490795.289487,1149490800.426943,1,5.137456,5.137456,142.58.121.125,222.73.14.149,tcp,6211,80,0,0,0,50,0,62,0,1,0.000,96.546,0.000,0.195,0,0,229.97.122.203, I ,0:90:69:c0:e0:1f,0:e0:63:13:7e:0,->,,,ACC,,,0,0,1307546100,,,,,0x0000,0x0000
line: 7 fields in error: djit,sjit,
1149490739.803321,1149490799.030731,1,59.227410,59.227410,142.58.103.1,69.28.95.58,udp,33763,53,0,0,253,51,5994,9215,59,59,809.63,1244.69,1.00,1.00,0.0000,0.0000,3848370891,,0:e0:63:13:7e:0,0:90:69:c0:e0:1f,<->,1043.258,1043.251,CON,,,,,1307546103,,,,,0x8dc7
1149490739.803321,1149490799.030731,1,59.227410,59.227409,142.58.103.1,69.28.95.58,udp,33763,53,0,0,253,51,5994,9215,59,59,809.625,1244.694,0.996,0.996,0,0,229.97.122.203, ,0:e0:63:13:7e:0,0:90:69:c0:e0:1f,<->,0.000000,,CON,,,,,1307546103,,,,,0x8dc7,0x8dc7
line: 10 fields in error: sloss,
1149490790.464835,1149490800.467792,1,10.002957,10.002957,142.58.101.28,61.183.176.196,tcp,62542,113,0,0,62,0,178,0,3,0,142.36,0.00,0.30,0.00,33.3333,0.0000,3848370891,s,0:e0:63:13:7e:0,0:90:69:c0:e0:1f,->,0.000,0.000,RST,,,49640,0,1307546106,,,,,0x7ca4
1149490790.464835,1149490800.467792,1,10.002957,10.002957,142.58.101.28,61.183.176.196,tcp,62542,113,0,0,62,0,178,0,3,0,142.358,0.000,0.300,0.000,0,0,229.97.122.203, s ,0:e0:63:13:7e:0,0:90:69:c0:e0:1f,->,,,RST,,,49640,0,1307546106,,,,,0x7ca4,0x7ca4
line: 23 fields in error: sload,
1149490774.754948,1149490774.754948,1,0.000000,0.000000,85.101.217.151,142.58.68.124,udp,1032,137,0,0,107,0,92,0,1,0,0.00,0.00,inf,0.00,0.0000,0.0000,3848370891,,0:90:69:c0:e0:1f,0:e0:63:13:7e:0,->,0.000,0.000,INT,,,,,1307546119,,,,,0x8fa5
1149490774.754948,1149490774.754948,1,0.000000,0.000000,85.101.217.151,142.58.68.124,udp,1032,137,0,0,107,0,92,0,1,0,0.000,0.000,0.000,0.000,0,0,229.97.122.203, ,0:90:69:c0:e0:1f,0:e0:63:13:7e:0,->,,,INT,,,,,1307546119,,,,,0x8fa5,0x8fa5
line: 26 fields in error: state,dport,sload,sport,
1149490774.840660,1149490774.840660,1,0.000000,0.000000,142.58.29.9,218.25.46.86,icmp,,,192,0,253,0,82,0,1,0,0.00,0.00,inf,0.00,0.0000,0.0000,3848370891,,0:e0:63:13:7e:0,0:90:69:c0:e0:1f,->,0.000,0.000,URH,,,,,1307546122,,,,,0x2bed
1149490774.840660,1149490774.840660,1,0.000000,0.000000,142.58.29.9,218.25.46.86,icmp,3,1,192,0,253,0,82,0,1,0,0.000,0.000,0.000,0.000,0,0,229.97.122.203, ,0:e0:63:13:7e:0,0:90:69:c0:e0:1f,->,,,ECR,,,,,1307546122,,,,,0x2bed,0x2bed
line: 41 fields in error: proto,
1149490723.632645,1149490723.708860,1,0.076215,0.076215,83.99.180.201,142.58.170.37,rtp,62981,64782,0,0,106,125,60,68,1,1,6297.97,7137.70,13.12,13.12,0.0000,0.0000,3848370891,,0:90:69:c0:e0:1f,0:e0:63:13:7e:0,<->,0.000,0.000,CON,,,,,1307546137,,,,,0x1fac
1149490723.632645,1149490723.708860,1,0.076215,0.076215,83.99.180.201,142.58.170.37,udp,62981,64782,0,0,106,125,60,68,1,1,6297.973,7137.703,13.121,13.121,0,0,229.97.122.203, ,0:90:69:c0:e0:1f,0:e0:63:13:7e:0,<->,,,CON,,,,,1307546137,,,,,0x1fac,0x1fac
line: 45 fields in error: state,dport,sport,
1149490723.689708,1149490723.690126,1,0.000418,0.000418,207.23.240.150,80.67.75.207,icmp,,,0,0,255,50,78,78,1,1,1492822.97,1492822.97,2392.34,2392.34,0.0000,0.0000,3848370891,,0:e0:63:13:7e:0,0:90:69:c0:e0:1f,<->,0.000,0.000,ECO,,,,,1307546141,,,,,0x1f3c
1149490723.689708,1149490723.690126,1,0.000418,0.000418,207.23.240.150,80.67.75.207,icmp,8,0,0,0,255,50,78,78,1,1,1492822.875,1492822.875,2392.344,2392.344,0,0,229.97.122.203, ,0:e0:63:13:7e:0,0:90:69:c0:e0:1f,<->,,,ECR,,,,,1307546141,,,,,0x1f3c,0x1f3c
line: 108 fields in error: djit,state,dloss,flgs,dir,
1149490749.347366,1149490765.780170,1,16.432804,16.432804,142.58.232.38,204.16.197.20,tcp,15366,80,0,0,0,116,0,248,0,4,0.00,120.73,0.00,0.24,0.0000,75.0000,3848370891,Id,0:90:69:c0:e0:1f,0:e0:63:13:7e:0,<->,0.000,5518.317,TIM,,,0,16384,1307546204,,,,,0x0000
1149490749.347366,1149490765.780170,1,16.432804,16.432804,142.58.232.38,204.16.197.20,tcp,15366,80,0,0,0,116,0,248,0,4,0.000,120.734,0.000,0.243,0,0,229.97.122.203, d I ,0:90:69:c0:e0:1f,0:e0:63:13:7e:0,->,,0.00,ACC,,,0,16384,1307546204,,,,,0x0000,0x0000
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada