racluster, wounded after battling a dragon...

Carter Bullard carter at qosient.com
Fri Nov 3 10:05:32 EST 2006 

Hey Adrian,
Sorry for the delayed response.   Thanks for the email, and yes Rick  
is correct that
this has been an issue.  I thought I fixed them all but, alas, bugs  
abound.
'dport' as a aggregation object is supported, but it only makes sense  
for some
protocols.  Check to see that the record that is being aggregated  is  
an IPv[4,6]
record, and ICMP, TCP,  UDP/RTP, ESP etc....   There are a lot of  
protocols that
just don't have a port concept (there are some that have a dport, but  
no sport, like
ESP).

I'm hoping to have new code up on the server later today (Fri).
Thanks again for the email.

Carter


On Oct 31, 2006, at 11:24 AM, Adrian Bool wrote:

>
> Hi,
>
> I have previously used ragator to look a traffic flows from  
> archived pcap data.  Over the last couple of days I've been trying  
> to do similar in Argus 3rc33 with racluster.
>
> I'm trying for a filter of the form,
>
> 	filter="src net 192.168.0.0/16" model="saddr/24 daddr/24 dport"
>
> Whilst trying to get the data I want I have found a couple of bugs  
> in the function argus_client.c::ArgusNewAggregator,
>
> 	Mask length decoding,
>
> 	Currently we have,
> 		
> 		char * endptr = NULL ;
>
>        if ((len = strtol(mptr, endptr, 10)) == 0)
>           if (*endptr == mptr)
>               ArgusLog (LOG_ERR, "syntax error: %s %s", mptr,  
> strerror(errno));
>
> 	... but really need ...
>
> 		char * endptr = NULL ;
>
>        if ((len = strtol(mptr, &endptr, 10)) == 0)
>             if (endptr == mptr)
>                ArgusLog (LOG_ERR, "syntax error: %s %s", mptr,  
> strerror(errno));
>
>
> 	... and possibly bomb out if we hit the syntax error.  strtol  
> stakes a char ** as its second argument - and if that is NULL it  
> will not return any endptr information.  So, we pass the address of  
> the NULL ptr, it places the end of processing ptr in our end ptr  
> and then we can just compare normal pointers.
>
> 	Then, there is currently,
>
> 	       if (len <= 32)
>                   mask.addr_un.ipv4 = (0xFFFFFFFF << (32 - retn- 
> >saddrlen));
>
> 	The mask.addr_un.ipv4 is not a function of the len we just  
> decoded!  Using the following seems to be ok,
>
> 	       if (len <= 32)
>                   mask.addr_un.ipv4 = (0xFFFFFFFF << (32 - len));
>
> 	saddrlen (or daddrlen) seems to be set as appropriate lower down.
>
> I'm actually looking at aggregating on destination port  - which  
> worked pretty well in ragator.  Lower down this function iterates  
> through members of ArgusMaskDefs but only seem to be picking up  
> saddr, daddr, smpls and dmpls.  sport and dport seem to be  
> ignored.  Is aggregation on ports not implemented as yet?
>
> Regards,
>
> aid
>
>


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20061103/a4a6953a/attachment.html>

More information about the argus mailing list