rc.29 testing
Peter Van Epp
vanepp at sfu.ca
Wed Sep 13 23:15:23 EDT 2006
Rc.29 is looking good. All the directional count issues look to be gone
in the hour-long test file (and the big test file output is below). There
looks to be an icmp length issue though (all 3.0.rc.29 for the v3 programs):
%argus -r count.tcp -w count3.argus
%argus_bpf -r count.tcp -w count2.argus
%ra -r count2.argus -nn
13 Sep 06 19:47:08 man 229.97.122.203 v2.0 1 0 0 0 0 0 STA
28 Aug 06 15:30:31 I tcp 102.177.225.49.47229 -> 142.58.222.231.54481 1 0 66 0 REQ
28 Aug 06 15:30:36 icmp 142.58.29.9 -> 102.177.225.49 1 0 94 0 URH
13 Sep 06 19:47:08 man 229.97.122.203 v2.0 3 0 2 0 160 2 SHT
%ra3 -r count2.argus -n
15:30:31.581086 I tcp 102.177.225.49.47229 -> 142.58.222.231.54481 1 0 66 0 REQ
15:30:36.583786 icmp 142.58.29.9 -> 102.177.225.49 1 0 94 0 URH
19:47:08.206214 man 33620040 0 3228143616 838861 2 0 3228143616 3758104544 SHT
%ra3 -r count3.argus -n
15:30:31.581086 I tcp 102.177.225.49.47229 -> 142.58.222.231.54481 1 0 66 0 REQ
15:30:36.583786 icmp 142.58.29.9 -> 102.177.225.49 1 0 86 0 URH
19:46:57.630528 man 0 0 29 1 2 3 29 1462760 STP
%
Note argus 3.0 is saying icmp length is 86 where 2.0.6 thinks it's 94
(tcpdump reports 60, but I expect that's less headers, and my sniffer machine
ate its power supply yesterday and is thus hors-de-combat for telling me what's
really going on, but I suspect 2.0.6 is correct because I verified all the
counts there against tcpdump output :-)). Since it's a harmless attack with no
response I'll add count.tcp to this message for debugging.
With state and direction checking suppressed, the large 2.0.6 file does
fine (at least all the complaints are either explained or 2.0.6 bugs :-)):
esp processing changed in 3.0, making this OK (it won't detect retransmits any
more, I don't think):
flgs2 = s
flgs32 =
line: 1026 fields in error: flgs,
1151432430.055001,1151433528.697155,1,1098.642154,1098.642154,208.38.3.62,142.58.213.62,esp,0,16248,0,0,52,0,1385072,0,1193096,0,5052,0,10085.70,0.00,4.60,0.00,0.0000,0.0000,3848370891,qs,0:11:88:5:5d:1d,0:10:db:73:dd:51,->,841639.000000,,INT,s[16]="x?`X4........v$.",,,,7469,,,0x0200,,0x5b5f
1151432430.055001,1151433528.697155,1,1098.642154,1098.642212,208.38.3.62,142.58.213.62,esp,,1532968824,0,,52,,1385072,0,1193096,0,5052,0,10085.700,0.000,4.598,0.000,0,0,229.97.122.203, v ,0:11:88:5:5d:1d,0:10:db:73:dd:51,->,841639.000000,,INT,s[16]="x?`X4........v$.",,,,7469,,,0x0200,,0x5b5f,
2.0.6 field length bug (truncates the hex)
sport 0xe 232
dport 0xe 232
line: 18705 fields in error: dport,sport,
1151432461.841994,1151432461.841994,1,0.000000,0.000000,0:9:6b:b7:9c:10,3:0:8:0:0:0,llc,0xe,0xe,,,,,64,0,43,0,1,0,0.00,0.00,inf,0.00,0.0000,0.0000,3848370891,q,0:9:6b:b7:9c:10,3:0:8:0:0:0,->,,,INT,s[16]="..CC............",,,,21725,,,0x8200,,
1151432461.841994,1151432461.841994,1,0.000000,0.000000,0:9:6b:b7:9c:10,3:0:8:0:0:0,llc,0xe8,0xe8,,,,,64,0,43,0,1,0,0.000,0.000,0.000,0.000,0,0,229.97.122.203, v ,0:9:6b:b7:9c:10,3:0:8:0:0:0,->,,,INT,s[16]="..CC............",,,,21725,,,0x8200,,,
2.0.6 suppressed the 65535 port number (used as a flag as I recall)
sport 65535
line: 80205 fields in error: sport,
1151432633.891051,1151432633.891051,1,0.000000,0.000000,64.231.58.119,142.58.65.252,udp,,5436,0,0,113,0,109,0,63,0,1,0,0.00,0.00,inf,0.00,0.0000,0.0000,3848370891,q,0:11:88:5:5d:1d,0:14:51:7a:b:b1,->,,,INT,s[16]="...A...&....N.t.",,,,62171,,,0x0286,,0x16f2
1151432633.891051,1151432633.891051,1,0.000000,0.000000,64.231.58.119,142.58.65.252,udp,65535,5436,0,,113,,109,0,63,0,1,0,0.000,0.000,0.000,0.000,0,0,229.97.122.203, v ,0:11:88:5:5d:1d,0:14:51:7a:b:b1,->,,,INT,s[16]="...A...&....N.t.",,,,62171,,,0x0286,,0x16f2,
A 3.0 sort field trade-off: it overwrites the E flag with the D flag. The correct
data for both is in the 3.0 argus record and another client can extract it if
you need it.
flgs2 = E
flgs32 =
line: 111474 fields in error: flgs,
1151432739.311116,1151432742.431802,1,3.120686,3.120686,142.58.211.84,205.188.212.249,tcp,59972,80,0,0,255,255,1586,1467,1160,1111,7,6,4065.77,3760.71,2.24,1.92,0.0000,0.0000,3848370891,qDE,0:f:1f:3:f5:79,0:11:88:5:5d:1d,->,,1218134.039513,RST,s[16]="GET/17789/aim/e",,0,0,124168,,,0x00d3,0x00d3,0x0000
1151432739.311116,1151432742.431802,1,3.120686,3.120686,142.58.211.84,205.188.212.249,tcp,59972,80,0,0,255,255,1586,1467,1160,1111,7,6,4065.773,3760.711,2.243,1.923,0,0,229.97.122.203, v D ,0:f:1f:3:f5:79,0:11:88:5:5d:1d,->,,1218134.04,RST,s[16]="GET /17789/aim/e",,0,0,124168,,,0x00d3,0x00d3,0x0000,0x0000
2.0.6 bug (ports should be suppressed)
sport 0
dport 0
line: 150642 fields in error: dport,sport,
1151432860.448561,1151433389.602865,1,529.154304,529.154304,10.10.10.10,255.255.255.255,pri-,0,0,0,0,0,0,1170,0,600,0,15,0,17.69,0.00,0.03,0.00,0.0000,0.0000,3848370891,q,0:9:ef:1:39:c1,ff:ff:ff:ff:ff:ff,->,,,INT,s[16]="WLANforwarding",,,,170682,,,0x0286,,0x0000
1151432860.448561,1151433389.602865,1,529.154304,529.154297,10.10.10.10,255.255.255.255,pri-enc,,,0,,0,,1170,0,600,0,15,0,17.689,0.000,0.028,0.000,0,0,229.97.122.203, v ,0:9:ef:1:39:c1,ff:ff:ff:ff:ff:ff,->,,,INT,s[16]="WLAN forwarding",,,,170682,,,0x0286,,0x0000,
int to fp roundoff errors (2.0.6 is int, 3.0 is fp)
djit 73945.757215 73827.01
line: 208131 fields in error: djit,
1151433024.339674,1151433529.078258,1,504.738584,504.738584,142.58.62.247,66.36.75.14,tcp,50664,80,0,0,255,255,4433,6353,225,2215,60,59,70.26,100.69,0.12,0.12,0.0000,0.0000,3848370891,q,0:d:93:ea:6:66,0:11:88:5:5d:1d,->,,73945.757215,CON,s[16]="GET/SERVICE/SQU",,0,27,246528,,,0x0282,0x0282,0x0000
1151433024.339674,1151433529.078258,1,504.738584,504.738586,142.58.62.247,66.36.75.14,tcp,50664,80,0,0,255,255,4433,6353,225,2215,60,59,70.262,100.694,0.119,0.117,0,0,229.97.122.203, v ,0:d:93:ea:6:66,0:11:88:5:5d:1d,->,,73827.01,CON,s[16]="GET /SERVICE/SQU",,0,27,246528,,,0x0282,0x0282,0x0000,0x0000
srate 3018666666.67 3018666496.000
line: 233600 fields in error: srate,
1151433105.350181,1151433105.350187,1,0.000006,0.000006,142.58.160.80,156.26.176.107,udp,26635,48056,0,0,128,0,2264,0,2172,0,2,0,3018666666.67,0.00,333333.33,0.00,0.0000,0.0000,3848370891,q,0:12:3f:98:40:82,0:11:88:5:5d:1d,->,,,INT,s[16]=".-?.S.....!.u.6.",,,,280338,,,0x8200,,0xbb94
1151433105.350181,1151433105.350187,1,0.000006,0.000006,142.58.160.80,156.26.176.107,udp,26635,48056,0,,128,,2264,0,2172,0,2,0,3018666496.000,0.000,333333.312,0.000,0,0,229.97.122.203, v ,0:12:3f:98:40:82,0:11:88:5:5d:1d,->,,,INT,s[16]=".-?.S.....!.u.6.",,,,280338,,,0x8200,,0xbb94,
and that's it out of some 360,000 records. When we re-enable state and direction
checking things are a little more exciting, but not necessarily wrong :-)
(igmp isn't connected for instance):
line: 7 fields in error: dir,
1151432428.834980,1151432968.849102,1,540.014122,540.014122,142.58.206.16,142.58.202.108,tcp,524,1434,0,0,128,128,4270036130,91141044,4095125356,4541942,3015703,1493083,63258140.20,1350202.38,5584.49,2764.90,0.0007,0.0000,3848370891,qs,0:f:1f:f8:c4:c1,0:11:88:5:5d:1d,?>,1278.000000,3716.553425,CON,s[16]=".Y....&!..:KLJj(",d[16]="DmdT...1........",21344,17520,8541,,,0x80ce,0x80ca,0xfee9
1151432428.834980,1151432968.849102,1,540.014122,540.014099,142.58.206.16,142.58.202.108,tcp,524,1434,0,0,128,128,4270036130,91141044,4095125356,4541942,3015703,1493083,63258144.000,1350202.375,5584.489,2764.896,0,0,229.97.122.203, vs ,0:f:1f:f8:c4:c1,0:11:88:5:5d:1d,<?>,1278.000000,3716.47,CON,s[16]=".Y....&!..:KLJj(",d[16]="DmdT...1........",21344,17520,8541,,,0x80ce,0x80ca,0xfee9,0xfee9
line: 23 fields in error: dir,
1151432428.836459,1151433529.824857,1,1100.988398,1100.988398,142.58.155.79,142.58.167.63,tcp,1030,445,0,0,255,255,7324703,34375869,3834611,30963787,60174,58829,53222.74,249781.88,54.65,53.43,0.0299,0.0068,3848370891,q*,0:b:db:49:f6:39,0:11:88:5:5d:1d,?>,31.787992,561892.517921,CON,s[16]="...;.SMB........",d[16]="...<.SMB........",17520,16766,8549,,,0x0200,0x8200,0x93ab
1151432428.836459,1151433529.824857,1,1100.988398,1100.988403,142.58.155.79,142.58.167.63,tcp,1030,445,0,0,255,255,7324703,34375869,3834611,30963787,60174,58829,53222.742,249781.875,54.655,53.433,0,0,229.97.122.203, v* ,0:b:db:49:f6:39,0:11:88:5:5d:1d,<?>,31.541513,561892.47,CON,s[16]="...;.SMB........",d[16]="...<.SMB........",17520,16766,8549,,,0x0200,0x8200,0x93ab,0x93ab
state TIM CON
line: 31 fields in error: state,dir,
1151432428.840442,1151433509.016300,1,1080.175858,1080.175858,142.58.235.103,142.58.103.117,tcp,1660,445,0,0,128,0,580,0,0,0,10,0,4.30,0.00,0.01,0.00,0.0000,0.0000,3848370891,q,0:14:22:56:d6:dd,0:11:88:5:5d:1d,<?>,,,TIM,,,0,0,756,,,0x8200,,0xbdef
1151432428.840442,1151433509.016300,1,1080.175858,1080.175903,142.58.235.103,142.58.103.117,tcp,1660,445,0,,128,,580,0,0,0,10,0,4.296,0.000,0.009,0.000,0,0,229.97.122.203, v ,0:14:22:56:d6:dd,0:11:88:5:5d:1d,?>,,,CON,,,0,,756,,,0x8200,,0xbdef,
state CON INT
line: 42 fields in error: state,
1151432428.847329,1151432439.757887,1,10.910558,10.910558,142.58.200.252,224.0.0.22,igmp,34,0,192,0,1,0,174,0,48,0,3,0,127.58,0.00,0.27,0.00,0.0000,0.0000,3848370891,q,0:e0:81:20:c3:4c,1:0:5e:0:0:16,->,,,CON,s[16]=""...............",,,,8887,,,0x0200,,0x0000
1151432428.847329,1151432439.757887,1,10.910558,10.910558,142.58.200.252,224.0.0.22,igmp,,,192,,1,,174,0,48,0,3,0,127.583,0.000,0.275,0.000,0,0,229.97.122.203, v ,0:e0:81:20:c3:4c,1:0:5e:0:0:16,->,,,INT,s[16]=""...............",,,,8887,,,0x0200,,0x0000,
line: 52 fields in error: dir,
1151432428.851530,1151433240.526740,1,811.675210,811.675210,142.58.71.99,142.58.217.166,tcp,49152,1935,0,0,255,255,79657946,6850292,71822216,9962,111939,97719,785121.39,67517.57,137.91,120.39,0.0036,0.0000,3848370891,qs,0:11:24:a8:11:b2,0:11:88:5:5d:1d,?>,5055.000000,33915.787004,CON,s[16]="K.....h.".......",d[16]="..............%6",65535,34752,8586,,,0x0200,0x8288,0x8b92
1151432428.851530,1151433240.526740,1,811.675210,811.675232,142.58.71.99,142.58.217.166,tcp,49152,1935,0,0,255,255,79657946,6850292,71822216,9962,111939,97719,785121.375,67517.562,137.911,120.392,0,0,229.97.122.203, vs ,0:11:24:a8:11:b2,0:11:88:5:5d:1d,<?>,5055.000000,33915.32,CON,s[16]="K.....h.".......",d[16]="..............%6",65535,34752,8586,,,0x0200,0x8288,0x8b92,0x8b92
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
-------------- next part --------------
A non-text attachment was scrubbed...
Name: count.tcp
Type: application/octet-stream
Size: 216 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20060913/4ff8e23e/attachment.obj>
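The "line: N fields in error:" reports above come from comparing the 2.0.6 and 3.0 CSV exports record by record while tolerating the differences that are merely representational (int vs. floating-point rounding, a port printed as 0, 65535 or left blank, flag letters reordered, a trailing comma on every 3.0 line). The following script is an added example written for this note, not argus code or the comparison tool the author used; the column layout, the tolerance rules and the sample records are constructed (values adapted from the records quoted above, trimmed to a much smaller layout than the real argus output), and it goes beyond the report above by letting you suppress individual columns the way state and direction checking was suppressed in the first run.

```python
"""Tolerant field-by-field diff of flow-record exports from two sensor versions.

Added example for this note, not argus code.  The column layout, the
tolerance rules and the sample records are constructed for illustration;
the real argus CSV output has many more columns in a different order.
"""
import csv
import io
import math

# Constructed column layout (assumption, not the real argus field order).
FIELDS = ["stime", "ltime", "saddr", "daddr", "proto", "sport", "dport",
          "spkts", "dpkts", "sbytes", "dbytes", "srate", "djit", "flgs",
          "state"]

# Columns where the two exporters differ only in representation.
NUMERIC = {"stime", "ltime", "spkts", "dpkts", "sbytes", "dbytes",
           "srate", "djit"}            # one side prints ints, the other floats
SUPPRESSIBLE = {"sport", "dport"}      # blank, 0 and 65535 all mean "no port"
SUPPRESSED_VALUES = {"", "0", "65535"}


def parse_records(text):
    """Parse CSV text into one dict per record.  A trailing empty column is
    dropped because one exporter terminates every line with a comma."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        if len(row) == len(FIELDS) + 1 and row[-1] == "":
            row = row[:-1]
        if len(row) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} fields, got {len(row)}")
        records.append(dict(zip(FIELDS, (v.strip() for v in row))))
    return records


def values_match(name, a, b, rel_tol=1e-4):
    """Decide whether two exporters' values for one column are equivalent."""
    if name in SUPPRESSIBLE:
        def norm(v):
            return "" if v in SUPPRESSED_VALUES else v
        return norm(a) == norm(b)
    if name in NUMERIC:
        try:
            return math.isclose(float(a), float(b),
                                rel_tol=rel_tol, abs_tol=1e-9)
        except ValueError:
            return a == b
    if name == "flgs":
        # Compare flag letters as a set: padding and ordering differences are
        # ignored, but a flag present on one side only is still reported.
        return set(a.replace(" ", "")) == set(b.replace(" ", ""))
    return a == b


def diff_exports(old_text, new_text, rel_tol=1e-4, skip=()):
    """Return [(line_number, [columns in error]), ...] for records that differ
    beyond the tolerances.  `skip` names columns to ignore, e.g. ("state",)
    to run with state checking suppressed."""
    old, new = parse_records(old_text), parse_records(new_text)
    if len(old) != len(new):
        raise ValueError("record counts differ; align the two exports first")
    problems = []
    for lineno, (o, n) in enumerate(zip(old, new), start=1):
        bad = [f for f in FIELDS
               if f not in skip and not values_match(f, o[f], n[f], rel_tol)]
        if bad:
            problems.append((lineno, bad))
    return problems


def format_report(problems):
    """Render problems in the 'line: N fields in error: a,b,' style used above."""
    return "\n".join(f"line: {ln} fields in error: {','.join(bad)},"
                     for ln, bad in problems)


# Constructed sample exports (values adapted from the records quoted in the
# message, cut down to the 15-column layout above).  Line 2 carries a real
# jitter difference, line 4 a flag letter missing on one side; lines 1 and 3
# differ only in float precision and port suppression.
OLD_EXPORT = """\
1151433105.350181,1151433105.350187,142.58.160.80,156.26.176.107,udp,26635,48056,2,0,2264,0,3018666666.67,0.00,q,INT
1151433024.339674,1151433529.078258,142.58.62.247,66.36.75.14,tcp,50664,80,60,59,4433,6353,70.26,73945.757215,q,CON
1151432633.891051,1151432633.891051,64.231.58.119,142.58.65.252,udp,,5436,1,0,113,0,0.00,0.00,q,INT
1151432430.055001,1151433528.697155,208.38.3.62,142.58.213.62,esp,0,0,5052,0,1385072,0,10085.70,0.00,qs,INT
"""
NEW_EXPORT = """\
1151433105.350181,1151433105.350187,142.58.160.80,156.26.176.107,udp,26635,48056,2,0,2264,0,3018666496.000,0.000,q,INT,
1151433024.339674,1151433529.078258,142.58.62.247,66.36.75.14,tcp,50664,80,60,59,4433,6353,70.262,73827.01,q,CON,
1151432633.891051,1151432633.891051,64.231.58.119,142.58.65.252,udp,65535,5436,1,0,113,0,0.000,0.000,q,INT,
1151432430.055001,1151433528.697155,208.38.3.62,142.58.213.62,esp,,,5052,0,1385072,0,10085.700,0.000,q,INT,
"""

if __name__ == "__main__":
    print(format_report(diff_exports(OLD_EXPORT, NEW_EXPORT)))
```

Run as-is it reports only line 2 (djit) and line 4 (flgs); the srate difference on line 1 is inside the relative tolerance and the 0 / 65535 / blank ports on lines 3 and 4 normalise to the same thing. Pass `skip=("flgs",)` to reproduce the effect of suppressing a whole class of checks, and tighten `rel_tol` if you want single-precision rounding differences such as 3018666666.67 against 3018666496.000 to surface again.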