rc.29 testing

Carter Bullard carter at qosient.com
Thu Sep 14 00:04:24 EDT 2006


Hey Peter,
ICMP length issue fixed.
Not sure about your comment on esp traffic.  We definitely should be
reporting loss for esp traffic (there are no esp retransmits, just detected
dropped packets, based on the esp sequence number).
We aren't suppressing 'special' port values as there are no special port
numbers any longer.  So if it's 65535, then that's what we saw on the wire.
So I have redefined the flags character offsets, and put them in the new ra.1
man page, but I'm still using the older mapping.  Check out the man page
for flag printing, to see if it works for you.  If so I'll flip the method for
printing, but then it won't be backward compatible at all.

The new dir fields, where v.2 printed "?>" but v.3 prints "<?>": v.3
will print a '<' or '>' if there are dst or src packet counts, respectively.
(I think v.2 is broken here.)

Carter


Peter Van Epp wrote:

>	Rc.29 is looking good. All the directional count issues look to be gone
>in the hour long test file (and the big test file output is below). There
>looks to be an icmp length issue though (all 3.0.rc.29 for the v3 programs):
>
>%argus -r count.tcp -w count3.argus
>
>%argus_bpf -r count.tcp -w count2.argus
>
>%ra -r count2.argus -nn
>13 Sep 06 19:47:08           man  229.97.122.203  v2.0                   1 0     0        0         0            0           STA
>28 Aug 06 15:30:31     I     tcp  102.177.225.49.47229  ->  142.58.222.231.54481 1        0         66           0           REQ
>28 Aug 06 15:30:36          icmp     142.58.29.9        ->  102.177.225.49       1        0         94           0           URH
>13 Sep 06 19:47:08           man  229.97.122.203  v2.0                   3 0     2        0         160          2           SHT
>
>%ra3 -r count2.argus -n
>    15:30:31.581086     I       tcp     102.177.225.49.47229     ->     142.58.222.231.54481         1        0           66            0   REQ
>    15:30:36.583786            icmp        142.58.29.9           ->     102.177.225.49               1        0           94            0   URH
>    19:47:08.206214             man           33620040      0               3228143616 838861        2        0   3228143616   3758104544   SHT
>
>%ra3 -r count3.argus -n
>    15:30:31.581086     I       tcp     102.177.225.49.47229     ->     142.58.222.231.54481         1        0           66            0   REQ
>    15:30:36.583786            icmp        142.58.29.9           ->     102.177.225.49               1        0           86            0   URH
>    19:46:57.630528             man                  0      0                       29      1        2        3           29      1462760   STP
>%
>
>	Note argus 3.0 is saying icmp length is 86 where 2.0.6 thinks it's 94
>(tcpdump reports 60, but I expect that's less headers and my sniffer machine
>ate its power supply yesterday and is thus hors-de-combat for telling me what's
>really going on, but I suspect 2.0.6 is correct because I verified all the
>counts there against tcpdump output :-)). Since it's a harmless attack with no
>response I'll add count.tcp to this message for debugging.
>	With state and direction checking suppressed the large 2.0.6 file does
>fine (at least all the complaints are either explained or 2.0.6 bugs :-)):
>
>esp processing changed in 3.0 making this OK (it won't detect retransmits any
>more I don't think):
>
>flgs2 = s
>flgs32 =
>
>line: 1026 fields in error: flgs,
>1151432430.055001,1151433528.697155,1,1098.642154,1098.642154,208.38.3.62,142.58
>.213.62,esp,0,16248,0,0,52,0,1385072,0,1193096,0,5052,0,10085.70,0.00,4.60,0.00,
>0.0000,0.0000,3848370891,qs,0:11:88:5:5d:1d,0:10:db:73:dd:51,->,841639.000000,,I
>NT,s[16]="x?`X4........v$.",,,,7469,,,0x0200,,0x5b5f
>1151432430.055001,1151433528.697155,1,1098.642154,1098.642212,208.38.3.62,142.58
>.213.62,esp,,1532968824,0,,52,,1385072,0,1193096,0,5052,0,10085.700,0.000,4.598,
>0.000,0,0,229.97.122.203, v       ,0:11:88:5:5d:1d,0:10:db:73:dd:51,->,841639.00
>0000,,INT,s[16]="x?`X4........v$.",,,,7469,,,0x0200,,0x5b5f,
>
>2.0.6 field length bug (truncates the hex)
>
>sport 0xe 232
>dport 0xe 232
>
>line: 18705 fields in error: dport,sport,
>1151432461.841994,1151432461.841994,1,0.000000,0.000000,0:9:6b:b7:9c:10,3:0:8:0:
>0:0,llc,0xe,0xe,,,,,64,0,43,0,1,0,0.00,0.00,inf,0.00,0.0000,0.0000,3848370891,q,
>0:9:6b:b7:9c:10,3:0:8:0:0:0,->,,,INT,s[16]="..CC............",,,,21725,,,0x8200,
>,
>1151432461.841994,1151432461.841994,1,0.000000,0.000000,0:9:6b:b7:9c:10,3:0:8:0:
>0:0,llc,0xe8,0xe8,,,,,64,0,43,0,1,0,0.000,0.000,0.000,0.000,0,0,229.97.122.203,
>v       ,0:9:6b:b7:9c:10,3:0:8:0:0:0,->,,,INT,s[16]="..CC............",,,,21725,
>,,0x8200,,,
>
>2.0.6 suppressed 65535 port number (used as a flag as I recall)
>
>sport  65535
>
>line: 80205 fields in error: sport,
>1151432633.891051,1151432633.891051,1,0.000000,0.000000,64.231.58.119,142.58.65.
>252,udp,,5436,0,0,113,0,109,0,63,0,1,0,0.00,0.00,inf,0.00,0.0000,0.0000,38483708
>91,q,0:11:88:5:5d:1d,0:14:51:7a:b:b1,->,,,INT,s[16]="...A...&....N.t.",,,,62171,
>,,0x0286,,0x16f2
>1151432633.891051,1151432633.891051,1,0.000000,0.000000,64.231.58.119,142.58.65.
>252,udp,65535,5436,0,,113,,109,0,63,0,1,0,0.000,0.000,0.000,0.000,0,0,229.97.122
>.203, v       ,0:11:88:5:5d:1d,0:14:51:7a:b:b1,->,,,INT,s[16]="...A...&....N.t."
>,,,,62171,,,0x0286,,0x16f2,
>
>a 3.0 sort field trade off, overwrites the E flag with the D flag. The correct
>data for both is in the 3.0 argus record and another client can extract it if 
>you need it.
>
>flgs2 = E
>flgs32 =
>
>line: 111474 fields in error: flgs,
>1151432739.311116,1151432742.431802,1,3.120686,3.120686,142.58.211.84,205.188.21
>2.249,tcp,59972,80,0,0,255,255,1586,1467,1160,1111,7,6,4065.77,3760.71,2.24,1.92
>,0.0000,0.0000,3848370891,qDE,0:f:1f:3:f5:79,0:11:88:5:5d:1d,->,,1218134.039513,
>RST,s[16]="GET/17789/aim/e",,0,0,124168,,,0x00d3,0x00d3,0x0000
>1151432739.311116,1151432742.431802,1,3.120686,3.120686,142.58.211.84,205.188.21
>2.249,tcp,59972,80,0,0,255,255,1586,1467,1160,1111,7,6,4065.773,3760.711,2.243,1
>.923,0,0,229.97.122.203, v D     ,0:f:1f:3:f5:79,0:11:88:5:5d:1d,->,,1218134.04,
>RST,s[16]="GET /17789/aim/e",,0,0,124168,,,0x00d3,0x00d3,0x0000,0x0000
>
>2.0.6 bug (ports should be suppressed)
>
>sport 0
>dport 0
>
>line: 150642 fields in error: dport,sport,
>1151432860.448561,1151433389.602865,1,529.154304,529.154304,10.10.10.10,255.255.
>255.255,pri-,0,0,0,0,0,0,1170,0,600,0,15,0,17.69,0.00,0.03,0.00,0.0000,0.0000,38
>48370891,q,0:9:ef:1:39:c1,ff:ff:ff:ff:ff:ff,->,,,INT,s[16]="WLANforwarding",,,,1
>70682,,,0x0286,,0x0000
>1151432860.448561,1151433389.602865,1,529.154304,529.154297,10.10.10.10,255.255.
>255.255,pri-enc,,,0,,0,,1170,0,600,0,15,0,17.689,0.000,0.028,0.000,0,0,229.97.12
>2.203, v       ,0:9:ef:1:39:c1,ff:ff:ff:ff:ff:ff,->,,,INT,s[16]="WLAN forwarding
> ",,,,170682,,,0x0286,,0x0000,
>
>int to fp roundoff errors (2.0.6 is int, 3.0 is fp)
>
>
>djit 73945.757215 73827.01
>
>line: 208131 fields in error: djit,
>1151433024.339674,1151433529.078258,1,504.738584,504.738584,142.58.62.247,66.36.
>75.14,tcp,50664,80,0,0,255,255,4433,6353,225,2215,60,59,70.26,100.69,0.12,0.12,0
>.0000,0.0000,3848370891,q,0:d:93:ea:6:66,0:11:88:5:5d:1d,->,,73945.757215,CON,s[
>16]="GET/SERVICE/SQU",,0,27,246528,,,0x0282,0x0282,0x0000
>1151433024.339674,1151433529.078258,1,504.738584,504.738586,142.58.62.247,66.36.
>75.14,tcp,50664,80,0,0,255,255,4433,6353,225,2215,60,59,70.262,100.694,0.119,0.1
>17,0,0,229.97.122.203, v       ,0:d:93:ea:6:66,0:11:88:5:5d:1d,->,,73827.01,CON,
>s[16]="GET /SERVICE/SQU",,0,27,246528,,,0x0282,0x0282,0x0000,0x0000
>
>srate 3018666666.67 3018666496.000
>
>line: 233600 fields in error: srate,
>1151433105.350181,1151433105.350187,1,0.000006,0.000006,142.58.160.80,156.26.176
>.107,udp,26635,48056,0,0,128,0,2264,0,2172,0,2,0,3018666666.67,0.00,333333.33,0.
>00,0.0000,0.0000,3848370891,q,0:12:3f:98:40:82,0:11:88:5:5d:1d,->,,,INT,s[16]=".
>-?.S.....!.u.6.",,,,280338,,,0x8200,,0xbb94
>1151433105.350181,1151433105.350187,1,0.000006,0.000006,142.58.160.80,156.26.176
>.107,udp,26635,48056,0,,128,,2264,0,2172,0,2,0,3018666496.000,0.000,333333.312,0
>.000,0,0,229.97.122.203, v       ,0:12:3f:98:40:82,0:11:88:5:5d:1d,->,,,INT,s[16
>]=".-?.S.....!.u.6.",,,,280338,,,0x8200,,0xbb94,
>
>and that's it out of some 360,000 records. When we re-enable state and direction
>checking things are a little more exciting, but not necessarily wrong :-)
>(igmp isn't connected for instance):
>
>line: 7 fields in error: dir,
>1151432428.834980,1151432968.849102,1,540.014122,540.014122,142.58.206.16,142.58
>.202.108,tcp,524,1434,0,0,128,128,4270036130,91141044,4095125356,4541942,3015703
>,1493083,63258140.20,1350202.38,5584.49,2764.90,0.0007,0.0000,3848370891,qs,0:f:
>1f:f8:c4:c1,0:11:88:5:5d:1d,?>,1278.000000,3716.553425,CON,s[16]=".Y....&!..:KLJ
>j(",d[16]="DmdT...1........",21344,17520,8541,,,0x80ce,0x80ca,0xfee9
>1151432428.834980,1151432968.849102,1,540.014122,540.014099,142.58.206.16,142.58
>.202.108,tcp,524,1434,0,0,128,128,4270036130,91141044,4095125356,4541942,3015703
>,1493083,63258144.000,1350202.375,5584.489,2764.896,0,0,229.97.122.203, vs
>,0:f:1f:f8:c4:c1,0:11:88:5:5d:1d,<?>,1278.000000,3716.47,CON,s[16]=".Y....&!..:K
>LJj(",d[16]="DmdT...1........",21344,17520,8541,,,0x80ce,0x80ca,0xfee9,0xfee9
>
>
>line: 23 fields in error: dir,
>1151432428.836459,1151433529.824857,1,1100.988398,1100.988398,142.58.155.79,142.
>58.167.63,tcp,1030,445,0,0,255,255,7324703,34375869,3834611,30963787,60174,58829
>,53222.74,249781.88,54.65,53.43,0.0299,0.0068,3848370891,q*,0:b:db:49:f6:39,0:11
>:88:5:5d:1d,?>,31.787992,561892.517921,CON,s[16]="...;.SMB........",d[16]="...<.
>SMB........",17520,16766,8549,,,0x0200,0x8200,0x93ab
>1151432428.836459,1151433529.824857,1,1100.988398,1100.988403,142.58.155.79,142.
>58.167.63,tcp,1030,445,0,0,255,255,7324703,34375869,3834611,30963787,60174,58829
>,53222.742,249781.875,54.655,53.433,0,0,229.97.122.203, v*      ,0:b:db:49:f6:39
>,0:11:88:5:5d:1d,<?>,31.541513,561892.47,CON,s[16]="...;.SMB........",d[16]="...
><.SMB........",17520,16766,8549,,,0x0200,0x8200,0x93ab,0x93ab
>
>state TIM CON
>
>line: 31 fields in error: state,dir,
>1151432428.840442,1151433509.016300,1,1080.175858,1080.175858,142.58.235.103,142
>.58.103.117,tcp,1660,445,0,0,128,0,580,0,0,0,10,0,4.30,0.00,0.01,0.00,0.0000,0.0
>000,3848370891,q,0:14:22:56:d6:dd,0:11:88:5:5d:1d,<?>,,,TIM,,,0,0,756,,,0x8200,,
>0xbdef
>1151432428.840442,1151433509.016300,1,1080.175858,1080.175903,142.58.235.103,142
>.58.103.117,tcp,1660,445,0,,128,,580,0,0,0,10,0,4.296,0.000,0.009,0.000,0,0,229.
>97.122.203, v       ,0:14:22:56:d6:dd,0:11:88:5:5d:1d,?>,,,CON,,,0,,756,,,0x8200
>,,0xbdef,
>
>state CON INT
>
>line: 42 fields in error: state,
>1151432428.847329,1151432439.757887,1,10.910558,10.910558,142.58.200.252,224.0.0
>.22,igmp,34,0,192,0,1,0,174,0,48,0,3,0,127.58,0.00,0.27,0.00,0.0000,0.0000,38483
>70891,q,0:e0:81:20:c3:4c,1:0:5e:0:0:16,->,,,CON,s[16]=""...............",,,,8887
>,,,0x0200,,0x0000
>1151432428.847329,1151432439.757887,1,10.910558,10.910558,142.58.200.252,224.0.0
>.22,igmp,,,192,,1,,174,0,48,0,3,0,127.583,0.000,0.275,0.000,0,0,229.97.122.203,
>v       ,0:e0:81:20:c3:4c,1:0:5e:0:0:16,->,,,INT,s[16]=""...............",,,,888
>7,,,0x0200,,0x0000,
>
>
>line: 52 fields in error: dir,
>1151432428.851530,1151433240.526740,1,811.675210,811.675210,142.58.71.99,142.58.
>217.166,tcp,49152,1935,0,0,255,255,79657946,6850292,71822216,9962,111939,97719,7
>85121.39,67517.57,137.91,120.39,0.0036,0.0000,3848370891,qs,0:11:24:a8:11:b2,0:1
>1:88:5:5d:1d,?>,5055.000000,33915.787004,CON,s[16]="K.....h.".......",d[16]="...
>...........%6",65535,34752,8586,,,0x0200,0x8288,0x8b92
>1151432428.851530,1151433240.526740,1,811.675210,811.675232,142.58.71.99,142.58.
>217.166,tcp,49152,1935,0,0,255,255,79657946,6850292,71822216,9962,111939,97719,7
>85121.375,67517.562,137.911,120.392,0,0,229.97.122.203, vs      ,0:11:24:a8:11:b
>2,0:11:88:5:5d:1d,<?>,5055.000000,33915.32,CON,s[16]="K.....h.".......",d[16]=".
>.............%6",65535,34752,8586,,,0x0200,0x8288,0x8b92,0x8b92
>
>
>Peter Van Epp / Operations and Technical Support 
>Simon Fraser University, Burnaby, B.C. Canada
>  
>
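Carter's point above is that loss on esp traffic is reported from gaps in the ESP sequence number, since ESP has no retransmits. The following is an added example of such a per-SPI counter, not argus's code: the reorder window size, the floor/out-of-window handling and the sample sequence are assumptions constructed for this illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field
WINDOW = 64  # how far behind the highest number a late packet may still arrive

@dataclass
class EspFlowState:
    # Per-SPI counters derived from the ESP sequence numbers seen on the wire.
    floor: int | None = None        # first sequence number seen for this SPI
    highest: int | None = None      # highest sequence number seen so far
    seen: set[int] = field(default_factory=set)  # numbers inside the reorder window
    lost: int = 0                   # sequence slots never filled by any packet
    reordered: int = 0              # late arrivals that filled a slot counted as lost
    duplicates: int = 0             # repeats: ESP has no retransmits, so an anomaly
    out_of_window: int = 0          # too old (or before flow start) to classify

def observe(state: EspFlowState, seq: int) -> EspFlowState:
    """Fold one observed ESP sequence number into the flow state (assumes the
    32-bit counter does not wrap inside the window; ESN handling is left out)."""
    if state.highest is None or state.floor is None:
        state.floor = state.highest = seq
        state.seen.add(seq)
        return state
    if seq > state.highest:
        # Every number skipped between the old highest and seq is provisionally lost.
        state.lost += seq - state.highest - 1
        state.highest = seq
        state.seen.add(seq)
        # Drop numbers that left the reorder window so the set stays bounded.
        state.seen = {s for s in state.seen if s > state.highest - WINDOW}
    elif seq in state.seen:
        state.duplicates += 1
    elif seq >= state.floor and seq > state.highest - WINDOW:
        # A late packet fills a slot that was counted as lost when highest advanced.
        state.lost -= 1
        state.reordered += 1
        state.seen.add(seq)
    else:
        state.out_of_window += 1
    return state

def count_esp_loss(seqs: list[int]) -> EspFlowState:
    """Run observe() over a captured list of sequence numbers for one SPI."""
    state = EspFlowState()
    for seq in seqs:
        observe(state, seq)
    return state

if __name__ == "__main__":
    # Constructed sample: 8 and 9 skipped, 8 arrives late, 11 is repeated.
    print(count_esp_loss([5, 6, 7, 10, 8, 11, 11, 12]))
```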