rc.29 testing

Peter Van Epp vanepp at sfu.ca
Thu Sep 14 11:00:53 EDT 2006


On Thu, Sep 14, 2006 at 12:04:24AM -0400, Carter Bullard wrote:
> Hey Peter,
> ICMP length issue fixed.  

	great!

> Not sure about your comment on esp traffic.  We definitely should be
> reporting loss for esp traffic, (there are no esp retransmits, just detected
> dropped packets, based on the esp sequence number).

	This is a 2.0.6 to 3.0 issue I think (I haven't looked for esp on a 3.0
capture yet). The 3.0 ra doesn't have any code to deal with the retransmit 
flags in the 2.0.6 record in the case of esp. I took it from your earlier 
comment that this is how it should be in 3.0:

>
> I changed the entire approach to esp and so it doesn't have a
> sport value anymore (uni-directional flow, only one sap, the spi
> field).   I print the spi, which is a 32-bit value, in the dport field,
> so it can get big.   I suspect mismatches in flow identifiers for
> esp are going to happen.
>

> We aren't suppressing 'special' port values as there are no special port
> numbers any longer.  So if it's 65535, then that's what we saw on the wire.

	Yep, that's what I figured which is why this is a 2.0.6 issue and 
correct in 3.0. 

> So I have redefined the flags character offsets, and put them in the new ra.1
> man page, but I'm still using the older mapping.  Check out the man page
> for flag printing, to see if it works for you.  If so I'll flip the method for
> printing, but then it won't be backward compatible at all.

	I'll have a look at the new scheme, but the old one works for me if it
makes sorting better, as noted we just need to document somewhere that there
is more data available in the underlying record in case someone wants it. 

> 
> The new dir fields, where v.2 printed "?>" but v.3 prints "<?>", v.3
> will print a '<' or '>' if there are dst or src packet counts, respectively.
> (I think v.2 is broken here).

	That's what I suspected too, I just haven't had time to poke at it 
very closely. The icmp count was the only serious problem I saw on rc.29 so 
far :-).
	I also need to figure out how to convince configure to add -m64 -fPIC
on my IBMs so I don't need to do it manually :-).
	It also looks like (Apple willing) that I'm going to end up with a 
dual CPU dual core Mac G5 which will be the same configuration as the IBMs
(except Power5 processors instead of 970s in the IBMs). That should mean I 
can see if there is a performance increase from the 970 to the Power5. 

> 
> Carter
>

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada
