new rc.38 code available on the server

Carter Bullard carter at qosient.com
Thu Jan 25 11:13:10 EST 2007


Hey Robin,
Sorry about that, this patch fixes the bug.  I'll have it in rc.39 when it
goes up today/tomorrow.  It was in the new non-blocking DNS code.  The only
program that uses it by default is ratop(), but the library got the problem.

Carter

==== //depot/argus/clients/common/argus_util.c#50 - /home/carter/ 
argus/clients/common/argus_util.c ====
9832a9833
 >       addr = htonl(addr);
9833a9835
 >       addr = ntohl(addr);
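Review bot: The `addr = ntohl(addr);` added at 9835 exists only to undo the `addr = htonl(addr);` added at 9833, so `addr` sits in network order for the one line between them, and any early return or `goto` later inserted there would leave it swapped for the rest of the function. Converting into a separate local of the same type and passing that to the intervening statement would remove the need to restore `addr` at all.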
9877d9878
<                      addr = htonl(addr);
9880a9882
 >                      addr = htonl(addr);
9881a9884,9885
 >                      addr = ntohl(addr);
 >
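Review bot: Missing documentation at 9882-9885: the `htonl` deleted at 9877 is re-added three lines further down and paired with a new `ntohl`, but nothing records why the statements in between now need `addr` in host order. A one-line comment saying which byte order `addr` carries on entry and which order the wrapped statement expects would keep a later edit from moving the swap again.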
9901,9904c9905,9909
<                   if (p->status != ARGUS_PENDING) {
<                      struct ArgusListObjectStruct *list;
<                      if ((list = ArgusCalloc(1, sizeof(*list))) ==  
NULL)
<                         ArgusLog(LOG_ERR, "ArgusCalloc: error %s",  
strerror(errno));
---
 >                   if (ArgusParser->NonBlockingDNS) {
 >                      if (p->status != ARGUS_PENDING) {
 >                         struct ArgusListObjectStruct *list;
 >                         if ((list = ArgusCalloc(1, sizeof(*list)))  
== NULL)
 >                            ArgusLog(LOG_ERR, "ArgusCalloc: error % 
s", strerror(errno));
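Review bot: The `ArgusCalloc` NULL check in this hunk only calls `ArgusLog(LOG_ERR, ...)`, and the next hunk writes `list->obj` unconditionally, so the path is safe only if `ArgusLog` never returns for `LOG_ERR`. If that is the contract, a short comment here would make it explicit; if not, the failure branch should skip the `list->obj` assignment and the `ArgusPushBackList` call. The new `if (ArgusParser->NonBlockingDNS)` guard would also benefit from a comment stating that lookups are queued on `ArgusNameList` only in non-blocking mode.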
9906,9908c9911,9914
<                      list->obj = (void *) addr;
<                      ArgusPushBackList(ArgusParser->ArgusNameList,  
(struct ArgusListRecord *)list, ARGUS_LOCK);
<                      p->status = ARGUS_PENDING;
---
 >                         list->obj = (void *) addr;
 >                         ArgusPushBackList(ArgusParser- 
 >ArgusNameList, (struct ArgusListRecord *)list, ARGUS_LOCK);
 >                         p->status = ARGUS_PENDING;
 >                      }
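Review bot: `list->obj = (void *) addr;` stores an integer in a pointer slot; `addr` is passed through `htonl`/`ntohl` elsewhere in this patch, so it is a 32-bit value and the cast changes width on LP64 builds. Casting through `uintptr_t` (or `unsigned long`) here and converting back the same way in whatever consumes `ArgusNameList` would make the round trip well defined, and since the bug being fixed is a byte-order one, a comment naming the byte order of the value stored in `obj` is worth adding at this line.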



On Jan 25, 2007, at 10:54 AM, Carter Bullard wrote:

> Hey Robin,
> I found it.  It's in the clients.  I'll fix it right now!!!
> Carter
>
> On Jan 25, 2007, at 9:14 AM, Robin Gruyters wrote:
>
>> It looks like the order has changed. The IP addresses are backwards.
>>
>> 2.0.4.10 => 10.4.0.2
>> 3.0.5.10 => 10.5.0.3
>> 4.0.5.10 => 10.5.0.4
>> etc...
>>
>> Regards,
>>
>> Robin
>>
>> Quoting Carter Bullard <carter at qosient.com>:
>>
>>> Hey Robin,
>>> Hmmmmm, not sure what the data is supposed to look like?
>>>
>>> For your racluster() call, you have to have the 'proto' in the flow model
>>> definition for the 'dport' to have any meaning (needs to see that the
>>> proto field is ip, and tcp or udp or icmp or whatever).
>>>
>>>     racluster -m saddr daddr proto dport -s  saddr daddr ....
>>>
>>> What is notably wrong with the output?
>>> How are things on your side of the planet?
>>>
>>> Carter
>>>
>>>
>>> On Jan 25, 2007, at 3:51 AM, Robin Gruyters wrote:
>>>
>>>> uuuh, don't know what has changed since the last release (37), but my
>>>> output is completely f***ed up.
>>>>
>>>> [...]
>>>> $ racluster -m saddr daddr dport -s saddr daddr dport sbytes dbytes -r sql.arg.bz2
>>>>           SrcAddr            DstAddr  Dport     SrcBytes     DstBytes
>>>>          2.0.4.10           4.0.5.10            28676799     26842218
>>>>          3.0.5.10           4.0.5.10          3106821685   3393005959
>>>>          4.0.5.10           5.0.5.10                  60           66
>>>>          4.0.5.10           5.0.5.10                 300          330
>>>>          4.0.5.10           5.0.5.10                1500         1650
>>>>          5.0.5.10           4.0.5.10            80051933     97657330
>>>> [...]
>>>>
>>>> Same goes for ra(1)
>>>> [...]
>>>> $ ra -nnr sql.arg.bz2 - 'ip'
>>>>               StartTime    Flgs   Proto      SrcAddr  Sport    Dir      DstAddr  Dport  SrcPkts  DstPkts     SrcBytes     DstBytes State
>>>> 07-01-20 01:00:08.217335               6     5.0.5.10.50941    <?>     4.0.5.10.5432       10        8         2339         2805   CON
>>>> 07-01-20 01:00:15.507527               6     5.0.5.10.50941    <?>     4.0.5.10.5432       14       12         2424         2890   CON
>>>> 07-01-20 01:00:13.430267               6     3.0.5.10.59695    <?>     4.0.5.10.5432        4        4          797         1244   CON
>>>> [...]
>>>>
>>>> Regards,
>>>>
>>>> Robin Gruyters
>>>> Network and Security Engineer
>>>> Yirdis B.V.
>>>> I: http://yirdis.com
>>>> P: +31 (0)36 5300394
>>>> F: +31 (0)36 5489119
>>>>
>>>>
>>>> Quoting Carter Bullard <carter at qosient.com>:
>>>>
>>>>> Gentle people,
>>>>> New code is on the server for testing.
>>>>>
>>>>>   ftp://qosient.com/dev/argus-3.0
>>>>>
>>>>> This fixes most of the issues on the list.  The things still left to
>>>>> implement are:
>>>>>   management record content verification/printing/etc....
>>>>>   extend netflow support to version 7, 8
>>>>>
>>>>> Hope all is most excellent, and thanks for all the efforts!!!
>>>>>
>>>>> Carter
>>>>
>>>>
>>>>
>>
>>
>>
>
