new code on the server

Peter Van Epp vanepp at sfu.ca
Mon May 14 19:04:41 EDT 2007 

	I tcpdumped a bit less than an hour (and a bit less than 2 gigs :-)
full duplex tcpdump file for testing on intel and ppc (for endian issues).
It looks like two file processing (i.e. argus -r eth2 -r eth3) doesn't match
the output from a single tcpdump file merged with tcpmerge (which is why less
than 2 gigs input files :-)). I'll see if I can get time to create a releasable
test file for that one.
	As well there looks to be a difference in port lists between the two
architectures (due to forgetting to put the -n on the ra command):

both.ppc.ra.out

07-05-14 08:09:00  e          udp      206.12.16.133.43003     ->      129.240.67.15.43003         1        0          912            0   INT
07-05-14 08:09:00  e s        tcp      206.12.16.134.ndl-aa    ->     198.32.154.186.46133         4        3          272          222   FIN
07-05-14 08:09:00  e         icmp     217.153.194.26           ->      206.12.16.134               5        0          350            0   URH

both.intel.ra.out  (FreeBSD leaves ndl-aa as port 3128 for some reason):

07-05-14 08:09:00  e          udp      206.12.16.133.43003     ->      129.240.67.15.43003         1        0          912            0   INT
07-05-14 08:09:00  e s        tcp      206.12.16.134.3128      ->     198.32.154.186.46133         4        3          272          222   FIN

although it still breaks with the -n added (just much later :-)):

both.ppc.ra.out:

07-05-14 08:13:36  e          tcp    205.167.120.201.14084     ->     142.58.211.125.80            9        8         1112         4999   FIN

both.intel.ra.out:  (flags has an s that the other doesn't)

07-05-14 08:13:36  e s        tcp    205.167.120.201.14084     ->     142.58.211.125.80            9        8         1112         4999   FIN

	in theory these two should be identical (although at this point its
unclear if this is an argus or client issue). It looks like we are clear of
endian issues at this time, but I guess I'll have to manually edit the s in
to the ppc output and continue the compare to be sure :-). It may be an 
argus issue because I'd expect the two argus files to be identical and they
are not:

-rw-r--r-- 1 vanepp users 36836072 2007-05-14 16:01 both.intel.argus
-rw-r--r-- 1 vanepp users 36836008 2007-05-14 12:59 both.ppc.argus

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

More information about the argus mailing list