new code on the server

Carter Bullard carter at qosient.com
Mon May 14 23:11:11 EDT 2007 

Hey Peter,
Well, the drop indication flag for TCP is in a 32-bit tcp status  
value, so it could
be a little endian issue in the ArgusTcpObject.  For those specific  
records,
does the sloss field have any numbers in them?

Carter


On May 14, 2007, at 7:04 PM, Peter Van Epp wrote:

> 	I tcpdumped a bit less than an hour (and a bit less than 2 gigs :-)
> full duplex tcpdump file for testing on intel and ppc (for endian  
> issues).
> It looks like two file processing (i.e. argus -r eth2 -r eth3)  
> doesn't match
> the output from a single tcpdump file merged with tcpmerge (which  
> is why less
> than 2 gigs input files :-)). I'll see if I can get time to create  
> a releasable
> test file for that one.
> 	As well there looks to be a difference in port lists between the two
> architectures (due to forgetting to put the -n on the ra command):
>
> both.ppc.ra.out
>
> 07-05-14 08:09:00  e          udp      206.12.16.133.43003     - 
> >      129.240.67.15.43003         1        0           
> 912            0   INT
> 07-05-14 08:09:00  e s        tcp      206.12.16.134.ndl-aa    - 
> >     198.32.154.186.46133         4        3          272           
> 222   FIN
> 07-05-14 08:09:00  e         icmp     217.153.194.26           - 
> >      206.12.16.134               5        0           
> 350            0   URH
>
> both.intel.ra.out  (FreeBSD leaves ndl-aa as port 3128 for some  
> reason):
>
> 07-05-14 08:09:00  e          udp      206.12.16.133.43003     - 
> >      129.240.67.15.43003         1        0           
> 912            0   INT
> 07-05-14 08:09:00  e s        tcp      206.12.16.134.3128      - 
> >     198.32.154.186.46133         4        3          272           
> 222   FIN
>
> although it still breaks with the -n added (just much later :-)):
>
> both.ppc.ra.out:
>
> 07-05-14 08:13:36  e          tcp    205.167.120.201.14084     - 
> >     142.58.211.125.80            9        8         1112          
> 4999   FIN
>
> both.intel.ra.out:  (flags has an s that the other doesn't)
>
> 07-05-14 08:13:36  e s        tcp    205.167.120.201.14084     - 
> >     142.58.211.125.80            9        8         1112          
> 4999   FIN
>
> 	in theory these two should be identical (although at this point its
> unclear if this is an argus or client issue). It looks like we are  
> clear of
> endian issues at this time, but I guess I'll have to manually edit  
> the s in
> to the ppc output and continue the compare to be sure :-). It may  
> be an
> argus issue because I'd expect the two argus files to be identical  
> and they
> are not:
>
> -rw-r--r-- 1 vanepp users 36836072 2007-05-14 16:01 both.intel.argus
> -rw-r--r-- 1 vanepp users 36836008 2007-05-14 12:59 both.ppc.argus
>
> Peter Van Epp / Operations and Technical Support
> Simon Fraser University, Burnaby, B.C. Canada
>

Carter Bullard
CEO/President
QoSient, LLC
150 E. 57th Street Suite 12D
New York, New York 10022

+1 212 588-9133 Phone
+1 212 588-9134 Fax


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20070514/e9033588/attachment.html>

More information about the argus mailing list