Time Issue on OpenBSD 4.2 with rc.69 (Was: Re: Sparc64 OpenBSD4.1 Compile issue)
Carter Bullard
carter at qosient.com
Mon Feb 11 16:02:26 EST 2008
So argus creates a socket using these hints:
ai_family = PF_UNSPEC
ai_socktype = SOCK_STREAM
ai_flags = AI_PASSIVE
and we open the first thing we get, which comes up as IPv6, in some cases.
I suspect that we should open all the address families that are returned, rather than just the first one. So any problem with having a listen down on both IPv4 and IPv6?
I'll add that now.
Any chance you could test the Solaris machines you have? If you have a native Solaris compiler, try "./configure --without-gcc" to get it to go with cc.
Carter
On Feb 11, 2008, at 3:22 PM, Peter Van Epp wrote:
> Rather than reinvent the wheel (and/or read the email chain :-)) did you have to do something to IP V6 to make argus work? My argus seems to only open an IP V6 listener not V4 and ra on FreeBSD gets connection refused.
> My first thought was firewall but that seems to be already disabled and the problem is no V4 listener:
>
> Active Internet connections (including servers)
> Proto Recv-Q Send-Q Local Address Foreign Address (state)
> tcp 0 0 test5.ssh test4.50010 ESTABLISHED
> tcp 0 0 test5.ssh test4.49962 ESTABLISHED
> tcp 0 0 localhost.submissi *.* LISTEN
> tcp 0 0 localhost.smtp *.* LISTEN
> tcp 0 0 *.ssh *.* LISTEN
> tcp 0 0 *.time *.* LISTEN
> tcp 0 0 *.daytime *.* LISTEN
> tcp 0 0 *.auth *.* LISTEN
> Active Internet connections (including servers)
> Proto Recv-Q Send-Q Local Address Foreign Address (state)
> tcp6 0 0 *.560 *.* LISTEN
> ...
>
> Unfortunately we only have Solaris on any of the 64 bit Suns but I have Suse on 64 bit machines.
>
> Peter Van Epp / Operations and Technical Support
> Simon Fraser University, Burnaby, B.C. Canada
>
>
> On Mon, Feb 11, 2008 at 02:12:50PM -0600, Eric Pancer wrote:
>> On Mon, 2008-02-11 at 11:46:19 -0800, Peter Van Epp proclaimed...
>>
>>> Local seems to work fine which may point to the socket code:
>>>
>>> # argus -d -i rl0 -w test.argus
>>> # ra -r test.argus -n
>>
>> [snip]
>>
>>> time is wrong but that's the machine :-) and I don't have Eric's patches in so ratop didn't build (but ra appears to have).
>>>
>>
>> Yes, we have good time from the file here too! (i386)
>>
>> ra -nr foo.cap <
>> 2008-02-11 14:08:1 * llc 0:d:29:4b:c:26.66 -> 1:80:c2:0:0:0.66 60 3720 INT
>> 2008-02-11 14:08:2 e tcp 10.154.223.177.22 <?> 10.154.223.223.3737 24 2520 CON
>> 2008-02-11 14:08:2 e d tcp 10.154.223.223.2324 <?> 10.154.223.177.22 408 43104 CON
>> 2008-02-11 14:08:2 e udp 10.154.223.3.1985 -> 224.0.0.2.1985 13 806 INT
>> 2008-02-11 14:08:2 e udp 10.154.223.2.1985 -> 224.0.0.2.1985 13 806 INT
>> 2008-02-11 14:08:2 * udp 10.154.198.3.1985 -> 224.0.0.2.1985 14 924 INT
>> 2008-02-11 14:08:2 * udp 10.154.198.2.1985 -> 224.0.0.2.1985 14 924 INT
>> 2008-02-11 14:08:2 e tcp 10.154.223.177.18056 <?> 10.152.23.39.80 4 264 FIN
>> 2008-02-11 14:08:2 e tcp 10.154.223.177.9491 <?> 10.152.23.39.80 4 264 FIN
>> 2008-02-11 14:08:2 * arp 10.154.198.3 who 10.154.198.16 9 576 INT
>> 2008-02-11 14:08:3 e tcp 10.154.223.177.18368 <?> 10.154.215.170.80 4 264 FIN
>> 2008-02-11 14:08:3 e tcp 10.154.223.177.1491 <?> 10.154.215.170.80 4 264 FIN
>> 2008-02-11 14:08:3 e d tcp 10.154.223.177.26935 -> 10.154.215.170.80 43 23269 FIN
>> 2008-02-11 14:08:3 e udp 10.154.223.177.20331 <-> 10.152.23.12.53 2 221 CON
>> 2008-02-11 14:08:3 e udp 10.154.223.177.33705 <-> 10.152.23.12.53 2 335 CON
>> 2008-02-11 14:08:3 e d tcp 10.154.223.177.35005 -> 10.154.215.170.80 23 12253 FIN
>> 2008-02-11 14:08:3 e d tcp 10.154.223.177.25924 ->
>>
>>
>> How about sparc64?
>>
>> $ date
>> Mon Feb 11 14:10:30 CST 2008
>> $ ra -nr foo.cap
>> 1970-01-08 01:18:2 e tcp 10.154.223.223.3953 ?> 10.154.223.28.22 1 60 CON
>> 1970-01-10 02:52:1 * llc 0:d:29:4b:c:25.66 -> 1:80:c2:0:0:0.66 1 60 INT
>> 1970-01-10 04:43:0 e tcp 10.154.223.223.3953 ?> 10.154.223.28.22 1 106 CON
>> 1970-01-10 04:56:2 e tcp 10.154.223.28.22 ?> 10.154.223.223.3953 1 106 CON
>> 1970-01-11 14:44:3 e tcp 10.154.223.223.3953 ?> 10.154.223.28.22 1 60 CON
>> 1970-01-01 02:55:5 e tcp 10.154.223.223.3953 ?> 10.154.223.28.22 1 106 CON
>> 1970-01-01 03:08:2 e tcp 10.154.223.28.22 ?> 10.154.223.223.3953 1 106 CON
>> 1970-01-01 03:12:0 e tcp 10.154.223.28.22 ?> 10.154.223.223.3953 1 106 CON
>> 1970-01-01 03:15:3 e tcp 10.154.223.223.3953 ?> 10.154.223.28.22 1 60 CON
>> 1970-01-01 19:18:1 e udp 10.154.223.2.1985 -> 224.0.0.2.1985 1 62 INT
>> 1970-01-02 21:08:4 e tcp 10.154.223.223.3953 ?> 10.154.223.28.22 1 106 CON
>> 1970-01-02 21:21:5 e tcp 10.154.223.28.22 ?> 10.154.223.223.3953 1 106 CON
>> 1970-01-02 21:25:2 e tcp 10.154.223.28.22 ?> 10.154.223.223.3953 1 106 CON
>> 1970-01-02 21:28:4 e tcp 10.154.223.223.3953 ?> 10.154.223.28.22 1 60 CON
>> 1970-01-04 10:54:3 e tcp 10.154.223.223.3953 ?> 10.154.223.28.22 1 106 CON
>> 1970-01-04 11:07:1 e tcp 10.154.223.28.22 ?> 10.154.223.223.3953 1 106 CON
>> 1970-01-04 11:10:4 e tcp 10.154.223.28.22 ?> 10.154.223.223.3953 1 106 CON
>> 1970-01-04 11:13:5 e tcp 10.154.223.223.3953 ?> 10.154.223.28.22 1 60 CON
>>
>> Damn, no go there.
>>
>> So, taking flows from a file on i386 gives good time, but using sockets to i386 or sparc64 doesn't work. Taking flows from a file on sparc64 doesn't give good time, nor does it in taking flows from i386 or sparc64.
>>
>> - Eric
>