Printing Country Codes

Fri Jan 4 22:09:21 EST 2008

Carter,

With the provided patch ra is printing country codes correctly.  Ralabel 
is giving odd results when using "-nnn". 

ralabel -r mydump.argus -s +sco +dco

     http://ece.uprm.edu/~pablor/ralabel.out

ralabel -nnnr mydump.argus -s +sco +dco

     http://ece.uprm.edu/~pablor/ralabel-nnn.out

Files differ on lines 16, 20, 27, and 28.

Ratop isn't categorizing IPs properly.

     http://ece.uprm.edu/~pablor/ratop.out

I got the same results by compiling argus clients on Ubuntu, OpenBSD, 
and Solaris.  I'm using the following example dump file.

     http://ece.uprm.edu/~pablor/country_codes_test.tar.gz

Best regards,

Pablo J. Rebollo

Pablo J. Rebollo-Sosa wrote:
> Carter,
>
> Now Argus is able to associate networks correctly.  I'm using and old 
> Dell Precision 360 with a P4 3.2 GHz for testing.  I will perform more 
> tests over the weekend.
>
> Best regards,
>
> Pablo J. Rebollo
>
> Carter Bullard wrote:
>> Hey Pablo,
>> Here is a fix for our country code printing problem.  I suspect that 
>> you're
>> on a modern 64-bit machine (or 64-bit capable), as I saw this on my
>> Intel Duo Core whatever Linux RedHat machine.   Seems that there
>> is a really bizarre compiler bug dealing with bit shifting operators and
>> 32-bit values, at least thats what it looks like to me.
>>
>> Didn't see this problem on my G5 or earlier Intel machines.
>>
>> Replace the ./common/argus_client.c file with the one included in
>> this email, recompile and give it a try.   Lots of changes, and didn't
>> know if you were comfortable with patch.1.
>>
>> If its cool I'll put it up on the server today.
>>
>> Carter
>>
>>
>>
>>
>>
>>>>
>>>> On Dec 29, 2007, at 1:04 PM, Pablo.Rebollo at ece.uprm.edu wrote:
>>>>> Hi,
>>>>>
>>>>> I was testing country codes feature and found that isn't working 
>>>>> properly.
>>>>> Here is an example:
>>>>>
>>>>> root at nsm:~# ralabel -n -S localhost -T 1 -s sco dco saddr sport daddr
>>>>> dport - udp and port domain
>>>>> sCo dCo            SrcAddr  Sport            DstAddr  Dport
>>>>> EU  EU    136.145.115.194.48782        136.145.57.3.53
>>>>> EU  SE       136.145.57.3.35421      194.146.106.42.53
>>>>> EU           136.145.57.3.35421          137.39.1.3.53
>>>>> EU  PT       136.145.57.3.35421        193.136.7.17.53
>>>>> EU  NL       136.145.57.3.35421      193.239.90.130.53
>>>>> EU  RU       136.145.57.3.35421         194.67.57.4.53
>>>>> EU           136.145.57.3.35421      63.209.144.178.53
>>>>> FR  EU     193.252.149.16.32780        136.145.57.3.53
>>>>>    EU      216.40.221.10.1029         136.145.58.3.53
>>>>> ...
>>>>> ...
>>>>>
>>>>> I found the following:
>>>>>
>>>>> 1) Network 136.145.0.0/16 has been associated to EU and not to PR.
>>>>> 2) Network 137.39.0.0/16 hasn't been associated to US.
>>>>> 3) Network 63.208.0.0/13 hasn't been associated to US.
>>>>> 4) Network 216.40.192.0/18 hasn't been associated to US.
>>>>>
>>>>> I ran ragetcountrycodes.sh to generate a new delegated-ipv4-latest 
>>>>> file
>>>>> and got the same results.
>>>>>
>>>>> Best regards,
>>>>>
>>>>> Pablo J. Rebollo
>>>>>
>>>>> ----
>>>>>> From delegated-ipv4-latest:
>>>>> delegated-arin-latest:arin|PR|ipv4|136.145.0.0|65536|19890829|assigned 
>>>>>
>>>>> delegated-arin-latest:arin|US|ipv4|137.39.0.0|65536|19891025|assigned
>>>>> delegated-arin-latest:arin|US|ipv4|63.208.0.0|524288|19990528|allocated 
>>>>>
>>>>> delegated-arin-latest:arin|US|ipv4|216.40.192.0|16384|20001005|allocated 
>>>>>
>>>>>
>>>>>
>>>