Printing Country Codes

Tue Jan 8 18:38:39 EST 2008

Carter,

I still having problems when using ralabel with "-nnn".  There is another
problem when using racluster to aggregate by country codes.

ralabel -r mydump.argus -w - | racluster -m sco

StartTime    Flgs  Proto            SrcAddr  Sport   Dir           
DstAddr  Dport  TotPkts   TotBytes State
08:03:57.233336  e          ip            0.0.0.0          <->           
0.0.0.0             100      14938   CON

Finally, I noticed that AfriNIC is not included into ragetcountrycodes.sh
script.

Best regards,

Pablo J. Rebollo

> Hey Pablo,
> I have made some changes that should fix these problems.
> I've uploaded the new client code, but I didn't change the version
> number yet, so if you would get the current rc.67 client distribution
> and see if it does the right thing?
>
> Thanks for all the help!!!!!!
>
> Carter
>
>
> On Jan 4, 2008, at 10:09 PM, Pablo J. Rebollo wrote:
>
>> Carter,
>>
>> With the provided patch ra is printing country codes correctly.
>> Ralabel is giving odd results when using "-nnn".
>> ralabel -r mydump.argus -s +sco +dco
>>
>>    http://ece.uprm.edu/~pablor/ralabel.out
>>
>> ralabel -nnnr mydump.argus -s +sco +dco
>>
>>    http://ece.uprm.edu/~pablor/ralabel-nnn.out
>>
>> Files differ on lines 16, 20, 27, and 28.
>>
>> Ratop isn't categorizing IPs properly.
>>
>>    http://ece.uprm.edu/~pablor/ratop.out
>>
>> I got the same results by compiling argus clients on Ubuntu,
>> OpenBSD, and Solaris.  I'm using the following example dump file.
>>
>>    http://ece.uprm.edu/~pablor/country_codes_test.tar.gz
>>
>> Best regards,
>>
>> Pablo J. Rebollo
>>
>>
>> Pablo J. Rebollo-Sosa wrote:
>>> Carter,
>>>
>>> Now Argus is able to associate networks correctly.  I'm using and
>>> old Dell Precision 360 with a P4 3.2 GHz for testing.  I will
>>> perform more tests over the weekend.
>>>
>>> Best regards,
>>>
>>> Pablo J. Rebollo
>>>
>>> Carter Bullard wrote:
>>>> Hey Pablo,
>>>> Here is a fix for our country code printing problem.  I suspect
>>>> that you're
>>>> on a modern 64-bit machine (or 64-bit capable), as I saw this on my
>>>> Intel Duo Core whatever Linux RedHat machine.   Seems that there
>>>> is a really bizarre compiler bug dealing with bit shifting
>>>> operators and
>>>> 32-bit values, at least thats what it looks like to me.
>>>>
>>>> Didn't see this problem on my G5 or earlier Intel machines.
>>>>
>>>> Replace the ./common/argus_client.c file with the one included in
>>>> this email, recompile and give it a try.   Lots of changes, and
>>>> didn't
>>>> know if you were comfortable with patch.1.
>>>>
>>>> If its cool I'll put it up on the server today.
>>>>
>>>> Carter
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>>>
>>>>>> On Dec 29, 2007, at 1:04 PM, Pablo.Rebollo at ece.uprm.edu wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I was testing country codes feature and found that isn't
>>>>>>> working properly.
>>>>>>> Here is an example:
>>>>>>>
>>>>>>> root at nsm:~# ralabel -n -S localhost -T 1 -s sco dco saddr sport
>>>>>>> daddr
>>>>>>> dport - udp and port domain
>>>>>>> sCo dCo            SrcAddr  Sport            DstAddr  Dport
>>>>>>> EU  EU    136.145.115.194.48782        136.145.57.3.53
>>>>>>> EU  SE       136.145.57.3.35421      194.146.106.42.53
>>>>>>> EU           136.145.57.3.35421          137.39.1.3.53
>>>>>>> EU  PT       136.145.57.3.35421        193.136.7.17.53
>>>>>>> EU  NL       136.145.57.3.35421      193.239.90.130.53
>>>>>>> EU  RU       136.145.57.3.35421         194.67.57.4.53
>>>>>>> EU           136.145.57.3.35421      63.209.144.178.53
>>>>>>> FR  EU     193.252.149.16.32780        136.145.57.3.53
>>>>>>>   EU      216.40.221.10.1029         136.145.58.3.53
>>>>>>> ...
>>>>>>> ...
>>>>>>>
>>>>>>> I found the following:
>>>>>>>
>>>>>>> 1) Network 136.145.0.0/16 has been associated to EU and not to
>>>>>>> PR.
>>>>>>> 2) Network 137.39.0.0/16 hasn't been associated to US.
>>>>>>> 3) Network 63.208.0.0/13 hasn't been associated to US.
>>>>>>> 4) Network 216.40.192.0/18 hasn't been associated to US.
>>>>>>>
>>>>>>> I ran ragetcountrycodes.sh to generate a new delegated-ipv4-
>>>>>>> latest file
>>>>>>> and got the same results.
>>>>>>>
>>>>>>> Best regards,
>>>>>>>
>>>>>>> Pablo J. Rebollo
>>>>>>>
>>>>>>> ----
>>>>>>>> From delegated-ipv4-latest:
>>>>>>> delegated-arin-latest:arin|PR|ipv4|136.145.0.0|65536|19890829|
>>>>>>> assigned
>>>>>>> delegated-arin-latest:arin|US|ipv4|137.39.0.0|65536|19891025|
>>>>>>> assigned
>>>>>>> delegated-arin-latest:arin|US|ipv4|63.208.0.0|524288|19990528|
>>>>>>> allocated
>>>>>>> delegated-arin-latest:arin|US|ipv4|216.40.192.0|16384|20001005|
>>>>>>> allocated
>>>>>>>
>>>>>>>
>>>>>
>>
>>
>