Printing Country Codes

Carter Bullard carter at qosient.com
Thu Jan 10 07:24:00 EST 2008


Ralabel does a lot to try to "correct" country codes, if it is configured to convert the addresses to FQDN (fully qualified domain names).  The assumption is the FQDN is more correct if the last part of the FQDN is a valid 2 character country code.
If you think there are errors there, please advise.

Be sure and use an "- ip" filter with your ralabel() call.  Non-ip traffic can confuse the aggregator.

Are we missing all of Africa?  I thought we were picking it up in one of the other files?

Carter


Carter Bullard
QoSient LLC
150 E. 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax
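An added example, not from this thread and not argus/ralabel code: a small Python parser for the delegated-ipv4 records the thread is about (fields `registry|cc|ipv4|start|count|date|status`), turning each record's start/count into CIDR blocks and doing a longest-prefix country lookup on an address. The four `arin` lines are copied from Pablo's grep output further down (the `filename:` prefix grep adds is stripped); the header, summary and `afrinic` lines are constructed sample input, and the function names are mine. It also handles the case the file format allows and a naive "count is a power of two" conversion does not: a count that has to be expressed as more than one CIDR block.

```python
"""Country-code lookup from RIR delegated-ipv4 records (added example)."""
import ipaddress

# Constructed sample. The arin records are the ones quoted in the thread
# (as grep -H prints them); the afrinic record and the two header lines
# are made up to show that all RIR files share one format.
SAMPLE = """\
2|arin|20080108|4|19830101|20080108|-0500
arin|*|ipv4|*|4|summary
delegated-arin-latest:arin|PR|ipv4|136.145.0.0|65536|19890829|assigned
delegated-arin-latest:arin|US|ipv4|137.39.0.0|65536|19891025|assigned
delegated-arin-latest:arin|US|ipv4|63.208.0.0|524288|19990528|allocated
delegated-arin-latest:arin|US|ipv4|216.40.192.0|16384|20001005|allocated
afrinic|ZA|ipv4|196.1.0.0|12288|20070101|allocated
"""


def parse_delegated(text):
    """Return a list of (IPv4Network, country_code) for assigned/allocated records.

    'count' in a delegated file is a number of addresses, not a prefix
    length, and it need not be a power of two, so one record may become
    several CIDR blocks; ipaddress.summarize_address_range does that split.
    """
    table = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) < 7:
            continue  # version/header line, not a record
        # grep -H prefixes each record with "filename:"; drop it.
        if ":" in fields[0]:
            fields[0] = fields[0].rsplit(":", 1)[1]
        _registry, cc, kind, start, count, _date, status = fields[:7]
        if kind != "ipv4" or cc == "*":
            continue  # summary line or a non-IPv4 record
        if status not in ("assigned", "allocated"):
            continue  # 'available' / 'reserved' carry no usable country
        first = ipaddress.IPv4Address(start)
        last = ipaddress.IPv4Address(int(first) + int(count) - 1)
        for net in ipaddress.summarize_address_range(first, last):
            table.append((net, cc))
    return table


def lookup(table, addr):
    """Country code of the most specific block containing addr, or None."""
    ip = ipaddress.IPv4Address(addr)
    best = None
    for net, cc in table:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, cc)
    return best[1] if best else None


def blocks_for(table, cc):
    """CIDR strings registered to one country code, in file order."""
    return [str(net) for net, code in table if code == cc]


if __name__ == "__main__":
    table = parse_delegated(SAMPLE)
    for a in ("136.145.115.194", "137.39.1.3", "63.209.144.178",
              "216.40.221.10", "194.146.106.42"):
        print(a, lookup(table, a))
    print("ZA", blocks_for(table, "ZA"))
```

With the thread's four ARIN records this resolves the addresses Pablo listed to PR and US; an address with no covering record (such as 194.146.106.42, which is not in the sample) comes back as None rather than as a wrong code. The constructed AfriNIC record with a count of 12288 becomes a /19 plus a /20, which is why a lookup table should be built from the start/count pair and not from the count alone.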

-----Original Message-----
From: Pablo.Rebollo at ece.uprm.edu

Date: Tue, 8 Jan 2008 19:38:39 
To:"Carter Bullard" <carter at qosient.com>
Cc:"Pablo J. Rebollo" <pablo.rebollo at ece.uprm.edu>,"Argus" <argus-info at lists.andrew.cmu.edu>
Subject: Re: [ARGUS] Printing Country Codes


Carter,

I'm still having problems when using ralabel with "-nnn".  There is another
problem when using racluster to aggregate by country codes.

ralabel -r mydump.argus -w - | racluster -m sco

StartTime        Flgs  Proto            SrcAddr  Sport   Dir            DstAddr  Dport  TotPkts   TotBytes State
08:03:57.233336  e          ip            0.0.0.0          <->            0.0.0.0             100      14938   CON

Finally, I noticed that AfriNIC is not included in the ragetcountrycodes.sh
script.

Best regards,

Pablo J. Rebollo

> Hey Pablo,
> I have made some changes that should fix these problems.
> I've uploaded the new client code, but I didn't change the version
> number yet, so if you would get the current rc.67 client distribution
> and see if it does the right thing?
>
> Thanks for all the help!!!!!!
>
> Carter
>
>
> On Jan 4, 2008, at 10:09 PM, Pablo J. Rebollo wrote:
>
>> Carter,
>>
>> With the provided patch ra is printing country codes correctly.
>> Ralabel is giving odd results when using "-nnn".
>> ralabel -r mydump.argus -s +sco +dco
>>
>>    http://ece.uprm.edu/~pablor/ralabel.out
>>
>> ralabel -nnnr mydump.argus -s +sco +dco
>>
>>    http://ece.uprm.edu/~pablor/ralabel-nnn.out
>>
>> Files differ on lines 16, 20, 27, and 28.
>>
>> Ratop isn't categorizing IPs properly.
>>
>>    http://ece.uprm.edu/~pablor/ratop.out
>>
>> I got the same results by compiling argus clients on Ubuntu,
>> OpenBSD, and Solaris.  I'm using the following example dump file.
>>
>>    http://ece.uprm.edu/~pablor/country_codes_test.tar.gz
>>
>> Best regards,
>>
>> Pablo J. Rebollo
>>
>>
>> Pablo J. Rebollo-Sosa wrote:
>>> Carter,
>>>
>>> Now Argus is able to associate networks correctly.  I'm using an
>>> old Dell Precision 360 with a P4 3.2 GHz for testing.  I will
>>> perform more tests over the weekend.
>>>
>>> Best regards,
>>>
>>> Pablo J. Rebollo
>>>
>>> Carter Bullard wrote:
>>>> Hey Pablo,
>>>> Here is a fix for our country code printing problem.  I suspect
>>>> that you're
>>>> on a modern 64-bit machine (or 64-bit capable), as I saw this on my
>>>> Intel Duo Core whatever Linux RedHat machine.   Seems that there
>>>> is a really bizarre compiler bug dealing with bit shifting
>>>> operators and
>>>> 32-bit values, at least that's what it looks like to me.
>>>>
>>>> Didn't see this problem on my G5 or earlier Intel machines.
>>>>
>>>> Replace the ./common/argus_client.c file with the one included in
>>>> this email, recompile and give it a try.   Lots of changes, and
>>>> didn't
>>>> know if you were comfortable with patch.1.
>>>>
>>>> If it's cool I'll put it up on the server today.
>>>>
>>>> Carter
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>>>
>>>>>> On Dec 29, 2007, at 1:04 PM, Pablo.Rebollo at ece.uprm.edu wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I was testing country codes feature and found that isn't
>>>>>>> working properly.
>>>>>>> Here is an example:
>>>>>>>
>>>>>>> root at nsm:~# ralabel -n -S localhost -T 1 -s sco dco saddr sport daddr dport - udp and port domain
>>>>>>> sCo dCo            SrcAddr  Sport            DstAddr  Dport
>>>>>>> EU  EU    136.145.115.194.48782        136.145.57.3.53
>>>>>>> EU  SE       136.145.57.3.35421      194.146.106.42.53
>>>>>>> EU           136.145.57.3.35421          137.39.1.3.53
>>>>>>> EU  PT       136.145.57.3.35421        193.136.7.17.53
>>>>>>> EU  NL       136.145.57.3.35421      193.239.90.130.53
>>>>>>> EU  RU       136.145.57.3.35421         194.67.57.4.53
>>>>>>> EU           136.145.57.3.35421      63.209.144.178.53
>>>>>>> FR  EU     193.252.149.16.32780        136.145.57.3.53
>>>>>>>   EU      216.40.221.10.1029         136.145.58.3.53
>>>>>>> ...
>>>>>>> ...
>>>>>>>
>>>>>>> I found the following:
>>>>>>>
>>>>>>> 1) Network 136.145.0.0/16 has been associated to EU and not to
>>>>>>> PR.
>>>>>>> 2) Network 137.39.0.0/16 hasn't been associated to US.
>>>>>>> 3) Network 63.208.0.0/13 hasn't been associated to US.
>>>>>>> 4) Network 216.40.192.0/18 hasn't been associated to US.
>>>>>>>
>>>>>>> I ran ragetcountrycodes.sh to generate a new delegated-ipv4-latest file
>>>>>>> and got the same results.
>>>>>>>
>>>>>>> Best regards,
>>>>>>>
>>>>>>> Pablo J. Rebollo
>>>>>>>
>>>>>>> ----
>>>>>>> From delegated-ipv4-latest:
>>>>>>> delegated-arin-latest:arin|PR|ipv4|136.145.0.0|65536|19890829|assigned
>>>>>>> delegated-arin-latest:arin|US|ipv4|137.39.0.0|65536|19891025|assigned
>>>>>>> delegated-arin-latest:arin|US|ipv4|63.208.0.0|524288|19990528|allocated
>>>>>>> delegated-arin-latest:arin|US|ipv4|216.40.192.0|16384|20001005|allocated
>>>>>>>
>>>>>>>
>>>>>
>>
>>
>