[Bug] filter problem

Nick Diel nick at engineerity.com
Sat Jun 7 15:15:55 EDT 2008 

Carter,

Below is the byte code for the filter.  I think the problem may relate to
the keyword reset.  We were having a problem getting the keyword reset to
capture all flows that had a reset in them, and you made some changes and
the keyword reset by itself worked correctly.  Now I am thinking reset with
certain combinations is producing the same problem as we were working on in
the past.

ra -b - dst port 25 and reset
(000) ldh      [194]
(001) jeq      #0x19            jt 2    jf 7
(002) ldb      [154]
(003) and      #31
(004) jeq      #0x2             jt 5    jf 7
(005) ldb      [191]
(006) jeq      #0x6             jt 28   jf 7
(007) ldh      [168]
(008) jeq      #0x19            jt 9    jf 14
(009) ldb      [154]
(010) and      #31
(011) jeq      #0x1             jt 12   jf 14
(012) ldb      [164]
(013) jeq      #0x6             jt 28   jf 14
(014) ldh      [194]
(015) jeq      #0x19            jt 16   jf 21
(016) ldb      [154]
(017) and      #31
(018) jeq      #0x2             jt 19   jf 21
(019) ldb      [191]
(020) jeq      #0x11            jt 28   jf 21
(021) ldh      [168]
(022) jeq      #0x19            jt 23   jf 32
(023) ldb      [154]
(024) and      #31
(025) jeq      #0x1             jt 26   jf 32
(026) ldb      [164]
(027) jeq      #0x11            jt 28   jf 32
(028) ldb      [482]
(029) and      #4
(030) jeq      #0x4             jt 31   jf 32
(031) ret      #96
(032) ret      #0


Nick

On Fri, Jun 6, 2008 at 1:55 PM, Carter Bullard <carter at qosient.com> wrote:

> Hey Nick,
> Be sure and run ra with the "-b" option and send that output.
> This will print the compiler byte code, so I can see what your
> particular machine is doing with the filter.  So,
>
>   ra -r argusFile -b - dst port 25 and reset
>
> Carter
>
>
> On Jun 6, 2008, at 12:55 PM, Nick Diel wrote:
>
>  The following filter (and different variations) doesn't filter correctly:
>> dst port 25 and reset
>>
>> Though splitting the filter up into two passes has the correct outcome.
>>
>> ra -r argusFile - dst port 25 and reset | wc -l
>> 6
>>
>> ra -r argusFile -w - - dst port 25 | ra -r - - reset | wc -l
>> 177
>>
>> Nick
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20080607/2438b230/attachment.html>

More information about the argus mailing list