ranonymize question

Peter Van Epp vanepp at sfu.ca
Tue Jun 24 15:44:27 EDT 2008


	Before I reinvent the wheel (although I don't think that will be the 
case), a question on ranonymize. I have a 50 hour pcap data capture (the 
CAIDA ditl experiment) and I'm comparing our DNS servers in the larger capture
with argus from our border to assess how bad the packet loss was (non DAG 
cards so there will have been loss, currently looks like maybe the %10 level
although one calculation came up with %34 loss). When (or perhaps if, although 
it somewhat works now :-)) I get that working I'll publish the perl that does 
it as I expect it may be more generally useful. 
	However as part of this I'd like to be able to publish the anonymized 
argus data so that others could assess the accuracy of the loss calculations.
The two argi saw the same data a couple of hops apart in the network, 
production argus on my border is a sensor and separate capture box setup and 
the ditl capture was tcpdump writing to local disk (known to cause packet loss).
Feeding the appropriate part of the pcap to argus gets two argus files of 
supposedly the same data modulo packet loss and it should be possible to 
extract loss from the two files (not easy because of flow combination and 
different reporting intervals and hourly file boundaries, but possible :-)). 
	Both sets of data are rotated on an hourly basis, so what I want from
ranonymize is to be able to pass ranonymize state from hour to hour: i.e. 
first hour first data run just start ranonymize with selected anonymize 
parameters. At the end of the data file during argus shutdown dump the current 
anonymization map to a file and let the next ranonymize read it to seed 
the anonymization (and add any new IPs it finds as normal). On the second 
capture, the last anonymization state of the first capture would be the 
initial seed so the anonymization is constant across both files (needed to 
detect loss). I don't think this is currently present (but would be happy to 
hear that it is and I just don't see it in the option list :-)) but I don't 
think it should be too hard to add either. 

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada
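
The hour-to-hour state hand-off requested in the message above, as an added example: this is not part of the original post and is not ranonymize code or its file format. The JSON state file, the function names and the (src, dst) flow tuples are assumptions made for illustration, and the addresses are constructed documentation-range samples.

```python
import ipaddress
import json
import os
import secrets

def load_map(path):
    """Return the real->pseudonym map left by the previous run, or {} for hour one."""
    try:
        with open(path) as fh:
            return json.load(fh)
    except FileNotFoundError:
        return {}

def save_map(path, mapping):
    """Write the map atomically. It reverses the anonymization, so keep it
    private (mode 0600) and never publish it alongside the anonymized data."""
    tmp = path + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(mapping, fh)
    os.replace(tmp, path)

def pseudonym(addr, mapping):
    """Map one IPv4 address: reuse a seeded entry, or add a new random one."""
    key = str(ipaddress.IPv4Address(addr))  # validate and normalise
    if key not in mapping:
        used = set(mapping.values())
        while True:
            cand = str(ipaddress.IPv4Address(secrets.randbits(32)))
            # No two real addresses may share a pseudonym, and none maps to itself.
            if cand not in used and cand != key:
                break
        mapping[key] = cand
    return mapping[key]

def anonymize_hour(flows, state_path):
    """Anonymize one hourly batch of (src, dst) pairs, seeded from state_path,
    then dump the grown map back so the next hour (or capture) continues it."""
    mapping = load_map(state_path)
    out = [(pseudonym(s, mapping), pseudonym(d, mapping)) for s, d in flows]
    save_map(state_path, mapping)
    return out

if __name__ == "__main__":
    import tempfile
    state = os.path.join(tempfile.mkdtemp(), "anon-map.json")
    # Constructed flows: 192.0.2.10 appears in both hours and keeps its pseudonym.
    print(anonymize_hour([("192.0.2.10", "198.51.100.53")], state))
    print(anonymize_hour([("192.0.2.10", "203.0.113.7")], state))
```

Running the second capture against the state file left by the last hour of the first capture gives both files the same mapping, which is what a flow-by-flow loss comparison needs.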


