Some problems (bugs?) with argus

Martijn van Oosterhout kleptog at gmail.com
Fri Aug 7 05:49:54 EDT 2009


Hi,

I'm having some difficulties with argus 3.0.0. I'm wondering if people
have some ideas (maybe they're fixed already, but I can't find a
changelog anywhere):

1. Sometimes, argus outputs IP addresses in reverse order. So if the
flow is from a1.b1.c1.d1 to a1.b2.c2.d2, the actual flow record from
argus displays as

d1.c1.b1.a1 -> d2.c2.b2.a1

Personally, I've stared at the code a bit and can't work out how it
could possibly happen. So far I've not been able to extract a PCAP
that reproduces it, but it happens maybe a few times in weeks of heavy
traffic.

03 Aug 09 08:35:52  e    f    tcp       21.33.xx.yy *         ->
20.145.xx.yy *             1       1434   INT
03 Aug 09 08:50:07  e    f    tcp       21.33.xx.yy *         ->
31.134.xx.yy *             1       1434   INT

So they're not complete flows, but they're odd nonetheless. The TCP
port number is missing also. Has anyone seen this?

2. If a TCP session is missing the initial SYN packet then the argus
flow registers as being the wrong way round. For stats this is kind of
annoying as servers appear as clients. It happens also if a RST or FIN
shortly precedes the SYN.

I thought I could fix this by checking ARGUS_REVERSE of the flow
whenever a SYN packet comes past in ArgusTcp.c, but I'm having
difficulty determining exactly how to change it. I'm getting lost in the
DSRS and working out which direction the SYN is actually going. Can
anyone help here?

3. Finally, a simple one: when you do a bpf match for "syn" on the
commandline it also matches flows with synack, which for my purpose is
undesirable. I fixed this with the patch

--- common/grammar.y    2008-03-20 04:29:14.000000000 +0100
+++ common/grammar.y.patched    2009-07-30 13:49:36.000000000 +0200
@@ -306,6 +306,7 @@
        | SVC                   { $$ = Q_SVC; }
         | NORMAL               { $$ = Q_NORMAL; }
         | WAIT                 { $$ = Q_WAIT; }
+        | SYN                  { $$ = Q_SYN; }
        | SYNACK                { $$ = Q_SYNACK; }
        | FINACK                { $$ = Q_FINACK; }
        | ESTABLISHED           { $$ = Q_ESTABLISHED; }
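Review bot: the added `| SYN { $$ = Q_SYN; }` alternative depends on a `SYN` token from the scanner and a `Q_SYN` value that are not visible in this hunk; please confirm both exist (or add the `%token` and the `Q_SYN` definition in the same patch), otherwise the grammar will not build. Since "syn" already matched something before this change, there must be an existing path that handles the `syn` keyword; check that this new alternative does not conflict with or silently shadow it, and that the code which turns `Q_SYN` into a filter actually tests for a SYN without ACK, because the grammar change alone only changes which token is produced, not how it is matched.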

Seems simple enough for me, what do you think?

Thanks in advance,
-- 
Martijn van Oosterhout <kleptog at gmail.com> http://svana.org/kleptog/
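A simplified model of the direction problem in item 2, added here as an illustration and not argus's own code: the flow's originator is whoever sent the first packet, and a handshake-based correction (the job the poster wants ARGUS_REVERSE to do) flips it. The addresses, traces and names are constructed; the correction also covers the missing-SYN case by treating the SYN-ACK sender as the server, which goes slightly beyond what the post describes.

```python
# Simplified model of first-packet flow direction (not argus's code).
SYN, ACK, FIN, RST = 0x02, 0x10, 0x01, 0x04

class Flow:
    def __init__(self, src, dst):
        self.src, self.dst = src, dst   # src is the recorded originator (client)
        self.reversed = False           # analogue of argus's ARGUS_REVERSE flag
        self.pkts = 0

    def flip(self):
        self.src, self.dst = self.dst, self.src
        self.reversed = not self.reversed

class Tracker:
    def __init__(self, fix_direction):
        self.flows = {}
        self.fix_direction = fix_direction

    def packet(self, src, dst, flags):
        k = tuple(sorted((src, dst)))   # one bidirectional flow per address/port pair
        f = self.flows.get(k)
        if f is None:
            # naive rule: direction comes from the first packet, whatever it is
            f = self.flows[k] = Flow(src, dst)
        if self.fix_direction:
            handshake = flags & (SYN | ACK)
            # a pure SYN comes only from the active opener, a SYN-ACK only from the
            # passive side; if the recorded roles disagree with that, swap them
            if (handshake == SYN and src == f.dst) or \
               (handshake == SYN | ACK and src == f.src):
                f.flip()
        f.pkts += 1
        return f

def originator(trace, fix_direction):
    """Replay a constructed (src, dst, flags) trace and return the recorded client."""
    t = Tracker(fix_direction)
    for src, dst, flags in trace:
        f = t.packet(src, dst, flags)
    return f.src

CLIENT, SERVER = ("192.0.2.7", 40000), ("10.0.0.5", 80)   # constructed endpoints
# Constructed traces for the two cases in the post: a late RST from an earlier
# connection just before the SYN, and a capture that missed the SYN entirely.
LATE_RST_THEN_SYN = [(SERVER, CLIENT, RST), (CLIENT, SERVER, SYN),
                     (SERVER, CLIENT, SYN | ACK), (CLIENT, SERVER, ACK)]
MISSING_SYN = [(SERVER, CLIENT, SYN | ACK), (CLIENT, SERVER, ACK)]

if __name__ == "__main__":
    for name, trace in (("late RST", LATE_RST_THEN_SYN), ("missing SYN", MISSING_SYN)):
        print(name, "naive:", originator(trace, False), "fixed:", originator(trace, True))
```

With the naive rule both traces record the server as the originator; with the handshake correction both record the client.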
