Argus handling of bad checksums?
Steven DiBenedetto
dibenede at CS.ColoState.EDU
Wed Aug 12 18:46:50 EDT 2009
We know for sure that we have a large number of packets with bad
checksums caused by an anonymizing tool we use to capture traffic.
In this case, we have a trace in the libpcap format which we are
feeding through Argus for processing.
Recently, we have discovered that Argus produces different results when
given a normal pcap trace and its anonymized counterpart. Some packets
seem to be missing in the argus file generated by the anonymized trace,
as reported by racount. We are currently running argus-3.0.1.beta.3 and
argus-clients-3.0.2.beta.10.
Here's an example comparison with Argus:
$ argus -S 1000 -r checksum_test.pcap -w checksum_test.argus
$ argus -S 1000 -r anon_checksum_test.pcap -w anon_checksum_test.argus
argus[13711]: 12 Aug 09 16:32:54.547458 ArgusNewFlow() flow key is not correct len equals zero
argus[13711]: 12 Aug 09 16:32:54.584273 ArgusNewFlow() flow key is not correct len equals zero
argus[13711]: 12 Aug 09 16:32:54.584438 ArgusNewFlow() flow key is not correct len equals zero
$ racount -r checksum_test.argus
racount   records   total_pkts   src_pkts   dst_pkts   total_bytes   src_bytes   dst_bytes
    sum     24386       200000     137572      62428     177236752   170786494     6450258
$ racount -r anon_checksum_test.argus
racount   records   total_pkts   src_pkts   dst_pkts   total_bytes   src_bytes   dst_bytes
    sum     24382       199994     137568      62426     177236392   170786254     6450138
Also, the actual number of packets in the example trace is exactly
100,000 despite it showing up as twice that in total packets count.
-Steve
On Aug 12, 2009, at 3:33 PM, Carter Bullard wrote:
> Hey Steven,
> Currently we don't check for bad checksums. It is such a rare
> event and expensive to check. Do you think you're getting bad checksums?
>
> Carter
>
> On Aug 12, 2009, at 4:40 PM, Steven DiBenedetto wrote:
>
>> Hi Carter,
>>
>> How does Argus handle packets with a bad IP checksum?
>>
>> -Steve
>>
>
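A way to answer Carter's question ("do you think you're getting bad checksums?") before the anonymized trace ever reaches Argus is to recompute the IPv4 header checksum of every packet in the pcap and count the mismatches. The script below is an added example written for this thread, not code from the Argus project or from either poster; it parses the classic libpcap file format and Ethernet/IPv4 headers by hand so it needs nothing beyond the Python standard library. The sample pcap it builds in memory (two good IPv4 frames, one frame whose checksum has been deliberately corrupted the way an anonymizer that rewrites addresses without fixing checksums would, and one ARP frame) is constructed for the example; point count_bad_ip_checksums() at the bytes of a real capture such as anon_checksum_test.pcap to get the counts for that trace.

```python
import struct
from typing import Iterator, Optional

LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 ones'-complement checksum over an IPv4 header.
    When called on a header that already carries its checksum field,
    the result is 0 exactly when that field is correct."""
    if len(header) % 2:
        header += b"\x00"  # pad an odd-length buffer, as RFC 1071 does
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def iter_pcap_packets(data: bytes) -> Iterator[bytes]:
    """Yield the captured bytes of each record in a classic pcap file.
    Both byte orders and the nanosecond-resolution magic are accepted."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(endian + "HHiIII", data[4:24])[5]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("this example only handles the Ethernet link type")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def ip_header_checksum_ok(frame: bytes) -> Optional[bool]:
    """True/False for an Ethernet-encapsulated IPv4 frame, None if the
    frame is not IPv4 (or is truncated before the end of the IP header)."""
    if len(frame) < 14 + 20 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if ihl < 20 or len(frame) < 14 + ihl:
        return None
    return ipv4_checksum(frame[14:14 + ihl]) == 0


def count_bad_ip_checksums(pcap_bytes: bytes) -> dict:
    """Count packets, IPv4 packets and IPv4 packets with a bad header checksum."""
    counts = {"packets": 0, "ipv4": 0, "bad_ip_checksum": 0}
    for frame in iter_pcap_packets(pcap_bytes):
        counts["packets"] += 1
        ok = ip_header_checksum_ok(frame)
        if ok is None:
            continue
        counts["ipv4"] += 1
        if not ok:
            counts["bad_ip_checksum"] += 1
    return counts


# --- constructed sample data (not from any real trace) ---------------------

def build_ipv4_frame(src: bytes, dst: bytes, payload: bytes = b"", corrupt: bool = False) -> bytes:
    """Ethernet + minimal IPv4/UDP-protocol header; corrupt=True flips bits in the checksum."""
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                               0x1234, 0, 64, 17, 0, src, dst))
    csum = ipv4_checksum(bytes(ip))
    if corrupt:
        csum ^= 0x5A5A  # guaranteed to differ from the correct value
    struct.pack_into("!H", ip, 10, csum)
    return b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00" + bytes(ip) + payload


def build_pcap(frames) -> bytes:
    """Wrap Ethernet frames in a little-endian classic pcap file."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    body = b"".join(struct.pack("<IIII", 0, i, len(f), len(f)) + f for i, f in enumerate(frames))
    return header + body


SAMPLE_PCAP = build_pcap([
    build_ipv4_frame(b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", b"hello"),
    build_ipv4_frame(b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", b"hello", corrupt=True),
    build_ipv4_frame(b"\x0a\x00\x00\x03", b"\x0a\x00\x00\x04"),
    b"\xff" * 6 + b"\x00" * 6 + b"\x08\x06" + b"\x00" * 28,  # ARP frame, skipped
])

if __name__ == "__main__":
    print(count_bad_ip_checksums(SAMPLE_PCAP))
```

The same recomputation can be extended to TCP and UDP checksums (which need the IP pseudo-header), but the IP header check alone is enough to confirm whether an anonymizer left the trace with checksums Argus would have to either ignore, as Carter says it currently does, or spend time verifying.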