Argus handling of bad checksums?
Carter Bullard
carter at qosient.com
Wed Aug 12 22:38:37 EDT 2009
Hey Steven,
I suspect that the packet header lengths are incorrect, and that is causing argus some problems. Send me a copy of the anonymized file, and I'll try to figure out what is going on. Upload to ftp://qosient.com/incoming.
Carter
On Aug 12, 2009, at 6:46 PM, Steven DiBenedetto wrote:
> We know for sure that we have a large number of packets with bad
> checksums caused by an anonymizing tool we use to capture traffic.
> In this case, we have a trace in the libpcap format which we are
> feeding through Argus for processing.
>
> Recently, we have discovered Argus produces different results when
> given a normal pcap trace and its anonymized counterpart. Some
> packets seem to be missing in the argus file generated by the anonymized
> trace generated by racount. We are currently running
> argus-3.0.1.beta.3 and argus-clients-3.0.2.beta.10.
>
> Here's an example comparison with Argus:
>
> $ argus -S 1000 -r checksum_test.pcap -w checksum_test.argus
>
> $ argus -S 1000 -r anon_checksum_test.pcap -w anon_checksum_test.argus
>
> argus[13711]: 12 Aug 09 16:32:54.547458 ArgusNewFlow() flow key is not correct len equals zero
> argus[13711]: 12 Aug 09 16:32:54.584273 ArgusNewFlow() flow key is not correct len equals zero
> argus[13711]: 12 Aug 09 16:32:54.584438 ArgusNewFlow() flow key is not correct len equals zero
>
>
> $ racount -r checksum_test.argus
>
> racount   records  total_pkts  src_pkts  dst_pkts  total_bytes  src_bytes  dst_bytes
>     sum     24386      200000    137572     62428    177236752  170786494    6450258
>
> $ racount -r anon_checksum_test.argus
>
> racount   records  total_pkts  src_pkts  dst_pkts  total_bytes  src_bytes  dst_bytes
>     sum     24382      199994    137568     62426    177236392  170786254    6450138
>
>
> Also, the actual number of packets in the example trace is exactly
> 100,000 despite it showing up as twice that in total packets count.
>
> -Steve
>
> On Aug 12, 2009, at 3:33 PM, Carter Bullard wrote:
>
>> Hey Steven,
>> Currently we don't check for bad checksums. It is such a rare event and expensive
>> to check. Do you think you're getting bad checksums?
>>
>> Carter
>>
>> On Aug 12, 2009, at 4:40 PM, Steven DiBenedetto wrote:
>>
>>> Hi Carter,
>>>
>>> How does Argus handle packets with a bad IP checksum?
>>>
>>> -Steve
>>>
>>
>
>
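As an added example that is not part of this thread and not Argus code: the check Argus skips can be run over the trace before it is fed to argus. The script below walks a libpcap file, recomputes the RFC 1071 IPv4 header checksum for every IPv4 frame, and also flags headers whose IHL or total-length fields are inconsistent (the kind of header-length damage Carter suspects), so an anonymized trace can be compared against its original. The frames, addresses, timestamps and the minimal pcap writer are constructed for the demo and are assumptions, not data from the thread; the reader only sees native-order microsecond pcap files with Ethernet framing.

```python
import struct
from typing import Dict, List

PCAP_MAGIC = 0xA1B2C3D4      # native-order, microsecond-timestamp pcap
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words. The caller passes the
    header with its checksum field zeroed; the result is the value to store."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, payload: bytes, ihl: int = 5) -> bytes:
    """Constructed IPv4 header (UDP, no options) plus payload, with a correct
    checksum. 'ihl' is exposed so the demo can forge a bad header length."""
    def ip2b(a: str) -> bytes:
        return bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(payload),
                      0x1234, 0, 64, 17, 0, ip2b(src), ip2b(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def ethernet(payload: bytes, ethertype: int = ETHERTYPE_IPV4) -> bytes:
    """Constructed Ethernet II frame with placeholder MAC addresses."""
    return (b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb"
            + struct.pack("!H", ethertype) + payload)


def pcap_bytes(frames: List[bytes]) -> bytes:
    """Serialize frames as a minimal pcap file (global header + records)."""
    out = struct.pack("=IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("=IIII", 1250000000 + i, 0, len(f), len(f)) + f
    return out


def audit_pcap(data: bytes) -> Dict[str, int]:
    """Count IPv4 headers whose checksum or length fields are inconsistent.
    Frames truncated by snaplen below the IP header are reported as bad_length."""
    if struct.unpack("=I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("only native-order microsecond pcap files are handled")
    if struct.unpack("=I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type is handled")
    counts = {"packets": 0, "ipv4": 0, "bad_checksum": 0, "bad_length": 0}
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack("=IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        counts["packets"] += 1
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue                         # not IPv4 (or too short to hold a header)
        counts["ipv4"] += 1
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        if ihl < 20 or ihl > len(ip) or total_len < ihl:
            counts["bad_length"] += 1        # header bounds cannot be trusted
            continue
        hdr = ip[:ihl]
        stored = struct.unpack("!H", hdr[10:12])[0]
        if ipv4_checksum(hdr[:10] + b"\x00\x00" + hdr[12:]) != stored:
            counts["bad_checksum"] += 1
    return counts


def build_demo_pcap() -> bytes:
    """Constructed trace: one intact packet, one whose addresses were rewritten
    without recomputing the checksum (what a naive anonymizer does), one with
    a forged IHL of 3, and one non-IP (ARP) frame that the audit ignores."""
    payload = b"\x00\x35\x00\x35\x00\x10\x00\x00" + b"demo"
    good = build_ipv4("10.0.0.1", "10.0.0.2", payload)
    anon = good[:12] + bytes([192, 168, 1, 1]) + good[16:]   # src rewritten, old checksum kept
    short_ihl = build_ipv4("10.0.0.1", "10.0.0.2", payload, ihl=3)
    arp = ethernet(b"\x00" * 28, ethertype=0x0806)
    return pcap_bytes([ethernet(good), ethernet(anon), ethernet(short_ihl), arp])


if __name__ == "__main__":
    print(audit_pcap(build_demo_pcap()))
```

Running the audit on both the original and the anonymized capture and diffing the two counts tells you whether the anonymizer left checksums or header lengths inconsistent before any flow tool sees the trace.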