Argus handling of bad checksums?

Peter Van Epp vanepp at sfu.ca
Wed Aug 12 23:58:41 EDT 2009 

	I suspect the right (but possibly difficult) answer is to fix the 
anonymization program to write correct checksums in the anonimized data.
Vern Paxton has a policy driven anonymization tool although I can't find a
reference in a quick search (and I don't know if it corrects the checksums
but I expect it will).
	If (as it appears) you have unanonymized and anonymized pcap files
feed both of them to wireshark and compare the outputs. I'd expect wireshark
to have similar problems to argus with bad header lengths and the hex dumps
of the packet streams should tell you where the errors are. That may point to
a problem with the anonymization program. 
	In the general case of checksum errors, I expect the only place it 
can be done is on the ethernet card. Argus doesn't get the complete packet 
and thus can only check the header checksums not the data check sum. I don't
think bpf passes crc error information with the pcap data (although I could
be wrong).

Peter Van Epp

On Wed, Aug 12, 2009 at 10:38:37PM -0400, Carter Bullard wrote:
> Hey Steven,
> I suspect that the packet header lengths are incorrect, and that is  
> causing argus
> some problems.  Send me a copy of the anonymized file, and I'll try to  
> figure
> out what is going on.  Upload to ftp://qosient.com/incoming.
>
> Carter
>
> On Aug 12, 2009, at 6:46 PM, Steven DiBenedetto wrote:
>
>> We know for sure that we have large number of packets with bad  
>> checksums caused by an anonymizating tool we use to capture traffic.  
>> In this case, we have a trace in the libpcap format which we are  
>> feeding through Argus for processing.
>>
>> Recently, we have discovered Argus produces different results when  
>> given a normal pcap trace and its anonymized counterpart. Some packets 
>> seem to be missing in the argus file generated by anonymized trace 
>> generated by racount. We are currently running argus-3.0.1.beta.3 and 
>> argus-clients-3.0.2.beta.10.
>>
>> Here's an example comparison with Argus:
>>
>> $ argus -S 1000 -r checksum_test.pcap -w checksum_test.argus
>>
>> $ argus -S 1000 -r anon_checksum_test.pcap -w anon_checksum_test.argus
>>
>> argus[13711]: 12 Aug 09 16:32:54.547458 ArgusNewFlow() flow key is not 
>> correct len equals zero
>> argus[13711]: 12 Aug 09 16:32:54.584273 ArgusNewFlow() flow key is not 
>> correct len equals zero
>> argus[13711]: 12 Aug 09 16:32:54.584438 ArgusNewFlow() flow key is not 
>> correct len equals zero
>>
>>
>> $ racount -r checksum_test.argus
>>
>> racount   records     total_pkts     src_pkts       dst_pkts  
>> total_bytes       		src_bytes          dst_bytes
>> sum	24386       200000         137572         62428		177236752          
>> 170786494          6450258
>>
>> $ racount -r anon_checksum_test.argus
>>
>> racount   records     total_pkts     src_pkts       dst_pkts  
>> total_bytes        src_bytes          dst_bytes
>> sum   	24382       199994         137568         62426 177236392        
>>   170786254          6450138
>>
>>
>> Also, the actual number of packets in the example trace is exactly  
>> 100,000 despite it showing up as twice that in total packets count.
>>
>> -Steve
>>
>> On Aug 12, 2009, at 3:33 PM, Carter Bullard wrote:
>>
>>> Hey Steven,
>>> Currently we don't check for bad checksum's.  It is such a rare  
>>> event and expensive
>>> to check. Do you think you're getting bad checksums?
>>>
>>> Carter
>>>
>>> On Aug 12, 2009, at 4:40 PM, Steven DiBenedetto wrote:
>>>
>>>> Hi Carter,
>>>>
>>>> How does Argus handle packets with a bad IP checksum?
>>>>
>>>> -Steve
>>>>
>>>
>>
>>
>

More information about the argus mailing list