Argus handling of bad checksums?

carter at qosient.com carter at qosient.com
Mon Sep 28 08:14:35 EDT 2009


Hey Steven,
Grab the 3.0.2 code from the web site and we'll use that as a starting point.  This issue with treating anonymized packets differently has come up before.
If you can share the anon packet file, I'll try to figure it out.
Carter
Sent from my Verizon Wireless BlackBerry

-----Original Message-----
From: Steven DiBenedetto <dibenede at CS.ColoState.EDU>

Date: Wed, 12 Aug 2009 16:46:50 
To: <argus-info at lists.andrew.cmu.edu>
Subject: Re: [ARGUS] Argus handling of bad checksums?


We know for sure that we have large number of packets with bad  
checksums caused by an anonymizating tool we use to capture traffic.  
In this case, we have a trace in the libpcap format which we are  
feeding through Argus for processing.

Recently, we have discovered Argus produces different results when  
given a normal pcap trace and its anonymized counterpart. Some packets  
seem to be missing in the argus file generated by anonymized trace  
generated by racount. We are currently running argus-3.0.1.beta.3 and  
argus-clients-3.0.2.beta.10.

Here's an example comparison with Argus:

$ argus -S 1000 -r checksum_test.pcap -w checksum_test.argus

$ argus -S 1000 -r anon_checksum_test.pcap -w anon_checksum_test.argus

argus[13711]: 12 Aug 09 16:32:54.547458 ArgusNewFlow() flow key is not  
correct len equals zero
argus[13711]: 12 Aug 09 16:32:54.584273 ArgusNewFlow() flow key is not  
correct len equals zero
argus[13711]: 12 Aug 09 16:32:54.584438 ArgusNewFlow() flow key is not  
correct len equals zero


$ racount -r checksum_test.argus

racount   records     total_pkts     src_pkts       dst_pkts  
total_bytes       		src_bytes          dst_bytes
  sum	24386       200000         137572         62428		 
177236752          170786494          6450258

$ racount -r anon_checksum_test.argus

racount   records     total_pkts     src_pkts       dst_pkts  
total_bytes        src_bytes          dst_bytes
sum   	24382       199994         137568         62426  
177236392          170786254          6450138


Also, the actual number of packets in the example trace is exactly  
100,000 despite it showing up as twice that in total packets count.

-Steve

On Aug 12, 2009, at 3:33 PM, Carter Bullard wrote:

> Hey Steven,
> Currently we don't check for bad checksum's.  It is such a rare  
> event and expensive
> to check. Do you think you're getting bad checksums?
>
> Carter
>
> On Aug 12, 2009, at 4:40 PM, Steven DiBenedetto wrote:
>
>> Hi Carter,
>>
>> How does Argus handle packets with a bad IP checksum?
>>
>> -Steve
>>
>




More information about the argus mailing list