Argus giving wrong bytes results ?
Carter Bullard
carter at qosient.com
Mon Jul 12 10:36:05 EDT 2010
Hey Mike,
Thanks for the data, and that is exactly what I needed to know. The bug should be in the
original conversion of the netflow record into an argus record. I'll try to find it today.
Probably an alignment issue, or a collision in a status bit or something.
When we moved all the compile variables to the ./include/argus_config.h file, some bugs
crept in. I suspect that there is a #define that is missing in one of the Netflow parsing
routines and it's generating an ARGUS_METER_DSR with an incorrect type specification.
When ra* programs write out data, either to a file or to the wire, they change all the internal
representations to a compressed stream representation, and can correct for record
definition inconsistencies. I suspect that is what is happening; it's just not catching all
of them.
If you were to run
./ra -C 192.168.1.81:9995 -w - | ./ra -L0 -n -Zb
I suspect that you will get a different output?
Thanks again!!!!!!!!!
Carter
On Jul 12, 2010, at 8:18 AM, Mike Tancsa wrote:
>
> Also just another datapoint, if I use ra from 3.0.3.14 to read an argus file created by the older version of radium, it works.
>
> /tmp/argus-clients-3.0.3.14/bin/ra -L0 -nr radium.arg -Zb -N 25 - port 9010
> StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport TotPkts TotBytes State
> 23:59:57.498489 e tcp 172.25.1.1.60183 -> 192.168.1.1.3.9010 9 816 FSPA_
> 23:59:51.468000 Ne tcp 172.25.1.1.59519 -> 192.168.1.1.3.9010 5 367 FSPA_
> 23:59:51.556000 Ne tcp 172.25.1.1.58054 -> 192.168.1.1.3.9010 5 403 FSPA_
> 23:59:57.736000 Ne tcp 172.25.1.1.60183 -> 192.168.1.1.3.9010 5 401 FSPA_
> 00:00:12.626558 e tcp 172.25.1.1.57736 -> 192.168.1.1.3.9010 10 878 FSPA_
> 00:00:16.698774 e tcp 172.25.1.1.55670 -> 192.168.1.1.3.9010 10 878 FSPA_
> 00:00:12.805000 Ne tcp 172.25.1.1.57736 -> 192.168.1.1.3.9010 5 403 FSPA_
> 00:00:16.913000 Ne tcp 172.25.1.1.55670 -> 192.168.1.1.3.9010 5 403 FSPA_
> 00:00:17.409000 Ne tcp 172.25.1.1.64095 -> 192.168.1.1.3.9010 5 373 FSPA_
> 00:00:17.709000 Ne tcp 172.25.1.1.61488 -> 192.168.1.1.3.9010 5 386 FSPA_
> 00:00:17.190421 e tcp 172.25.1.1.64095 -> 192.168.1.1.3.9010 10 820 FSPA_
> 00:00:17.490838 e tcp 172.25.1.1.61488 -> 192.168.1.1.3.9010 10 861 FSPA_
> 00:00:23.292488 e tcp 172.25.1.1.59905 -> 192.168.1.1.3.9010 10 877 FSPA_
> 00:00:27.742003 e tcp 172.25.1.1.52194 -> 192.168.1.1.3.9010 10 877 FSPA_
> 00:00:23.500000 Ne tcp 172.25.1.1.59905 -> 192.168.1.1.3.9010 5 402 FSPA_
> 00:00:25.332000 Ne tcp 172.25.1.1.64507 -> 192.168.1.1.4.9010 5 402 FSPA_
> 00:00:27.988000 Ne tcp 172.25.1.1.52194 -> 192.168.1.1.3.9010 5 402 FSPA_
>
> At 08:05 AM 7/12/2010, Mike Tancsa wrote:
>> At 04:49 PM 7/9/2010, Carter Bullard wrote:
>>> Is that with argus-clients-3.0.3.14 ?
>>
>> Hi,
>> I double-checked, and yes
>>
>> # pwd
>> /tmp/argus-clients-3.0.3.14/bin
>>
>> ./ra -L0 -n -Zb -C 192.168.1.81:9995
>> StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport TotPkts TotBytes State
>> 08:00:25.421000 Ne tcp 192.168.1.81.50249 -> 10.88.1.3.9010 36028797 1052069020 FSPA_
>> 08:00:26.229000 Ne tcp 192.168.1.81.57754 -> 10.88.1.3.9010 36028797 1059274779 FSPA_
>> 08:00:27.025000 Ne tcp 192.168.1.83.59773 -> 10.88.1.3.9010 36028797 9439826293 FSPA_
>> 08:00:29.265000 Ne tcp 192.168.1.81.51092 -> 10.88.1.3.9010 36028797 9367768699 FSPA_
>> 08:00:30.137000 Ne tcp 192.168.1.83.59523 -> 10.88.1.3.9010 36028797 9223653511 FSPA_
>> 08:00:30.309000 Ne tcp 192.168.1.81.54025 -> 10.88.1.3.9010 36028797 1059274779 FSPA_
>> 08:00:30.377000 Ne tcp 192.168.1.81.50366 -> 10.88.1.3.9010 36028797 1059274779 FSPA_
>> 08:00:32.317000 Ne tcp 192.168.1.81.62894 -> 10.88.1.4.9010 36028797 8431019977 FSPA_
>> 08:00:33.173000 Ne tcp 192.168.1.81.50927 -> 10.88.1.3.9010 36028797 7998674413 FSPA_
>> 08:00:34.689000 Ne tcp 192.168.1.81.58730 -> 10.88.1.3.9010 36028797 7998674413 FSPA_
>> 08:00:35.853000 Ne tcp 192.168.1.81.52157 -> 10.88.1.3.9010 36028797 9367768699 FSPA_
>> 08:00:36.337000 Ne tcp 192.168.1.81.62114 -> 10.88.1.4.9010 36028797 7998674413 FSPA_
>> 08:00:36.697000 Ne tcp 192.168.1.81.54555 -> 10.88.1.3.9010 36028797 9367768699 FSPA_
>> 08:00:25.135000 Ne udp 192.168.1.118.123 -> 192.168.1.82.123 72057594 5476377146 INT
>> 08:00:39.807000 Ne tcp 192.168.1.81.58689 -> 10.88.1.3.9010 36028797 8286904789 FSPA_
>> 08:00:42.039000 Ne tcp 192.168.1.81.62486 -> 10.88.1.3.9010 36028797 8358962383 FSPA_
>> 08:00:42.843000 Ne tcp 192.168.1.81.62241 -> 10.88.1.3.9010 36028797 8431019977 FSPA_
>> 08:00:43.763000 Ne tcp 192.168.1.81.55626 -> 10.88.1.3.9010 43234556 1124126614 FSPA_
>> 08:00:44.263000 Ne tcp 192.168.1.81.64527 -> 10.88.1.3.9010 36028797 7998674413 FSPA_
>> 08:00:45.307000 Ne tcp 192.168.1.81.55953 -> 10.88.1.4.9010 36028797 1059274779 FSPA_
>> 08:00:52.059000 Ne tcp 192.168.1.81.59595 -> 10.88.1.3.9010 36028797 7998674413 FSPA_
>> 08:00:54.155000 Ne tcp 192.168.1.83.54808 -> 10.88.1.3.9010 36028797 9223653511 FSPA_
>> 07:59:51.895000 Ne tcp 192.168.1.83.49982 -> 192.168.1.82.23 28147497 1096429476 SPA_
>> 08:00:57.391000 Ne tcp 192.168.1.81.59204 -> 10.88.1.3.9010 36028797 8070732007 FSPA_
>> 08:00:57.907000 Ne tcp 192.168.1.81.57558 -> 10.88.1.3.9010 36028797 9367768699 FSPA_
>> 08:00:58.863000 Ne tcp 192.168.1.81.52192 -> 10.88.1.3.9010 36028797 9223653511 FSPA_
>> 08:00:59.011000 Ne tcp 192.168.1.81.51943 -> 10.88.1.3.9010 36028797 8431019977 FSPA_
>> 08:01:01.663000 Ne tcp 192.168.1.81.60079 -> 10.88.1.3.9010 36028797 1059274779 FSPA_
>> 08:01:04.122000 Ne tcp 192.168.1.81.62693 -> 10.88.1.3.9010 36028797 1044863261 FSPA_
>> 08:01:09.902000 Ne tcp 192.168.1.81.51231 -> 10.88.1.3.9010 36028797 8431019977 FSPA_
>> 08:01:10.106000 Ne tcp 192.168.1.81.52592 -> 10.88.1.3.9010 36028797 1044863261 FSPA_
>> 08:01:12.194000 Ne tcp 192.168.1.81.62696 -> 10.88.1.3.9010 36028797 7133983284 FSPA_
>> 08:01:16.270000 Ne tcp 192.168.1.81.59954 -> 10.88.1.3.9010 36028797 7206040878 FSPA_
>> 08:01:19.194000 Ne tcp 192.168.1.81.63059 -> 10.88.1.3.9010 36028797 8431019977 FSPA_
>> 08:01:19.334000 Ne tcp 192.168.1.81.56706 -> 10.88.1.3.9010 36028797 1059274779 FSPA_
>> 08:01:20.574000 Ne tcp 192.168.1.81.57206 -> 10.88.1.3.9010 36028797 9367768699 FSPA_
>>
>>
>>> Carter
>>>
>>> On Jul 9, 2010, at 3:28 PM, Mike Tancsa wrote:
>>>
>>> > At 03:12 PM 7/9/2010, Carter Bullard wrote:
>>> >
>>> >> Can you do me a favor? Could you have ra() collect enough of the records,
>>> >> rather than the current radium() -> racluster() to see if the bug is in writing
>>> >> the records out or reading them in. Also, if you could just have ra() print the
>>> >> netflow records rather than writing them to disk, may indicate that it doesn't
>>> >> have an error in converting the netflow to argus, but writing the records to
>>> >
>>> >
>>> > Hi Carter,
>>> > It shows up quite quickly this way (IP addresses changed)
>>> >
>>> > # ra -L0 -n -Zb -C 192.168.1.81:9995
>>> > StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport TotPkts TotBytes State
>>> > 15:25:49.846000 Ne tcp 192.168.1.81.53812 -> 10.8.9.1.9010 36028797 1059274779 FSPA_
>>> > 15:25:37.998000 Ne icmp 192.168.1.81.771 -> 192.168.1.82.0 72057594 4035225266 URP
>>> > 15:25:51.566000 Ne tcp 192.168.1.81.57886 -> 10.8.9.1.9010 36028797 9367768699 FSPA_
>>> > 15:25:52.926000 Ne tcp 192.168.1.81.50378 -> 10.8.9.1.9010 36028797 7998674413 FSPA_
>>> > 15:25:53.662000 Ne tcp 192.168.1.81.50826 -> 10.8.9.1.9010 36028797 7998674413 FSPA_
>>> > 15:25:55.966000 Ne tcp 192.168.1.81.58986 -> 10.8.9.1.9010 36028797 1052069020 FSPA_
>>> > 15:25:56.282000 Ne tcp 192.168.1.81.57899 -> 10.8.9.1.9010 36028797 1044863261 FSPA_
>>> > 15:25:56.914000 Ne tcp 192.168.1.81.61121 -> 10.8.9.1.9010 36028797 1059274779 FSPA_
>>> > 15:25:59.270000 Ne tcp 192.168.1.81.53056 -> 10.8.9.1.9010 36028797 1052069020 FSPA_
>>> > 15:25:58.546000 Ne tcp 192.168.1.81.62492 -> 10.8.9.1.9010 36028797 8431019977 FSPA_
>>> > 15:25:59.814000 Ne tcp 192.168.1.81.54551 -> 10.8.9.1.9010 36028797 1059274779 FSPA_
>>> > 15:26:00.878000 Ne tcp 192.168.1.81.56269 -> 10.8.9.1.9010 36028797 1059274779 FSPA_
>>> >
>>> > ---Mike
>>>
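A plausibility check that can be run over ra listings like the ones above, written as an added example for this thread rather than taken from argus: it parses the columns of "ra -L0 -n -Zb" output and flags TotPkts/TotBytes pairs that cannot be real, either because the bytes per packet fall below the IPv4 plus transport header minimum or because a counter exceeds the 32-bit range a NetFlow v5 exporter can deliver. The header minimums and the 32-bit counter limit are assumptions to tune for the exporter in use, and the ICMP record from the Jul 9 listing passes both checks, which shows the heuristic catches most but not all of the corrupt rows.

```python
# Plausibility check for the TotPkts/TotBytes columns of "ra -L0 -n -Zb" output.
# Added example, not argus code; the thresholds are assumptions, not argus defaults.
MIN_BYTES_PER_PKT = {"tcp": 40, "udp": 28, "icmp": 28}  # 20-byte IPv4 header + transport header
MAX_BYTES_PER_PKT = 65535   # largest IPv4 datagram
COUNTER_MAX = 2**32 - 1     # assumption: the exporter sends 32-bit NetFlow counters
# Column order with -n: ports are appended to the addresses, so a record has 9 tokens.
FIELDS = ("start", "flgs", "proto", "src", "dir", "dst", "pkts", "bytes", "state")

def parse_ra_line(line):
    """Return a record dict for one data line, or None for the header or a blank line."""
    parts = line.split()
    if len(parts) != 9 or parts[0] == "StartTime":
        return None
    rec = dict(zip(FIELDS, parts))
    rec["pkts"], rec["bytes"] = int(rec["pkts"]), int(rec["bytes"])
    return rec

def check_record(rec):
    """List the reasons a record's counters look corrupt; an empty list means plausible."""
    reasons = []
    pkts, nbytes = rec["pkts"], rec["bytes"]
    if pkts > COUNTER_MAX or nbytes > COUNTER_MAX:
        reasons.append("counter exceeds 32-bit range")
    if pkts > 0:
        bpp = nbytes / pkts
        floor = MIN_BYTES_PER_PKT.get(rec["proto"], 20)
        if bpp < floor:
            reasons.append(f"{bpp:.1f} bytes/pkt is below the {floor}-byte header minimum")
        elif bpp > MAX_BYTES_PER_PKT:
            reasons.append(f"{bpp:.0f} bytes/pkt exceeds the IPv4 maximum")
    return reasons

def suspicious_records(text):
    """Return [(line, reasons)] for every record in ra output that fails a check."""
    hits = []
    for line in text.splitlines():
        rec = parse_ra_line(line)
        if rec is not None and (reasons := check_record(rec)):
            hits.append((line.strip(), reasons))
    return hits

# Constructed sample modelled on the thread: two sane records, then four Mike reported as wrong.
SAMPLE = """\
StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport TotPkts TotBytes State
23:59:51.468000 Ne tcp 172.25.1.1.59519 -> 192.168.1.13.9010 5 367 FSPA_
00:00:12.626558 e tcp 172.25.1.1.57736 -> 192.168.1.13.9010 10 878 FSPA_
08:00:25.421000 Ne tcp 192.168.1.81.50249 -> 10.88.1.3.9010 36028797 1052069020 FSPA_
08:00:29.265000 Ne tcp 192.168.1.81.51092 -> 10.88.1.3.9010 36028797 9367768699 FSPA_
08:00:25.135000 Ne udp 192.168.1.118.123 -> 192.168.1.82.123 72057594 5476377146 INT
15:25:37.998000 Ne icmp 192.168.1.81.771 -> 192.168.1.82.0 72057594 4035225266 URP
"""
```

Piping the live stream through it (ra ... | python3 check.py, reading sys.stdin instead of SAMPLE) gives a quick way to tell whether a build still emits the corrupt counters before comparing the two pipelines Carter suggests.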