FreeBSD 32-bit available for argus debug effort?

Carter Bullard carter at qosient.com
Wed Jul 21 13:33:43 EDT 2010


Gentle people,
Is there anyone who has an Intel box, 32-bit kernel running FreeBSD RELENG_7
that I could access to debug a Netflow parsing problem?  We have a set of netflow
packets that generate a problem for this type of configuration (not a problem with
64-bit) and so I'd need to run tcpreplay with these packets at an argus-client() to
see if we get these bogus metric values.

I can't replicate the problem on any other 32-bit machine that I have access to.

Carter

On Jul 12, 2010, at 10:36 AM, Carter Bullard wrote:

> Hey Mike,
> Thanks for the data, and that is exactly what I needed to know.  The bug should be in the
> original conversion of the netflow record into an argus record.  I'll try to find it today.
> Probably an alignment issue, or a collision in a status bit or something.
> 
> When we moved all the compile variables to the ./include/argus_config.h file, some bugs
> crept in.  I suspect that there is a #define that is missing in one of the Netflow parsing
> routines and it's generating an ARGUS_METER_DSR with an incorrect type specification.
> When ra* programs write out data, either to a file or to the wire, they change all the internal
> representations to a compressed stream representation, and can correct for record
> definition inconsistencies.  I suspect that is what is happening; it's just not catching all
> of them.
> 
> [....snip...]
> Thanks again!!!!!!!!!
> 
> Carter
> 
> On Jul 12, 2010, at 8:18 AM, Mike Tancsa wrote:
> 
>> 
>> Also just another datapoint, if I use ra from 3.0.3.14 to read an argus file created by the older version of radium, it works.
>> 
>> /tmp/argus-clients-3.0.3.14/bin/ra -L0 -nr radium.arg -Zb -N 25 - port 9010
>>        StartTime    Flgs  Proto            SrcAddr  Sport   Dir         DstAddr  Dport  TotPkts   TotBytes State
>>  23:59:57.498489  e         tcp     172.25.1.1.60183     -> 192.168.1.1.3.9010          9        816 FSPA_
>>  23:59:51.468000 Ne         tcp     172.25.1.1.59519     ->      192.168.1.1.3.9010       5        367 FSPA_
>>  23:59:51.556000 Ne         tcp     172.25.1.1.58054     ->      192.168.1.1.3.9010       5        403 FSPA_
>>  23:59:57.736000 Ne         tcp     172.25.1.1.60183     ->      192.168.1.1.3.9010       5        401 FSPA_
>>  00:00:12.626558  e         tcp     172.25.1.1.57736     -> 192.168.1.1.3.9010         10        878 FSPA_
>>  00:00:16.698774  e         tcp     172.25.1.1.55670     -> 192.168.1.1.3.9010         10        878 FSPA_
>>  00:00:12.805000 Ne         tcp     172.25.1.1.57736     ->      192.168.1.1.3.9010       5        403 FSPA_
>>  00:00:16.913000 Ne         tcp     172.25.1.1.55670     ->      192.168.1.1.3.9010       5        403 FSPA_
>>  00:00:17.409000 Ne         tcp     172.25.1.1.64095     ->      192.168.1.1.3.9010       5        373 FSPA_
>>  00:00:17.709000 Ne         tcp     172.25.1.1.61488     ->      192.168.1.1.3.9010       5        386 FSPA_
>>  00:00:17.190421  e         tcp     172.25.1.1.64095     -> 192.168.1.1.3.9010         10        820 FSPA_
>>  00:00:17.490838  e         tcp     172.25.1.1.61488     -> 192.168.1.1.3.9010         10        861 FSPA_
>>  00:00:23.292488  e         tcp     172.25.1.1.59905     -> 192.168.1.1.3.9010         10        877 FSPA_
>>  00:00:27.742003  e         tcp     172.25.1.1.52194     -> 192.168.1.1.3.9010         10        877 FSPA_
>>  00:00:23.500000 Ne         tcp     172.25.1.1.59905     ->      192.168.1.1.3.9010       5        402 FSPA_
>>  00:00:25.332000 Ne         tcp     172.25.1.1.64507     ->      192.168.1.1.4.9010       5        402 FSPA_
>>  00:00:27.988000 Ne         tcp     172.25.1.1.52194     ->      192.168.1.1.3.9010       5        402 FSPA_
>> 
>> At 08:05 AM 7/12/2010, Mike Tancsa wrote:
>>> At 04:49 PM 7/9/2010, Carter Bullard wrote:
>>>> Is that with argus-clients-3.0.3.14 ?
>>> 
>>> Hi,
>>>       I double checked, and yes
>>> 
>>> # pwd
>>> /tmp/argus-clients-3.0.3.14/bin
>>> 
>>> ./ra -L0 -n -Zb -C 192.168.1.81:9995
>>>        StartTime    Flgs  Proto            SrcAddr  Sport   Dir           DstAddr  Dport  TotPkts   TotBytes State
>>>  08:00:25.421000 Ne         tcp     192.168.1.81.50249     ->      10.88.1.3.9010 36028797 1052069020 FSPA_
>>>  08:00:26.229000 Ne         tcp     192.168.1.81.57754     ->      10.88.1.3.9010 36028797 1059274779 FSPA_
>>>  08:00:27.025000 Ne         tcp     192.168.1.83.59773     ->      10.88.1.3.9010 36028797 9439826293 FSPA_
>>>  08:00:29.265000 Ne         tcp     192.168.1.81.51092     ->      10.88.1.3.9010 36028797 9367768699 FSPA_
>>>  08:00:30.137000 Ne         tcp     192.168.1.83.59523     ->      10.88.1.3.9010 36028797 9223653511 FSPA_
>>>  08:00:30.309000 Ne         tcp     192.168.1.81.54025     ->      10.88.1.3.9010 36028797 1059274779 FSPA_
>>>  08:00:30.377000 Ne         tcp     192.168.1.81.50366     ->      10.88.1.3.9010 36028797 1059274779 FSPA_
>>>  08:00:32.317000 Ne         tcp     192.168.1.81.62894     ->      10.88.1.4.9010 36028797 8431019977 FSPA_
>>>  08:00:33.173000 Ne         tcp     192.168.1.81.50927     ->      10.88.1.3.9010 36028797 7998674413 FSPA_
>>>  08:00:34.689000 Ne         tcp     192.168.1.81.58730     ->      10.88.1.3.9010 36028797 7998674413 FSPA_
>>>  08:00:35.853000 Ne         tcp     192.168.1.81.52157     ->      10.88.1.3.9010 36028797 9367768699 FSPA_
>>>  08:00:36.337000 Ne         tcp     192.168.1.81.62114     ->      10.88.1.4.9010 36028797 7998674413 FSPA_
>>>  08:00:36.697000 Ne         tcp     192.168.1.81.54555     ->      10.88.1.3.9010 36028797 9367768699 FSPA_
>>>  08:00:25.135000 Ne         udp    192.168.1.118.123       ->     192.168.1.82.123   72057594 5476377146   INT
>>>  08:00:39.807000 Ne         tcp     192.168.1.81.58689     ->      10.88.1.3.9010 36028797 8286904789 FSPA_
>>>  08:00:42.039000 Ne         tcp     192.168.1.81.62486     ->      10.88.1.3.9010 36028797 8358962383 FSPA_
>>>  08:00:42.843000 Ne         tcp     192.168.1.81.62241     ->      10.88.1.3.9010 36028797 8431019977 FSPA_
>>>  08:00:43.763000 Ne         tcp     192.168.1.81.55626     ->      10.88.1.3.9010 43234556 1124126614 FSPA_
>>>  08:00:44.263000 Ne         tcp     192.168.1.81.64527     ->      10.88.1.3.9010 36028797 7998674413 FSPA_
>>>  08:00:45.307000 Ne         tcp     192.168.1.81.55953     ->      10.88.1.4.9010 36028797 1059274779 FSPA_
>>>  08:00:52.059000 Ne         tcp     192.168.1.81.59595     ->      10.88.1.3.9010 36028797 7998674413 FSPA_
>>>  08:00:54.155000 Ne         tcp     192.168.1.83.54808     ->      10.88.1.3.9010 36028797 9223653511 FSPA_
>>>  07:59:51.895000 Ne         tcp     192.168.1.83.49982     ->     192.168.1.82.23   28147497 1096429476  SPA_
>>>  08:00:57.391000 Ne         tcp     192.168.1.81.59204     ->      10.88.1.3.9010 36028797 8070732007 FSPA_
>>>  08:00:57.907000 Ne         tcp     192.168.1.81.57558     ->      10.88.1.3.9010 36028797 9367768699 FSPA_
>>>  08:00:58.863000 Ne         tcp     192.168.1.81.52192     ->      10.88.1.3.9010 36028797 9223653511 FSPA_
>>>  08:00:59.011000 Ne         tcp     192.168.1.81.51943     ->      10.88.1.3.9010 36028797 8431019977 FSPA_
>>>  08:01:01.663000 Ne         tcp     192.168.1.81.60079     ->      10.88.1.3.9010 36028797 1059274779 FSPA_
>>>  08:01:04.122000 Ne         tcp     192.168.1.81.62693     ->      10.88.1.3.9010 36028797 1044863261 FSPA_
>>>  08:01:09.902000 Ne         tcp     192.168.1.81.51231     ->      10.88.1.3.9010 36028797 8431019977 FSPA_
>>>  08:01:10.106000 Ne         tcp     192.168.1.81.52592     ->      10.88.1.3.9010 36028797 1044863261 FSPA_
>>>  08:01:12.194000 Ne         tcp     192.168.1.81.62696     ->      10.88.1.3.9010 36028797 7133983284 FSPA_
>>>  08:01:16.270000 Ne         tcp     192.168.1.81.59954     ->      10.88.1.3.9010 36028797 7206040878 FSPA_
>>>  08:01:19.194000 Ne         tcp     192.168.1.81.63059     ->      10.88.1.3.9010 36028797 8431019977 FSPA_
>>>  08:01:19.334000 Ne         tcp     192.168.1.81.56706     ->      10.88.1.3.9010 36028797 1059274779 FSPA_
>>>  08:01:20.574000 Ne         tcp     192.168.1.81.57206     ->      10.88.1.3.9010 36028797 9367768699 FSPA_
>>> 
>>> 
>>>> Carter
>>>> 
>>>> On Jul 9, 2010, at 3:28 PM, Mike Tancsa wrote:
>>>> 
>>>>> At 03:12 PM 7/9/2010, Carter Bullard wrote:
>>>>> 
>>>>>> Can you do me a favor?  Could you have ra() collect enough of the records,
>>>>>> rather than the current radium() -> racluster() to see if the bug is in writing
>>>>>> the records out or reading them in.  Also, if you could just have ra() print the
>>>>>> netflow records rather than writing them to disk, may indicate that it doesn't
>>>>>> have an error in converting the netflow to argus, but writing the records to
>>>>> 
>>>>> 
>>>>> Hi Carter,
>>>>>       It shows up quite quickly this way (IP addresses changed)
>>>>> 
>>>>> # ra -L0 -n -Zb -C 192.168.1.81:9995
>>>>>        StartTime    Flgs  Proto            SrcAddr  Sport   Dir          DstAddr  Dport  TotPkts   TotBytes State
>>>>>  15:25:49.846000 Ne         tcp     192.168.1.81.53812     ->      10.8.9.1.9010 36028797 1059274779 FSPA_
>>>>>  15:25:37.998000 Ne        icmp     192.168.1.81.771       ->     192.168.1.82.0 72057594 4035225266   URP
>>>>>  15:25:51.566000 Ne         tcp     192.168.1.81.57886     ->      10.8.9.1.9010 36028797 9367768699 FSPA_
>>>>>  15:25:52.926000 Ne         tcp     192.168.1.81.50378     ->      10.8.9.1.9010 36028797 7998674413 FSPA_
>>>>>  15:25:53.662000 Ne         tcp     192.168.1.81.50826     ->      10.8.9.1.9010 36028797 7998674413 FSPA_
>>>>>  15:25:55.966000 Ne         tcp     192.168.1.81.58986     ->      10.8.9.1.9010 36028797 1052069020 FSPA_
>>>>>  15:25:56.282000 Ne         tcp     192.168.1.81.57899     ->      10.8.9.1.9010 36028797 1044863261 FSPA_
>>>>>  15:25:56.914000 Ne         tcp     192.168.1.81.61121     ->      10.8.9.1.9010 36028797 1059274779 FSPA_
>>>>>  15:25:59.270000 Ne         tcp     192.168.1.81.53056     ->      10.8.9.1.9010 36028797 1052069020 FSPA_
>>>>>  15:25:58.546000 Ne         tcp     192.168.1.81.62492     ->      10.8.9.1.9010 36028797 8431019977 FSPA_
>>>>>  15:25:59.814000 Ne         tcp     192.168.1.81.54551     ->      10.8.9.1.9010 36028797 1059274779 FSPA_
>>>>>  15:26:00.878000 Ne         tcp     192.168.1.81.56269     ->      10.8.9.1.9010 36028797 1059274779 FSPA_
>>>>> 
>>>>> 
>>>>> 
>>>>>       ---Mike
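The two ideas Carter raises above, that a metric can land at a different offset or carry a different type on a 32-bit host, and that the ra* writers re-encode internal records into a stream representation, are easiest to see side by side in code. What follows is an added example written for this page; it is not Argus or argus-clients code and not anything posted in the thread. It parses a constructed NetFlow v5 record (using the documented Cisco v5 field offsets) into a hypothetical 64-bit flow_metric and writes that metric to a byte layout fixed by the code rather than inherited from the compiler. struct flow_metric, METRIC_STREAM_LEN, the stream offsets and the sample record bytes are all assumptions made for illustration.

```c
/* Added example, not Argus/argus-clients code: parse a constructed NetFlow v5 record
 * into a 64-bit metric record and serialise it to a fixed byte layout that never depends
 * on the host's struct padding. struct flow_metric, METRIC_STREAM_LEN and the stream
 * offsets are assumptions for illustration; the v5 field offsets are the Cisco format. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <arpa/inet.h>

#define NF5_RECORD_LEN    48   /* one Cisco NetFlow v5 flow record */
#define METRIC_STREAM_LEN 32   /* assumed stream/file size of one flow_metric */

/* Host-order metric with 64-bit counters. The 12-byte prefix before pkts is deliberate:
 * GCC puts pkts at offset 12 on i386 (uint64_t aligned to 4) but at 16 on x86_64
 * (aligned to 8), so sizeof is 32 on one and 40 on the other. */
struct flow_metric {
    uint32_t src_addr, dst_addr;
    uint16_t src_port, dst_port;
    uint64_t pkts, bytes;
    uint8_t  proto, tcp_flags;
};

/* memcpy-based accessors: valid at any offset, aligned or not, on any host. */
static uint32_t be32_at(const uint8_t *p, size_t o) { uint32_t v; memcpy(&v, p + o, 4); return ntohl(v); }
static uint16_t be16_at(const uint8_t *p, size_t o) { uint16_t v; memcpy(&v, p + o, 2); return ntohs(v); }
static uint64_t be64_at(const uint8_t *p, size_t o) { return ((uint64_t)be32_at(p, o) << 32) | be32_at(p, o + 4); }
static void put_be32(uint8_t *p, uint32_t v) { v = htonl(v); memcpy(p, &v, 4); }
static void put_be16(uint8_t *p, uint16_t v) { v = htons(v); memcpy(p, &v, 2); }
static void put_be64(uint8_t *p, uint64_t v) { put_be32(p, (uint32_t)(v >> 32)); put_be32(p + 4, (uint32_t)v); }

/* v5 record: srcaddr@0 dstaddr@4 nexthop@8 input@12 output@14 dPkts@16 dOctets@20
 * First@24 Last@28 srcport@32 dstport@34 pad@36 tcp_flags@37 prot@38 tos@39 ... */
int nf5_parse_record(const uint8_t *rec, size_t len, struct flow_metric *m)
{
    if (len < NF5_RECORD_LEN) return -1;            /* truncated record */
    memset(m, 0, sizeof *m);
    m->src_addr = be32_at(rec, 0);   m->dst_addr = be32_at(rec, 4);
    m->pkts     = be32_at(rec, 16);  m->bytes    = be32_at(rec, 20); /* 32 -> 64 bit */
    m->src_port = be16_at(rec, 32);  m->dst_port = be16_at(rec, 34);
    m->tcp_flags = rec[37];          m->proto    = rec[38];
    return 0;
}

/* Assumed stream layout, fixed here rather than by the compiler: src_addr@0
 * dst_addr@4 src_port@8 dst_port@10 pkts@12 bytes@20 proto@28 tcp_flags@29. */
size_t metric_write(const struct flow_metric *m, uint8_t *out)
{
    memset(out, 0, METRIC_STREAM_LEN);
    put_be32(out + 0, m->src_addr);  put_be32(out + 4, m->dst_addr);
    put_be16(out + 8, m->src_port);  put_be16(out + 10, m->dst_port);
    put_be64(out + 12, m->pkts);     put_be64(out + 20, m->bytes);
    out[28] = m->proto;              out[29] = m->tcp_flags;
    return METRIC_STREAM_LEN;
}
int metric_read(const uint8_t *in, size_t len, struct flow_metric *m)
{
    if (len < METRIC_STREAM_LEN) return -1;
    memset(m, 0, sizeof *m);
    m->src_addr = be32_at(in, 0);    m->dst_addr = be32_at(in, 4);
    m->src_port = be16_at(in, 8);    m->dst_port = be16_at(in, 10);
    m->pkts     = be64_at(in, 12);   m->bytes    = be64_at(in, 20);
    m->proto    = in[28];            m->tcp_flags = in[29];
    return 0;
}

/* Would a raw memcpy of the struct give the same bytes as metric_write()? Only where the
 * compiler's padding equals the stream layout: 1 on i386, 0 on x86_64. Records copied raw
 * on one host and read raw on the other pull their counters from the wrong offsets. */
int metric_struct_matches_stream(void)
{
    return sizeof(struct flow_metric) == METRIC_STREAM_LEN
        && offsetof(struct flow_metric, pkts) == 12
        && offsetof(struct flow_metric, bytes) == 20;
}

/* Constructed record: 192.168.1.81:53812 -> 10.8.9.1:9010, tcp, 5 pkts, 403 bytes. */
void make_sample_record(uint8_t *rec)
{
    memset(rec, 0, NF5_RECORD_LEN);
    put_be32(rec + 0, 0xC0A80151u);  put_be32(rec + 4, 0x0A080901u);
    put_be32(rec + 16, 5);           put_be32(rec + 20, 403);
    put_be16(rec + 32, 53812);       put_be16(rec + 34, 9010);
    rec[37] = 0x1F;                  rec[38] = 6;
}

/* parse -> write -> read on the sample; 0 when every field survives, else the
 * 1-based number of the first check that failed. */
int roundtrip_check(void)
{
    uint8_t rec[NF5_RECORD_LEN], stream[METRIC_STREAM_LEN];
    struct flow_metric a, b;
    make_sample_record(rec);
    if (nf5_parse_record(rec, NF5_RECORD_LEN - 1, &a) != -1)                       return 1;
    if (nf5_parse_record(rec, sizeof rec, &a) != 0)                                return 2;
    if (a.src_addr != 0xC0A80151u || a.dst_addr != 0x0A080901u || a.proto != 6)    return 3;
    if (a.pkts != 5 || a.bytes != 403 || a.src_port != 53812 || a.dst_port != 9010) return 4;
    if (metric_write(&a, stream) != METRIC_STREAM_LEN || metric_read(stream, sizeof stream, &b) != 0) return 5;
    if (b.pkts != a.pkts || b.bytes != a.bytes || b.src_port != a.src_port || b.proto != a.proto) return 6;
    return 0;
}
```

metric_struct_matches_stream() is the check worth having wherever a record type is also memcpy'd around as a struct: built with gcc -m32 for i386 it returns 1 (uint64_t is 4-byte aligned there, so the struct happens to coincide with the stream layout), on x86_64 it returns 0, and a record produced by a raw struct copy on one host and consumed on the other reads its counters from the wrong bytes. A writer and reader that share metric_write()/metric_read() agree on every host because the layout is spelled out in code. To run it stand-alone, add a main() that calls roundtrip_check() and expects 0.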