Problem with byte-swapped IP addresses
Peter Van Epp
vanepp at sfu.ca
Thu Mar 4 13:59:58 EST 2010
On Thu, Mar 04, 2010 at 05:34:13PM +0100, Martijn van Oosterhout wrote:
> Hi,
>
> (argus 3.0.0, but it also happens with 3.0.3.2)
>
> I'm having a problem with IP addresses being byte-swapped in the argus
> output, like so:
>
> 03 Mar 10 00:30:16 e f tcp 70.20.168.192 * ->
> 93.20.168.192 * 1 1514 INT
> 03 Mar 10 00:30:16 e f tcp 93.20.168.192 * ->
> 192.168.20.70 * 1 1514 INT
> 03 Mar 10 00:30:17 e tcp 70.20.168.192.1823 ?>
> 192.168.20.93.1307 1 1514 CON
> 03 Mar 10 00:30:21 e f tcp 12.20.168.192 * ->
> 62.20.168.192 * 1 1514 INT
>
<snip>
I assume this is an Intel (or other big-endian) machine? If so I'd
look at the hton macros as a possible source (although I don't immediately
see why they would change). If the data isn't changed from network to host
order I think it will be reversed this way (but haven't actually looked at the
code). Given it seems to be at high load, there may be a bug (such as lack of
hton macros) in the overload code (argus reduces what it is capturing when
load gets too high). It may be profitable to try and capture the pcap input
files that argus sees by setting ARGUS_PACKET_CAPTURE_FILE in your argus.conf
file although if the pcaps look OK it's more likely an argus bug somewhere I
think. If you shouldn't be seeing any 70. addresses a print statement that
dumps the PCAP record coded in to argus would shed some light on matters.
Carter may also be able to look in an appropriate place and see the problem as
well :-)
Peter Van Epp
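The mechanism suspected above, as an added example that is not argus code or the poster's: a header-order IPv4 address formatted with and without the network-to-host conversion, plus a triage check that tells whether an odd address in the output is just the expected one with its octets reversed. It assumes a POSIX host with arpa/inet.h; the sample addresses are the 192.168.20.x hosts from the quoted output.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* Parse a dotted quad into the 32-bit value exactly as it sits in an
   IP header, i.e. network (big-endian) byte order. Returns 0 on failure. */
static uint32_t addr_from(const char *quad) {
    struct in_addr in;
    if (inet_pton(AF_INET, quad, &in) != 1)
        return 0;
    return in.s_addr;                        /* already network order */
}

/* Format a header-order address as a dotted quad. With apply_ntohl == 1
   this is the correct path on any host; with 0 it mimics a forgotten
   ntohl(), which on a little-endian host prints the octets reversed. */
static const char *dotted(uint32_t addr_net, int apply_ntohl) {
    static char buf[INET_ADDRSTRLEN];
    uint32_t h = apply_ntohl ? ntohl(addr_net) : addr_net;
    snprintf(buf, sizeof buf, "%u.%u.%u.%u",
             (h >> 24) & 0xffu, (h >> 16) & 0xffu, (h >> 8) & 0xffu, h & 0xffu);
    return buf;
}

/* Triage helper: is `seen` just `expected` with its four octets reversed?
   1 means the odd address is a byte-order artefact, not a real host.
   Works on any host because it reverses the in-memory bytes of both. */
static int check_byte_swapped(const char *seen, const char *expected) {
    uint32_t s = addr_from(seen), e = addr_from(expected);
    if (s == 0 || e == 0 || s == e)
        return 0;
    uint32_t rev = ((e & 0xffu) << 24) | ((e & 0xff00u) << 8) |
                   ((e & 0xff0000u) >> 8) | (e >> 24);
    return s == rev;
}

int main(void) {
    /* Constructed sample: hosts from the quoted argus output. */
    const char *hosts[] = { "192.168.20.70", "192.168.20.93" };
    for (size_t i = 0; i < 2; i++) {
        uint32_t a = addr_from(hosts[i]);
        printf("%-14s with ntohl: %-15s", hosts[i], dotted(a, 1));
        printf(" without: %s\n", dotted(a, 0));
    }
    printf("70.20.168.192 is 192.168.20.70 byte-swapped: %s\n",
           check_byte_swapped("70.20.168.192", "192.168.20.70") ? "yes" : "no");
    return 0;
}
```

On a little-endian host the "without" column reproduces the 70.20.168.192 style addresses in the quoted output; on a big-endian host both columns agree, which is why the bug only shows on one class of machine.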