filtering on pkts == filtering on dst pkts ?

Carter Bullard carter at qosient.com
Fri Oct 8 17:42:36 EDT 2010 

Hey George,
So "pkts", like "bytes", "host", "ttl" is a singular stat that can be applied to the "src" or "dst" or both.
When the direction is not specified, the direction is wild carded.  Your filter, "pkts gt 39", is compiled
as "(src pkts gt 39) or (dst pkts gt 39)".

Use the "-b" option to see how the compiler is constructing a particular filter:

thoth:common carter$ ra -b - src pkts gt 39
(000) ldll      dsr[3][4]
(001) jgt      #0x27            jt 2	jf 3
(002) ret      #96
(003) ret      #0

thoth:common carter$ ra -b - dst pkts gt 39
(000) ldll      dsr[3][28]
(001) jgt      #0x27            jt 2	jf 3
(002) ret      #96
(003) ret      #0

thoth:common carter$ ra -b - pkts gt 39
(000) ldll      dsr[3][4]
(001) jgt      #0x27            jt 4	jf 2
(002) ldll      dsr[3][28]
(003) jgt      #0x27            jt 4	jf 5
(004) ret      #96
(005) ret      #0


Carter

On Oct 5, 2010, at 9:38 AM, George Jones wrote:

> This does not look right.  Looks like "racluster ... -w - | ra -r - - pkts gt N" is filtering on "dst pkts gt N".   I expected it to
> filter on total pkts gt N.
> 
> Bug in the code or my understanding ?
> 
> Thanks,
> ---George
> 
> george at antique:~/data/pcap$ ra -r anony.ra -w - | ra -r - -s +spkts,dpkts - port 53620
>       StartTime    Flgs  Proto            SrcAddr  Sport   Dir            DstAddr  Dport  TotPkts   TotBytes State  SrcPkts  DstPkts 
> 08:34:39.956574  e         tcp          100.0.1.7.53620     ->          100.0.3.1.www          62      39399   CON       29       33
> 08:34:45.818360  e         tcp          100.0.1.7.53620     ->          100.0.3.1.www           8       2174   CON        4        4
> 08:36:49.895042  e         tcp          100.0.1.7.53620    <?>          100.0.3.1.www           4        264   FIN        2        2
> george at antique:~/data/pcap$ 
> george at antique:~/data/pcap$ # clustered
> george at antique:~/data/pcap$ racluster -r anony.ra -w - | ra -r - -s +spkts,dpkts - port 53620
>       StartTime    Flgs  Proto            SrcAddr  Sport   Dir            DstAddr  Dport  TotPkts   TotBytes State  SrcPkts  DstPkts 
> 08:34:39.956574  e         tcp          100.0.1.7.53620     ->          100.0.3.1.www          74      41837   FIN       35       39
> george at antique:~/data/pcap$ 
> george at antique:~/data/pcap$ # pkts gt dstpkts - 1
> george at antique:~/data/pcap$ racluster -r anony.ra -w - | ra -r - -s +spkts,dpkts - port 53620 and pkts gt 38
>       StartTime    Flgs  Proto            SrcAddr  Sport   Dir            DstAddr  Dport  TotPkts   TotBytes State  SrcPkts  DstPkts 
> 08:34:39.956574  e         tcp          100.0.1.7.53620     ->          100.0.3.1.www          74      41837   FIN       35       39
> george at antique:~/data/pcap$ 
> george at antique:~/data/pcap$ #pkts gt dst pkts
> george at antique:~/data/pcap$ racluster -r anony.ra -w - | ra -r - -s +spkts,dpkts - port 53620 and pkts gt 39
> george at antique:~/data/pcap$ 
> 

Carter Bullard
CEO/President
QoSient, LLC
150 E 57th Street Suite 12D
New York, New York  10022

+1 212 588-9133 Phone
+1 212 588-9134 Fax



-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3815 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20101008/202bf1e0/attachment.bin>

More information about the argus mailing list