filtering on pkts == filtering on dst pkts ?

George Jones fooologist at gmail.com
Mon Oct 11 15:08:51 EDT 2010


On Fri, Oct 8, 2010 at 5:42 PM, Carter Bullard <carter at qosient.com> wrote:

> Hey George,
> So "pkts", like "bytes", "host", "ttl" is a singular stat that can be
> applied to the "src" or "dst" or both.
> When the direction is not specified, the direction is wild carded.  Your
> filter, "pkts gt 39", is compiled
> as "(src pkts gt 39) or (dst pkts gt 39)".
>

This is non-intuitive, especially since "-s pkts" prints total pkts.

How would one filter on the total transaction byte count ?

Where are all the filter elements listed in the code ?

Thanks,
---George


>
> Use the "-b" option to see how the compiler is constructing a particular
> filter:
>
> thoth:common carter$ ra -b - src pkts gt 39
> (000) ldll      dsr[3][4]
> (001) jgt      #0x27            jt 2    jf 3
> (002) ret      #96
> (003) ret      #0
>
> thoth:common carter$ ra -b - dst pkts gt 39
> (000) ldll      dsr[3][28]
> (001) jgt      #0x27            jt 2    jf 3
> (002) ret      #96
> (003) ret      #0
>
> thoth:common carter$ ra -b - pkts gt 39
> (000) ldll      dsr[3][4]
> (001) jgt      #0x27            jt 4    jf 2
> (002) ldll      dsr[3][28]
> (003) jgt      #0x27            jt 4    jf 5
> (004) ret      #96
> (005) ret      #0
>
>
> Carter
>
> On Oct 5, 2010, at 9:38 AM, George Jones wrote:
>
> > This does not look right.  Looks like "racluster ... -w - | ra -r - - pkts gt N" is filtering on "dst pkts gt N".
> > I expected it to filter on total pkts gt N.
> >
> > Bug in the code or my understanding ?
> >
> > Thanks,
> > ---George
> >
> > george at antique:~/data/pcap$ ra -r anony.ra -w - | ra -r - -s +spkts,dpkts - port 53620
> >       StartTime    Flgs  Proto            SrcAddr  Sport   Dir            DstAddr  Dport  TotPkts   TotBytes State  SrcPkts  DstPkts
> > 08:34:39.956574  e         tcp          100.0.1.7.53620     ->          100.0.3.1.www          62      39399   CON       29       33
> > 08:34:45.818360  e         tcp          100.0.1.7.53620     ->          100.0.3.1.www           8       2174   CON        4        4
> > 08:36:49.895042  e         tcp          100.0.1.7.53620    <?>          100.0.3.1.www           4        264   FIN        2        2
> > george at antique:~/data/pcap$
> > george at antique:~/data/pcap$ # clustered
> > george at antique:~/data/pcap$ racluster -r anony.ra -w - | ra -r - -s +spkts,dpkts - port 53620
> >       StartTime    Flgs  Proto            SrcAddr  Sport   Dir            DstAddr  Dport  TotPkts   TotBytes State  SrcPkts  DstPkts
> > 08:34:39.956574  e         tcp          100.0.1.7.53620     ->          100.0.3.1.www          74      41837   FIN       35       39
> > george at antique:~/data/pcap$
> > george at antique:~/data/pcap$ # pkts gt dstpkts - 1
> > george at antique:~/data/pcap$ racluster -r anony.ra -w - | ra -r - -s +spkts,dpkts - port 53620 and pkts gt 38
> >       StartTime    Flgs  Proto            SrcAddr  Sport   Dir            DstAddr  Dport  TotPkts   TotBytes State  SrcPkts  DstPkts
> > 08:34:39.956574  e         tcp          100.0.1.7.53620     ->          100.0.3.1.www          74      41837   FIN       35       39
> > george at antique:~/data/pcap$
> > george at antique:~/data/pcap$ #pkts gt dst pkts
> > george at antique:~/data/pcap$ racluster -r anony.ra -w - | ra -r - -s +spkts,dpkts - port 53620 and pkts gt 39
> > george at antique:~/data/pcap$
> >
> >
>
> Carter Bullard
> CEO/President
> QoSient, LLC
> 150 E 57th Street Suite 12D
> New York, New York  10022
>
> +1 212 588-9133 Phone
> +1 212 588-9134 Fax
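As an added illustration (not from the thread and not argus's own code), a small Python model of the compilation rule Carter describes: a direction-less "pkts" term is wild-carded into "(src pkts ...) or (dst pkts ...)". It assumes a constructed flow record taken from the clustered line in George's output (SrcPkts 35, DstPkts 39, TotPkts 74), and the `total_match` function models only the per-flow-total reading George expected, not any argus filter syntax.

```python
import operator
import re

# Comparison keywords used in the filter terms on this thread.
OPS = {"gt": operator.gt, "lt": operator.lt, "eq": operator.eq}

# Constructed flow record reproducing the clustered line in George's
# output: SrcPkts 35, DstPkts 39, so TotPkts is 74.
CLUSTERED = {"spkts": 35, "dpkts": 39}

TERM_RE = re.compile(r"(?:(src|dst)\s+)?pkts\s+(gt|lt|eq)\s+(\d+)")


def compile_term(term):
    """Expand one 'pkts' term the way Carter describes ra doing it:
    with no direction given, the direction is wild-carded, so the term
    becomes a list of (field, op, value) alternatives OR-ed together."""
    m = TERM_RE.fullmatch(term.strip())
    if not m:
        raise ValueError(f"unsupported term: {term!r}")
    direction, op, value = m.groups()
    fields = ["spkts", "dpkts"] if direction is None else [direction[0] + "pkts"]
    return [(field, op, int(value)) for field in fields]


def wildcard_match(term, rec):
    """Evaluate the expanded term: true if either direction satisfies it."""
    return any(OPS[op](rec[field], value) for field, op, value in compile_term(term))


def total_match(term, rec):
    """The reading George expected: compare against spkts + dpkts.
    Model of the expected semantics only (hypothetical), not argus syntax."""
    (_, op, value), *_ = compile_term(term)
    return OPS[op](rec["spkts"] + rec["dpkts"], value)


if __name__ == "__main__":
    # "pkts gt 38" matches through the dst side (39 > 38); "pkts gt 39" matches
    # neither side even though the flow carried 74 packets in total.
    for term in ("pkts gt 38", "pkts gt 39", "src pkts gt 38", "dst pkts gt 38"):
        print(f"{term:15} wildcard={wildcard_match(term, CLUSTERED)!s:5} "
              f"total={total_match(term, CLUSTERED)}")
```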