filtering on pkts == filtering on dst pkts ?

Carter Bullard carter at qosient.com
Mon Oct 11 16:12:02 EDT 2010 

Hey George,
Well, I think its consistent with all the other variables that apply to both the source and destination,
but not sure if that helps.  In the ra manpage, this topic is covered well, but may seem buried,
but its right up front in the expression definition for the filter (around line 350), and explicitly
stated on line 472 of the ra manpage.

The list of tokens maybe the best source of all the filter options.  They are in enumerated in
./common/scanner.l, but the manpage doesn't do a bad job.  Maybe lagging in a few keywords.

OK, I have some filter syntax and token issues coming up after argus-3.0.4.  There have been
requests to do content comparisons, such as (src bytes gt dst bytes) or (src net neq dst net).
So, I think this may qualify, and will open up the discussion for filter changes.
We could implement something like:

   (src pkts + dst pkts) gt 20

Would that be too cumbersome, or would you rather have:

   total pkts gt 20

which maybe much easier to implement?

Carter

On Oct 11, 2010, at 3:08 PM, George Jones wrote:

> On Fri, Oct 8, 2010 at 5:42 PM, Carter Bullard <carter at qosient.com> wrote:
> Hey George,
> So "pkts", like "bytes", "host", "ttl" is a singular stat that can be applied to the "src" or "dst" or both.
> When the direction is not specified, the direction is wild carded.  Your filter, "pkts gt 39", is compiled
> as "(src pkts gt 39) or (dst pkts gt 39)".
> 
> This is non-intuitive, especially since "-s pkts" prints total pkts.
> 
> How would one filter on the total transaction byte count ?
> 
> Where are all the filter elements listed in the code ?
> 
> Thanks,
> ---George
>  
> 
> Use the "-b" option to see how the compiler is constructing a particular filter:
> 
> thoth:common carter$ ra -b - src pkts gt 39
> (000) ldll      dsr[3][4]
> (001) jgt      #0x27            jt 2    jf 3
> (002) ret      #96
> (003) ret      #0
> 
> thoth:common carter$ ra -b - dst pkts gt 39
> (000) ldll      dsr[3][28]
> (001) jgt      #0x27            jt 2    jf 3
> (002) ret      #96
> (003) ret      #0
> 
> thoth:common carter$ ra -b - pkts gt 39
> (000) ldll      dsr[3][4]
> (001) jgt      #0x27            jt 4    jf 2
> (002) ldll      dsr[3][28]
> (003) jgt      #0x27            jt 4    jf 5
> (004) ret      #96
> (005) ret      #0
> 
> 
> Carter
> 
> On Oct 5, 2010, at 9:38 AM, George Jones wrote:
> 
> > This does not look right.  Looks like "racluster ... -w - | ra -r - - pkts gt N" is filtering on "dst pkts gt N".   I expected it to
> > filter on total pkts gt N.
> >
> > Bug in the code or my understanding ?
> >
> > Thanks,
> > ---George
> >
> > george at antique:~/data/pcap$ ra -r anony.ra -w - | ra -r - -s +spkts,dpkts - port 53620
> >       StartTime    Flgs  Proto            SrcAddr  Sport   Dir            DstAddr  Dport  TotPkts   TotBytes State  SrcPkts  DstPkts
> > 08:34:39.956574  e         tcp          100.0.1.7.53620     ->          100.0.3.1.www          62      39399   CON       29       33
> > 08:34:45.818360  e         tcp          100.0.1.7.53620     ->          100.0.3.1.www           8       2174   CON        4        4
> > 08:36:49.895042  e         tcp          100.0.1.7.53620    <?>          100.0.3.1.www           4        264   FIN        2        2
> > george at antique:~/data/pcap$
> > george at antique:~/data/pcap$ # clustered
> > george at antique:~/data/pcap$ racluster -r anony.ra -w - | ra -r - -s +spkts,dpkts - port 53620
> >       StartTime    Flgs  Proto            SrcAddr  Sport   Dir            DstAddr  Dport  TotPkts   TotBytes State  SrcPkts  DstPkts
> > 08:34:39.956574  e         tcp          100.0.1.7.53620     ->          100.0.3.1.www          74      41837   FIN       35       39
> > george at antique:~/data/pcap$
> > george at antique:~/data/pcap$ # pkts gt dstpkts - 1
> > george at antique:~/data/pcap$ racluster -r anony.ra -w - | ra -r - -s +spkts,dpkts - port 53620 and pkts gt 38
> >       StartTime    Flgs  Proto            SrcAddr  Sport   Dir            DstAddr  Dport  TotPkts   TotBytes State  SrcPkts  DstPkts
> > 08:34:39.956574  e         tcp          100.0.1.7.53620     ->          100.0.3.1.www          74      41837   FIN       35       39
> > george at antique:~/data/pcap$
> > george at antique:~/data/pcap$ #pkts gt dst pkts
> > george at antique:~/data/pcap$ racluster -r anony.ra -w - | ra -r - -s +spkts,dpkts - port 53620 and pkts gt 39
> > george at antique:~/data/pcap$
> >
> 
> Carter Bullard
> CEO/President
> QoSient, LLC
> 150 E 57th Street Suite 12D
> New York, New York  10022
> 
> +1 212 588-9133 Phone
> +1 212 588-9134 Fax
> 
> 
> 
> 

Carter Bullard
CEO/President
QoSient, LLC
150 E 57th Street Suite 12D
New York, New York  10022

+1 212 588-9133 Phone
+1 212 588-9134 Fax



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20101011/69c3e69f/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3815 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20101011/69c3e69f/attachment.bin>

More information about the argus mailing list