Problems with "-n" option

Rafael Barbosa rrbarbosa at gmail.com
Wed Sep 22 08:51:16 EDT 2010 

Hi again,

Spend a while doing some tests trying to reproduce the error. Here is my
explanation for the behavior I observed:

My filter consisted in selecting a number of saddr fields (dst host X or dst
host Y or ...). For some reason some flows have their 'saddr' and 'daddr'
exchanged when comparing the output generated by ra() with the option '-n'
and without it. As a consequence the amount of records displayed (lines
counted with wc) is different, as a different number of saddr is displayed
when using the filter.

The attached file demonstrate the problem. If you run this series of
commands you can find 2 records that have their saddr and daddr exchanged.
So a filter which is based in saddr or daddr, would have a different effect
depending on the use of the "-n" option.

$ ra -nn -r file.argus -s saddr,daddr > withN
$ ra -r file.argus -s saddr,daddr > withoutN
$ diff withN withoutN
284c284
<            1.0.6.1            1.0.2.1
---
>            1.0.2.1            1.0.6.1
929c929
<            1.0.6.1            1.0.2.1
---
>            1.0.2.1            1.0.6.1


--
Rafael Barbosa
http://www.vf.utwente.nl/~barbosarr/



On Tue, Sep 21, 2010 at 5:39 PM, Rafael Barbosa <rrbarbosa at gmail.com> wrote:

> Hi all,
>
> I think I discovered a bug in ra() when using the "-n" option. I while
> trying to display the unique saddr and daddr in a argus file using ra() and
> some bash scripting I kept getting inconsistent results. In the end
> everything seems to boil down to the "-n" option. Basically I get a
> different set of results for one of my files depending if this option is
> used or not (in my understanding it should only change how the records are
> displayed).
>
> For example:
> $ ra -nn -r file.argus  -t 2009/01/22 - "some large filter" | wc -l
> 438457
> $ ra  -r file.argus  -t 2009/01/22 - "some large filter" | wc -l
> 438864
>
> I am trying to generate some file I could share that reproduce the error,
> but I am having some problems with it. If I try to copy the file:
>
> $ ra -w bug -nn -r file.argus  -t 2009/01/22 - "some large filter"
>
> Both "ra -r bug | wc" and "ra -r bug -nn | wc" give the same result
> (438457), while if I try:
>
> $ ra -w bug -r file.argus  -t 2009/01/22 - "some large filter"
>
> Both "ra -r bug | wc" and "ra -r bug -nn | wc" give the same result
> (438864).
>
> If I am able to generate some (anonymized) file I can share, I will post it
> afterwards.
> I am using version 3.0.3.17 of argus-clients.
>
> --
> Rafael Barbosa
> http://www.vf.utwente.nl/~barbosarr/
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20100922/777a69f2/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: file.argus
Type: application/octet-stream
Size: 224916 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20100922/777a69f2/attachment.obj>

More information about the argus mailing list