Problems with "-n" option

Carter Bullard carter at qosient.com
Wed Sep 29 09:31:40 EDT 2010 

No that is not an expected outcome.
Carter

On Sep 29, 2010, at 8:41 AM, Rafael Barbosa wrote:

> Hi,
> 
> I understand that depending on the information used in the filter my results can change depending in the "-n" option.
> However in the example I sent, two flows have their saddr, daddr exchanged depending if the "-n" option is used. No filters used. Is that an expected behavior?
> 
> Rafael Barbosa
> http://www.vf.utwente.nl/~barbosarr/
> 
> 
> 
> On Fri, Sep 24, 2010 at 7:56 PM, Carter Bullard <carter at qosient.com> wrote:
> Hey Rafael,
> It is possible that the issue is in your filter, rather than the direction of the flows.
> ra* programs will use name resolution to see what to use when composing the
> filter. So, if you provide names or addresses in your filter, the argus compiler
> will try to grab all the addresses returned by bind for that string and create
> filter entries for all the returned addresses.
> 
> When you provide a "-n" we shouldn't go to bind for resolution, and so.... it maybe
> that the actual filter that you are creating is different depending on the "-n".
> 
> Run ra() with the -b option, that will dump the compiler output, and we can then compare
> the filters when you use and don't use "-n".
> 
> Carter
> 
> On Sep 22, 2010, at 8:51 AM, Rafael Barbosa wrote:
> 
>> Hi again,
>> 
>> Spend a while doing some tests trying to reproduce the error. Here is my explanation for the behavior I observed:
>> 
>> My filter consisted in selecting a number of saddr fields (dst host X or dst host Y or ...). For some reason some flows have their 'saddr' and 'daddr' exchanged when comparing the output generated by ra() with the option '-n' and without it. As a consequence the amount of records displayed (lines counted with wc) is different, as a different number of saddr is displayed when using the filter.
>> 
>> The attached file demonstrate the problem. If you run this series of commands you can find 2 records that have their saddr and daddr exchanged. So a filter which is based in saddr or daddr, would have a different effect depending on the use of the "-n" option.
>> 
>> $ ra -nn -r file.argus -s saddr,daddr > withN
>> $ ra -r file.argus -s saddr,daddr > withoutN
>> $ diff withN withoutN 
>> 284c284
>> <            1.0.6.1            1.0.2.1
>> ---
>> >            1.0.2.1            1.0.6.1
>> 929c929
>> <            1.0.6.1            1.0.2.1
>> ---
>> >            1.0.2.1            1.0.6.1
>> 
>> 
>> --
>> Rafael Barbosa
>> http://www.vf.utwente.nl/~barbosarr/
>> 
>> 
>> 
>> On Tue, Sep 21, 2010 at 5:39 PM, Rafael Barbosa <rrbarbosa at gmail.com> wrote:
>> Hi all,
>> 
>> I think I discovered a bug in ra() when using the "-n" option. I while trying to display the unique saddr and daddr in a argus file using ra() and some bash scripting I kept getting inconsistent results. In the end everything seems to boil down to the "-n" option. Basically I get a different set of results for one of my files depending if this option is used or not (in my understanding it should only change how the records are displayed).
>> 
>> For example:
>> $ ra -nn -r file.argus  -t 2009/01/22 - "some large filter" | wc -l
>> 438457
>> $ ra  -r file.argus  -t 2009/01/22 - "some large filter" | wc -l
>> 438864
>> 
>> I am trying to generate some file I could share that reproduce the error, but I am having some problems with it. If I try to copy the file:
>> 
>> $ ra -w bug -nn -r file.argus  -t 2009/01/22 - "some large filter" 
>> 
>> Both "ra -r bug | wc" and "ra -r bug -nn | wc" give the same result (438457), while if I try:
>> 
>> $ ra -w bug -r file.argus  -t 2009/01/22 - "some large filter" 
>> 
>> Both "ra -r bug | wc" and "ra -r bug -nn | wc" give the same result (438864).
>> 
>> If I am able to generate some (anonymized) file I can share, I will post it afterwards.
>> I am using version 3.0.3.17 of argus-clients.
>> 
>> --
>> Rafael Barbosa
>> http://www.vf.utwente.nl/~barbosarr/
>> 
>> 
>> <file.argus>
> 
> 

Carter Bullard
CEO/President
QoSient, LLC
150 E 57th Street Suite 12D
New York, New York  10022

+1 212 588-9133 Phone
+1 212 588-9134 Fax



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20100929/fffd536b/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3815 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20100929/fffd536b/attachment.bin>

More information about the argus mailing list