Argus TCP state machine fixes

Carter Bullard carter at qosient.com
Mon Oct 8 17:26:25 EDT 2012


Hey Rafael,
So I have fixed argus's issues with your very interesting sets of pcaps.
They were a bit confusing at first, even Wireshark doesn't really like them
at all, but I've got argus doing well with your specific files.

Because the fixes have changed some basic TCP state machine code, 
which hasn't been modified in quite a while, we'll need some time to test
this logic out.

As a result, I'm releasing the fixes in argus-3.0.7.1, but not in the
argus-3.0.6 release tree, until a good amount of testing, if at all.

I should have the new argus up later today.
I still have Napatech board support to put into argus, and there are
fixes that I need to add for PF_RING extended support.  These fixes
will be in argus-3.0.7.2 which should come out later this week.

Hope all is most excellent,

Carter


On Oct 8, 2012, at 4:09 PM, Carter Bullard <carter at qosient.com> wrote:

> Hey Rafael,
> So I've been going through your part2.pcap, and it's really screwed up.
> Did you capture this from normal traffic or did you fabricate the packets?
> If fabricated, I'd say don't do that any more.  
> 
> If you just captured it, could you describe how it is that you came upon
> this stream of packets?  Can you describe the end systems that generated
> this?
> 
> Carter
> 
> 
> 
> On Sep 28, 2012, at 4:51 AM, Rafael Barbosa <rrbarbosa at gmail.com> wrote:
> 
>> Hi Carter,
>> 
>> Good news. This latest version of racluster() seems to solve all aggregation issues reported in this thread. 
>> 
>> Let me know about the possible bug in argus, due to the packet duplicates.
>> 
>> Best regards,
>> Rafael Barbosa
>> http://www.ewi.utwente.nl/~barbosarr/
>> 
>> 
>> 
>> On Wed, Sep 26, 2012 at 1:14 AM, Carter Bullard <carter at qosient.com> wrote:
>> Hey Rafael,
>> OK, so this racluster.c should fix the last set of problems.  Run this against your
>> data sets to see if it's close to what you expect.
>> 
>> Carter
> 
