Problems with racluster

Carter Bullard carter at qosient.com
Tue Sep 25 18:44:31 EDT 2012 

Hey Rafael,
OK, so I'm fixing this now, and there is a curious situation. You've got these flows:

    A.xxx  ->  B.yyy  with indications of Syn, SynAck and Reset
    B.yyy <?>  A.xxx  with SynAck and Reset
    B.yyy  ->  A.xxx  with Syn, SynAck and Reset

So, the correct output after aggregation is to have two records output
    A.xxx  ->  B.yyy  with indications of Syn, SynAck and Reset
    B.yyy  ->  A.xxx  with Syn, SynAck and Reset

The curious thing is, do you think that argus  is making the correct  assignments ?

Carter

On Sep 25, 2012, at 5:56 AM, Rafael Barbosa <rrbarbosa at gmail.com> wrote:

> Hi again,
> 
> I still see some subnetwork aggregation. Most of it at roughly the same time, so hopefully they are caused by the same bug. Same config as before.
> 
> The error appear when running:
> $> ~/workspace/argus-clients-3.0.7.2-patch/bin/racluster -r part1 part2 -f ~/config/racluster.conf
> 
> I see another subnet aggregation later in the trace, but I am having problems replicating it in a small test. I will try again when I get some more free time.
> 
> I uploaded parts.tar.gz containing part1 and part2 to the ftp.
> 
> Rafael Barbosa
> http://www.ewi.utwente.nl/~barbosarr/
> 
> 
> 
> On Wed, Sep 19, 2012 at 5:11 AM, Carter Bullard <carter at qosient.com> wrote:
> Hey Rafael and Harika,
> Use this racluster.c with your argus-clients-3.0.7.2, to see if it solves that last direction problem you reported.
> Thanks !!!!
> 
> Carter
> 
> 
> 
> On Sep 13, 2012, at 5:09 AM, Rafael Barbosa <rrbarbosa at gmail.com> wrote:
> 
>> Hi Carter,
>> 
>> I still see some records aggregated by subnet (?!), with the same racluster.conf.
>> I will upload 2 more files (preagg2.argus and preagg3.argus) where I see the bug.
>> 
>> Rafael Barbosa
>> http://www.ewi.utwente.nl/~barbosarr/
>> 
>> 
>> 
>> On Wed, Sep 12, 2012 at 3:42 PM, Rafael Barbosa <rrbarbosa at gmail.com> wrote:
>> Hi Carter,
>> 
>> The new version seems to have solved the issue. As a bonus, is also seems to have solved the direction bug when the SYN packet is missing I reported in another thread.
>> 
>> I will start some larger tests and let you know if I run in other issues.
>> 
>> Thanks!
>> Rafael Barbosa
>> http://www.ewi.utwente.nl/~barbosarr/
>> 
>> 
>> 
>> On Wed, Sep 12, 2012 at 2:34 PM, Carter Bullard <carter at qosient.com> wrote:
>> Hey Rafael,
>> Try this version of argus-clients-3.0.7.2. Had to modify too many files to send a simple patch.
>> Should do the trick.
>> Carter
>> 
>> 
>> 
>> On Sep 12, 2012, at 5:19 AM, Rafael Barbosa <rrbarbosa at gmail.com> wrote:
>> 
>>> Hi Carter,
>>> 
>>> I am still having problems with the patch. My aggregation strategy is the same:
>>> $> cat racluster.conf 
>>> #Filter:every record, no record status output, record time out 5min
>>> filter="" status=0 status=60 idle=300
>>> 
>>> However I see some records aggregated by subnetwork(?!). If I run:
>>> $> ~/workspace/argus-clients-3.0.7.1-patch2/bin/racluster -r preagg.argus -f racluster.conf -s saddr,sport,dir,daddr,dport
>>> 
>>> One of the lines read:
>>> 172.31.0.0.*         ->         172.31.0.0.*
>>> 
>>> I will upload preagg.argus to the ftp.
>>> 
>>> Best regards,
>>> Rafael Barbosa
>>> http://www.ewi.utwente.nl/~barbosarr/
>>> 
>>> 
>>> 
>>> On Mon, Sep 10, 2012 at 5:42 PM, Rafael Barbosa <rrbarbosa at gmail.com> wrote:
>>> Hi again,
>>> 
>>> Ok. That makes sense to me. 
>>> 
>>> My goal was to have a TCP flow == 1 record and I assumed because of the SYN and FIN packets these records would not be aggregated. But I think the output of racluster is now sufficient for my purposes.
>>> 
>>> Best regards,
>>> Rafael Barbosa
>>> http://www.ewi.utwente.nl/~barbosarr/
>>> 
>>> 
>>> On Mon, Sep 10, 2012 at 3:13 PM, Carter Bullard <carter at qosient.com> wrote:
>>> Hey Rafael,
>>> I believe that its now working as advertised.  
>>> 
>>> Your " f1 " is done at 15:09:30.971092 and " f2 " starts at 15:11:52.493899,  which is
>>> only 141.522 seconds of idle time.  So you're racluster.conf strategy should only generate
>>> 1 flow record.  If you want to see status records at shorter intervals, but have the 300
>>> second idle time, add something to your status timer value, like 60 or 120 seconds.
>>> 
>>> Carter
>>> 
>>> 
>>> 
>> 
>> 
>> 
>> 
> 
> 
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20120925/185fb3be/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2589 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20120925/185fb3be/attachment.bin>

More information about the argus mailing list