Problem with source labels

Carter Bullard carter at qosient.com
Wed Dec 11 16:55:29 EST 2013


Hey David,
Sorry for the delayed response !!!  OK, so all fixed in the newest code
that should go up later this week.

Thanks again for the bug !!!
Carter


On Dec 6, 2013, at 4:21 PM, David <lists at edeca.net> wrote:

> On 05/12/2013 20:03, Carter Bullard wrote:
>> Hey David,
>> It's not the client code, they will do the right thing if argus identifies the format of the source id correctly.
>> Do you have an /etc/argus.conf file that defines the source id ?
>> If you run argus this way, does it get better ?
>> 
>>   argus -Xe \"1234\" -w - | ra -s +srcid
>> 
>> The X tells argus not to parse the /etc/argus.conf file.
> 
> Carter,
> 
> This isn't the problem.  It appears to be a behaviour (perhaps bug) in
> argus itself, rather than the clients.
> 
> This works:
> 
> argus -X -e '"1234"' -i eth0 -w - | ra -s srcid
> 
> This does not:
> 
> argus -X -i eth0 -e '"1234"' -w - | ra -s srcid
> 
>  ArgusWarning: 06 Dec 13 17:49:15.373979 started
>  ArgusWarning: 06 Dec 13 17:49:15.393885 ArgusGetInterfaceStatus: interface eth0 is up
>             SrcId
>       50.49.66.65
> 
> That is if the -i option precedes -e then srcid labels are printed
> incorrectly.  Above the srcid of AB12 is printed as 50.49.66.65.
> 
> When I first looked I assumed it was being interpreted as an IP address,
> but a closer look shows that these are actually the decimal values of
> the ASCII characters (reversed).
> 
> Looking in common/argus_client.c it switches on
> trans->hdr.argus_dsrvl8.qual (line ~1850).  This is correctly set to
> 0x21 (ARGUS_TYPE_STRING) in the working example but is 0 when the
> interface argument comes first.
> 
> Adding debug messages for ArgusUpdateBasicFlow() in argus/ArgusModeler.c
> shows:
> 
> # Working
> 06 Dec 13 21:10:47.177515 ArgusUpdateBasicFlow() device->idtype: 33
> 
> # Non-working
> 06 Dec 13 21:11:27.867861 ArgusUpdateBasicFlow() device->idtype: 0
> 
> Because this is set to 0 the switch statement in the clients falls
> through to the default and is treated as an integer, see below debug
> output from ra:
> 
> ra[31960]: 17:47:29.816258 In case ARGUS_TYPE_IPV4, value 842089025
> ra[31960]: 17:47:29.816274 String would be: AB12
>       50.49.66.65
> 
> So when the -i option is provided before -e it appears that the srcid
> type is being incorrectly set to 0, which does not appear to be a valid
> ARGUS_TYPE_* value.
> 
> I have tested this on x86 and x64 and dropped gcc to -O2 just to be
> sure.  Using argus-3.0.7.5 and argus-clients-3.0.7.18.
> 
> Is the above expected behaviour?
> 
> David
> 
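
The decoding described in the quoted report, as an added example that is not code from argus or from either poster: a 4-byte source id is rendered according to its type qualifier, and an unrecognised qualifier falls through to the integer/dotted-quad branch. Only the 0x21 value and the sample bytes come from the thread; the function and macro names are hypothetical, and little-endian assembly is assumed because the report was tested on x86 and x64.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 0x21 is the ARGUS_TYPE_STRING value quoted in the thread.
 * The macro and function names below are hypothetical. */
#define SRCID_QUAL_STRING 0x21

/* Assemble the four raw bytes as a little-endian 32-bit integer. */
uint32_t srcid_as_int(const uint8_t raw[4])
{
    return (uint32_t)raw[0] | (uint32_t)raw[1] << 8 |
           (uint32_t)raw[2] << 16 | (uint32_t)raw[3] << 24;
}

/* Render a source id by switching on its qualifier.
 * Returns 0 when the qualifier is recognised, -1 when the default
 * branch was taken, so a caller can log or reject the record
 * instead of silently printing a misleading address. */
int format_srcid(uint8_t qual, const uint8_t raw[4], char *out, size_t outlen)
{
    uint32_t v;

    switch (qual) {
    case SRCID_QUAL_STRING:
        /* Four label characters; the raw field is not NUL-terminated. */
        snprintf(out, outlen, "%.4s", (const char *)raw);
        return 0;
    default:
        /* Unknown qualifier: treated as an integer, printed as a dotted quad. */
        v = srcid_as_int(raw);
        snprintf(out, outlen, "%u.%u.%u.%u",
                 (unsigned)(v >> 24), (unsigned)(v >> 16 & 0xff),
                 (unsigned)(v >> 8 & 0xff), (unsigned)(v & 0xff));
        return -1;
    }
}

int main(void)
{
    const uint8_t raw[4] = { 'A', 'B', '1', '2' };  /* constructed sample: label "AB12" */
    const uint8_t quals[2] = { SRCID_QUAL_STRING, 0 };
    char buf[32];

    for (int i = 0; i < 2; i++) {
        int rc = format_srcid(quals[i], raw, buf, sizeof buf);
        printf("qual=0x%02x int=%u -> %s%s\n", (unsigned)quals[i],
               (unsigned)srcid_as_int(raw), buf,
               rc ? "  (unrecognised qualifier)" : "");
    }
    return 0;
}
```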
