radecode man page

elof2 at sentor.se elof2 at sentor.se
Wed Jul 10 08:43:44 EDT 2013


Hi David!

Thanks for your script, it is exactly what I was looking for!
Absolutely fantastic!
To make it even more awesome, see my improvement requests below.

Carter, this means that all my requests for new printers in ra* are 
obsolete. This tool does it all.

I found a typo in the manual page:
"Due to limitations in test2pcap" it should read "text2pcap", shouldn't 
it?


...and a bug in the perl script:
No tcp packets are printed due to a missing escape in front of the last 
\d+ of the dst IP in the tcp regexp:
if (/^\s*tcp\s+(\d+)\s+(\d+)\s+(\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.d+)\s+([0-9a-f\:]{17})\s+([0-9a-f\:]{17})\s+(\d+)\s+(\d+)/) 
if (/^\s*tcp\s+(\d+)\s+(\d+)\s+(\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f\:]{17})\s+([0-9a-f\:]{17})\s+(\d+)\s+(\d+)/) 
___________________________________________________________________________________^



Another bug I haven't fully understood yet:
The script completely ignores some tcp flows...

If I run 'radecode -N o1 -r foo.log - tcp' I get:
Input from: Standard input
Output to: /tmp/tmp.0.hPhvZI
Generate dummy Ethernet header: Protocol: 0x800
Generate dummy IP header: Protocol: 6
Generate dummy TCP header: Source port: 49549. Dest port: 8100
Wrote packet of 120 bytes at 0
Read 1 potential packet, wrote 1 packet
   1   0.000000    10.2.3.4 -> 10.8.8.8   TCP 174 49549 > 8100 [<None>] Seq=1 Win=8192 Len=120

Now, I increase it to 3:
'radecode -N o3 -r foo.log - tcp'
Input from: Standard input
Output to: /tmp/tmp.0.8zBthN
Generate dummy Ethernet header: Protocol: 0x800
Generate dummy IP header: Protocol: 6
Generate dummy TCP header: Source port: 80. Dest port: 52520
Wrote packet of 120 bytes at 0
Wrote packet of 120 bytes at 120
Read 2 potential packets, wrote 2 packets
   1   0.000000     10.3.3.3 -> 10.2.2.2     HTTP 174 Continuation or non-HTTP traffic
   2   0.000001     10.3.3.3 -> 10.2.2.2     HTTP 174 HTTP/1.0 200 OK [Unreassembled Packet]
   3   0.000002     10.3.3.3 -> 10.2.2.2     HTTP 174 HTTP/1.0 200 OK [Unreassembled Packet]

Huh? The first line is no longer 10.2.3.4 -> 10.8.8.8, instead *all* lines 
just repeat the IPs 10.3.3.3 -> 10.2.2.2.

Strange!

If I remove the -N option, 'radecode -r foo.log - tcp', and process the 
whole foo.log, the script bails completely. It takes a few seconds to chew 
through the file and then it just terminates. Nothing is printed at all.
Even more strange!


Can it be that my foo.log contains both flows with user data mixed 
with flows that completely lack both suser and duser data? (flows 
like these: S_, SA_SA, A_A, FA_FA, S_RA, _RA, FA_, SA_, RA_, FSA_FSA, 
FA_A, SA_SA, S_SA, A_, FA_FRA, etc). These flows will be printed by 
ra on one line and then the next flow immediately on the next line with no 
hex dump or newline in between.

Other stuff...

Perhaps you should print some informational error messages if tshark or 
text2pcap is not found?



I have a sort of silly request to you (and Carter);
Now that your script is to be included in the official argus-clients 
package, couldn't the tool be renamed 'rashark' instead of 'radecode'?
This indicates a dependency on tshark, it is easier to remember its name 
in the growing family of ra* tools, and when passing tshark options to 
it (see below) it simply looks better with "rashark" in front of them.



Another request:
radecode applies the -X option in order not to load any ra.conf file.
However, options sent via commandline are still loaded.
Could you make a filter to remove ra-options that are known to break 
radecode?
I don't know exactly which options break radecode, but the -n and -F 
options do. So could you please filter them out from @ARGS if any are 
present?
I usually start typing "ra -nr foo.log" and then add options and filters 
as I go along, often ending up with something like:

   ra -F /etc/ra.conf.data -N o10 -t 14 -Zb -nr foo.log - udp and port 137

I am lazy, so I would like to simply be able to change *one* place in the 
cmdline, not having to also manually remove the -n and the '-F 
/etc/ra.conf.data'. I.e. I just want to add "shark" after "ra":

   rashark -F /etc/ra.conf.data -N o10 -t 14 -Zb -nr foo.log - udp and port 137

   (ctrl-a, right arrow, right arrow, s, h, a, r, k, return)



...another request:
Could you please add a separator that separates options to send to tshark 
from the options to send to ra?

...and remove the default -V option you currently use...

Like this:
   rashark -V - -nr foo.log - udp and port 137

"-V" is passed to tshark
"-nr foo.log - udp and port 137" is passed to ra
= displaying one page of text per packet


   rashark - -nr foo.log - udp and port 137
   or
   rashark -nr foo.log - udp and port 137
= displaying one line per packet as per default tshark behaviour


   rashark -n -o column.format:'"No.", "%m", "Time", "%t", "Source", "%s", 
"sPort", "%uS", "Destination", "%d", "dPort", "%uD", "Host", 
"%Cus:http.host", "URI", "%Cus:http.request.uri", "Referer", 
"%Cus:http.referer"' -R 'http.request.uri' - -nr foo.log - port 80

= displaying one custom line per packet that contains HTTP GET requests

...another request (to Carter and David):
Carter)
Could you add a new keyword in rarc for options to pass to tshark?
Example:
   RASHARK_TSHARK_OPTIONS="-n"
to always disable name resolution in tshark. Or adding a "-o 
column.format:" for custom output, "-o tcp.desegment_tcp_streams:FALSE" 
to get rid of all those pesky [TCP segment of a reassembled PDU], etc.

David)
Can you make rashark read the ra.conf in the same manner as all other ra* 
tools?
"Ra* clients will open this file if its in the users $HOME directory, or
in the $ARGUSHOME directory, and parse it to set common configuration
options."


David)
Continued from the ra manual above: "All of these values will be overridden 
by options set on the command line, or in the file specified using the '-F 
conffile' option."

That means another argument separator is needed, giving us three sets of 
options; one set for rashark itself, one to pass to tshark and one to pass 
to ra.

   rashark -F /tmp/ra.conf - -V - -nr foo.log - udp and port 137

"-F /tmp/ra.conf" is used by rashark itself
"-V" is passed to tshark
"-nr foo.log - udp and port 137" is passed to ra
= displaying one page of text per packet (without any name resolution if 
/tmp/ra.conf contains RASHARK_TSHARK_OPTIONS="-n")

I haven't analysed this, but when I look at the perl script I see:
my $raoptions = " -X -n -u -p 3  -M printer='hex' -L -1 -s proto sport 
dport stime saddr daddr smac dmac sttl stcpb suser:2000";

Shouldn't it be like this instead:
my $raoptions_src = " -X -n -u -p 3  -M printer='hex' -L -1 -s proto sport 
dport stime saddr daddr smac dmac sttl stcpb suser:2000";
my $raoptions_dst = " -X -n -u -p 3  -M printer='hex' -L -1 -s proto sport 
dport stime saddr daddr smac dmac sttl stcpb duser:2000";
...and...
$sttl = $8;   -->  $dttl = $8;
$stcpb = $9;  -->  $dtcpb = $9;

...and then the rest of the script is looped twice, generating one packet 
for the suser data and another packet for the duser data.
?

Lots of questions and requests. This is just because of how awesome this 
tool can become.

/Elof

On Tue, 9 Jul 2013, David Edelman wrote:

>
> The minimalist approach to a man page but I'm always happy to hear from
> anyone who knows of a tool that does the troff markup in a painless fashion.
> I'm also interested in hearing if there is anyone out there who groks info.
>
> --Dave
>
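
Editor's added example (not part of the message above, and not code from radecode or argus-clients, which are Perl): the two parsing problems reported in the message, the unescaped "d+" in the destination-address group of the tcp regex and the flows that carry no suser data and so print no hex dump, are easiest to see side by side in a small re-implementation of the header/hex-dump grouping step in Python. The column order follows the -s list quoted from the script (proto sport dport stime saddr daddr smac dmac sttl stcpb); the hex-dump line shape (hex offset followed by hex byte pairs, no ASCII column) and the sample input are assumptions constructed for the example, not real ra output.

```python
import re
from dataclasses import dataclass

# Column order follows the -s list in radecode's ra options quoted in the message:
#   proto sport dport stime saddr daddr smac dmac sttl stcpb
# with the suser bytes printed as a hex dump on the lines that follow the header.
IPV4 = r"\d+\.\d+\.\d+\.\d+"
MAC = r"[0-9a-f:]{17}"

# The pattern as reported: the last octet of daddr is written "\.d+" and so demands
# a literal letter d, which no dotted-quad address ever contains.
BUGGY_TCP_RE = re.compile(
    rf"^\s*tcp\s+(\d+)\s+(\d+)\s+(\d+\.\d+)\s+({IPV4})\s+(\d+\.\d+\.\d+\.d+)\s+"
    rf"({MAC})\s+({MAC})\s+(\d+)\s+(\d+)"
)

# Corrected pattern; named groups are added here only for readability.
TCP_RE = re.compile(
    rf"^\s*tcp\s+(?P<sport>\d+)\s+(?P<dport>\d+)\s+(?P<stime>\d+\.\d+)\s+"
    rf"(?P<saddr>{IPV4})\s+(?P<daddr>{IPV4})\s+(?P<smac>{MAC})\s+(?P<dmac>{MAC})\s+"
    rf"(?P<sttl>\d+)\s+(?P<stcpb>\d+)"
)

# Assumed dump-line shape (hypothetical, not ra's documented format):
# a hex offset, then space-separated hex byte pairs and nothing else.
DUMP_RE = re.compile(r"^\s*[0-9a-fA-F]{4,}\s+((?:[0-9a-fA-F]{2}\s*)+)$")


@dataclass
class Flow:
    sport: int
    dport: int
    stime: float
    saddr: str
    daddr: str
    smac: str
    dmac: str
    sttl: int
    stcpb: int
    payload: bytes = b""


def parse_ra_hex(text: str) -> list[Flow]:
    """Group hex-dump lines under the flow header that precedes them.

    A header line always starts a new record, so a flow that carried no user
    data (and therefore has no dump) is still emitted as a zero-byte record,
    and the dump that follows the *next* header is never attributed to the
    wrong flow. That is the failure mode the message describes for flows
    such as S_, SA_SA or A_A that print back to back with no dump between.
    """
    flows: list[Flow] = []
    for line in text.splitlines():
        m = TCP_RE.match(line)
        if m:
            g = m.groupdict()
            flows.append(Flow(
                sport=int(g["sport"]), dport=int(g["dport"]), stime=float(g["stime"]),
                saddr=g["saddr"], daddr=g["daddr"], smac=g["smac"], dmac=g["dmac"],
                sttl=int(g["sttl"]), stcpb=int(g["stcpb"]),
            ))
            continue
        d = DUMP_RE.match(line)
        if d and flows:
            flows[-1].payload += bytes.fromhex(d.group(1).replace(" ", ""))
        # blank lines and anything unrecognised are ignored
    return flows


def buggy_regex_matches(line: str) -> bool:
    """True if the originally reported (unescaped) pattern accepts the line."""
    return BUGGY_TCP_RE.match(line) is not None


# Constructed sample in the shape described above; it is not real ra output.
# Flow 1 has user data, flow 2 has none (no dump follows), flow 3 has user data.
SAMPLE = """\
   tcp  49549   8100  1373300000.123456  10.2.3.4  10.8.8.8  00:11:22:33:44:55  66:77:88:99:aa:bb  64  1234567
0000  47 45 54 20 2f 20 48 54 54 50 2f 31 2e 30 0d 0a
0010  0d 0a
   tcp  52520     80  1373300001.000000  10.2.2.2  10.3.3.3  00:11:22:33:44:55  66:77:88:99:aa:bb  64  89
   tcp     80  52520  1373300001.000001  10.3.3.3  10.2.2.2  66:77:88:99:aa:bb  00:11:22:33:44:55  57  4242
0000  48 54 54 50 2f 31 2e 30 20 32 30 30 20 4f 4b 0d
0010  0a
"""


if __name__ == "__main__":
    print("buggy regex accepts first header:", buggy_regex_matches(SAMPLE.splitlines()[0]))
    for f in parse_ra_hex(SAMPLE):
        print(f"{f.saddr}:{f.sport} -> {f.daddr}:{f.dport}  {len(f.payload)} user bytes")
```

Run stand-alone it reports that the reported pattern rejects every header (so no tcp packets could ever be written) and lists three flows, the middle one with zero user bytes. If a parser instead waits for a dump before closing the current record, the header of the dataless flow is overwritten by the one that follows it, which matches the repeated 10.3.3.3 -> 10.2.2.2 lines in the message.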
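
Editor's added example (again not from the message or from radecode itself) for the two command-line requests in the message: a bare '-' separating tshark options from ra options, and stripping the -n and -F options that the message says break radecode before the rest is handed to ra. The function names, the treatment of a glued -Ffile spelling, and the sample command lines are assumptions made for the example. One caveat the message does not mention: ra itself uses a bare '-' in front of its filter expression, so the variant with no separator at all ("rashark -nr foo.log - udp and port 137") cannot be told apart from a tshark/ra split and is not supported here; the separator is required.

```python
import shlex

# Option letters the message says break radecode when forwarded to ra.
# -n takes no argument and may be bundled (-nr); -F takes the conf file as its argument.
DROP_FLAG = "n"
DROP_WITH_ARG = "F"


def split_at_separator(argv: list[str]) -> tuple[list[str], list[str]]:
    """Split at the first bare '-' into (tshark options, ra options).

    ra uses a bare '-' before its own filter expression, so the separator
    must be present; without it the two halves are ambiguous.
    """
    if "-" not in argv:
        raise ValueError("expected a bare '-' separating tshark options from ra options")
    i = argv.index("-")
    return argv[:i], argv[i + 1:]


def strip_breaking_ra_options(ra_args: list[str]) -> list[str]:
    """Remove -n and -F <conffile> from the ra argument list, keep everything else.

    Handles the bundled form (-nr foo.log becomes -r foo.log) and both
    spellings of -F (-F file and -Ffile). Tokens from ra's own '-' onwards
    are the filter expression and are copied verbatim.
    """
    out: list[str] = []
    i = 0
    while i < len(ra_args):
        tok = ra_args[i]
        if tok == "-":
            out.extend(ra_args[i:])
            break
        if tok.startswith("-") and len(tok) > 1:
            letters = tok[1:]
            if letters[0] == DROP_WITH_ARG:
                # -F file (two tokens) or -Ffile (one token): drop option and value
                i += 2 if len(letters) == 1 else 1
                continue
            # Only leading n's are the flag; letters after another option letter
            # are that option's glued value (e.g. -Zb) and are left alone.
            letters = letters.lstrip(DROP_FLAG)
            if letters:
                out.append("-" + letters)
            i += 1
            continue
        out.append(tok)
        i += 1
    return out


def build_command_line(argv: list[str]) -> tuple[list[str], list[str]]:
    """Return (tshark options, sanitised ra options) for one combined argv."""
    tshark_args, ra_args = split_at_separator(argv)
    return tshark_args, strip_breaking_ra_options(ra_args)


def build_from_string(cmdline: str) -> tuple[list[str], list[str]]:
    """Same as build_command_line, starting from a shell-style string."""
    return build_command_line(shlex.split(cmdline))


if __name__ == "__main__":
    # Constructed sample, the "lazy" command line from the message with a tshark section in front.
    tshark_args, ra_args = build_from_string(
        "-V - -F /etc/ra.conf.data -N o10 -t 14 -Zb -nr foo.log - udp and port 137"
    )
    print("tshark:", shlex.join(tshark_args))
    print("ra:    ", shlex.join(ra_args))
```

With the sample above the tshark half is just -V and the ra half becomes "-N o10 -t 14 -Zb -r foo.log - udp and port 137": the -F pair is gone, the n is peeled off the -nr bundle, and the filter after ra's own '-' is untouched.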