argus-3.0.7.5 and argus-clients-3.0.7.18 on the server
Jesper Skou Jensen
jesper.skou.jensen at uni-c.dk
Tue Nov 26 09:09:20 EST 2013
Hi again,
I'm running Argus on a Ubuntu 12.04 64bit box.
I have made a few more tests.
:~# rabins -m proto -M hard 1s -r new.ra_tcp -w new.ra.rabins
:~# ra -c, -r new.ra.rabins
StartTime,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,TotPkts,TotBytes,State
2013-11-26 08:59:56.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,42,17092,RST
2013-11-26 08:59:57.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,13069,7146344,RST
2013-11-26 08:59:58.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,22153,13783222,RST
2013-11-26 08:59:59.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,22915,14183156,RST
2013-11-26 09:00:00.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,31132,24033624,RST
2013-11-26 09:00:01.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,39863,31041200,RST
2013-11-26 09:00:02.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,39192,29982877,RST
2013-11-26 09:00:03.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,41933,32736196,RST
2013-11-26 09:00:04.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,1425771,27906492,RST
2013-11-26 09:00:05.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,1506384,29238753,RST
2013-11-26 09:00:06.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,1507208,30738591,RST
[and so on until the counter goes completely haywire]
2013-11-26 09:12:48.000000,tcp,0.0.0.0,*,
->,0.0.0.0,*,797794923,60552173,RST
2013-11-26 09:12:49.000000,tcp,0.0.0.0,*,
->,0.0.0.0,*,524708445,57910501,RST
2013-11-26 09:12:50.000000,tcp,0.0.0.0,*,
->,0.0.0.0,*,481074976,56542127,RST
2013-11-26 09:12:51.000000,tcp,0.0.0.0,*,
->,0.0.0.0,*,468298779,59030688,RST
2013-11-26 09:12:52.000000,tcp,0.0.0.0,*,
->,0.0.0.0,*,468296156,55605938,RST
2013-11-26 09:12:53.000000,tcp,0.0.0.0,*,
->,0.0.0.0,*,468296374,56253772,RST
2013-11-26 09:12:54.000000,tcp,0.0.0.0,*,
->,0.0.0.0,*,1865562720437464,1127008872225385,RST
2013-11-26 09:12:55.000000,tcp,0.0.0.0,*,
->,0.0.0.0,*,441135061,59037550,RST
2013-11-26 09:12:56.000000,tcp,0.0.0.0,*,
->,0.0.0.0,*,2661123791534017,3460172017613613187,RST
2013-11-26 09:12:57.000000,tcp,0.0.0.0,*,
->,0.0.0.0,*,441134997,58596098,RST
2013-11-26 09:12:58.000000,tcp,0.0.0.0,*,
->,0.0.0.0,*,2656678500379720,101051059395042031,RST
2013-11-26 09:12:59.000000,tcp,0.0.0.0,*,
->,0.0.0.0,*,441137631,59840956,RST
2013-11-26 09:13:00.000000,tcp,0.0.0.0,*,
->,0.0.0.0,*,1188814894848872,182960092986404660,RST
2013-11-26 09:13:01.000000,tcp,0.0.0.0,*,
->,0.0.0.0,*,431265690,58555620,RST
2013-11-26 09:13:02.000000,tcp,0.0.0.0,*,
->,0.0.0.0,*,424319640,58103639,RST
2013-11-26 09:13:03.000000,tcp,0.0.0.0,*,
->,0.0.0.0,*,421342441,58419207,RST
[and towards the end of the file]
2013-11-26 09:14:49.000000,tcp,0.0.0.0,*,
->,0.0.0.0,*,8444761242380627,292738444997133411,RST
2013-11-26 09:14:50.000000,tcp,0.0.0.0,*,
->,0.0.0.0,*,644919965942377,187465359791945283,RST
2013-11-26 09:14:51.000000,tcp,0.0.0.0,*,
->,0.0.0.0,*,2977851434645235,101051059372919085,RST
2013-11-26 09:14:52.000000,tcp,0.0.0.0,*,
->,0.0.0.0,*,578738536163405,94014215023230728,RST
2013-11-26 09:14:53.000000,tcp,0.0.0.0,*,
->,0.0.0.0,*,1642641127088000,288798147512237978,RST
2013-11-26 09:14:54.000000,tcp,0.0.0.0,*,
->,0.0.0.0,*,473597999054701,195629066118682560,RST
2013-11-26 09:14:55.000000,tcp,0.0.0.0,*,
->,0.0.0.0,*,4261291262971956,289923927150221213,RST
2013-11-26 09:14:56.000000,tcp,0.0.0.0,*,
->,0.0.0.0,*,3977501532263536,100491747284477729,RST
2013-11-26 09:14:57.000000,tcp,0.0.0.0,*,
->,0.0.0.0,*,2533043399182272,193657959585547021,RST
2013-11-26 09:14:58.000000,tcp,0.0.0.0,*,
->,0.0.0.0,*,2735894436062247,565715921474337,RST
2013-11-26 09:14:59.000000,tcp,0.0.0.0,*,
->,0.0.0.0,*,3900865928893536,198161408877067769,RST
It looks like it's never resetting the bytes/packet counter?
When looking at the new.ra Argus log file, everything appears to be just
fine.
PS. I'm running Argus with fairly standard options, but maybe -S option
is what confuses the new Argus?
argus -i eth1 -P 561 -S 5 -e 1 -w /var/log/argus.log
Regards
Jesper
On 26-11-2013 14:49, Carter Bullard wrote:
> Hey Chris,
> I've been running many combinations of old vs new and I'm not seeing anything a miss, but all you need is one.
>
> Carter
>
>> On Nov 26, 2013, at 8:43 AM, Chris Wakelin <c.d.wakelin at reading.ac.uk> wrote:
>>
>> I've been running 3.0.7.5 / 3.0.7.18 (replacing 3.0.7.4 / 3.0.7.16) on
>> the student network for about an hour. Seems OK to me, with
>> racount/ratop behaving as expected.
>>
>> Best Wishes,
>> Chris
>>
>>> On 26/11/13 13:22, Carter Bullard wrote:
>>> Hey Jesper,
>>> This is why we have to test and test and test :O(
>>> Something must have crept into the code, as other bizarreness is being reported. However, I am not seeing anything odd. What machine type and OS are you using ???
>>>
>>> Did you print out any records to see if all were corrupt, or only one ??
>>>
>>> Can you send a sample argus-3.0.5 output file with the bad TCP data?? If you have a packet file that generates the corrupt data, can you share ???
>>>
>>> Sorry, shouldn't be hard to fix.
>>>
>>> Carter
>>>
>>>
>>>> On Nov 26, 2013, at 7:13 AM, Jesper Skou Jensen <jesper.skou.jensen at uni-c.dk> wrote:
>>>>
>>>> Now that my compiling issues are fixed, I've moved on to testing the new Argus and clients.
>>>>
>>>> I'm getting some funky results with eg. racount, but ragraph is weird too I think and maybe more ra-clients that I haven't tested with. It looks like an issue with the Argus server and TCP packets.
>>>>
>>>> Test with argus file written earlier today with Argus version 3.0.7.3
>>>> :~# racount -r old.ra
>>>> racount records total_pkts src_pkts dst_pkts total_bytes src_bytes dst_bytes
>>>> sum 4039147 58347562 36023110 22324452 38558018790 8629875276 29928143514
>>>>
>>>> Test with argus file written just now with Argus version 3.0.7.5
>>>> :~# racount -r new
>>>> racount records total_pkts src_pkts dst_pkts total_bytes src_bytes dst_bytes
>>>> sum 4784540 228845934958855649 218118303098026684 10727631860828965 -6720755720319015608 -7008709186520164355 287953466201148747
>>>>
>>>> :~# racount -r new - not tcp
>>>> racount records total_pkts src_pkts dst_pkts total_bytes src_bytes dst_bytes
>>>> sum 2852715 23749856 19396421 4353435 4238739977 3599987646 638752331
>>>>
>>>> :~# racount -r new - tcp
>>>> racount records total_pkts src_pkts dst_pkts total_bytes src_bytes dst_bytes
>>>> sum 1931826 228845934935105793 218118303078630263 10727631856475530 -6720755724557755585 -7008709190120152001 287953465562396416
>>>>
>>>>
>>>> Regards
>>>> Jesper
>>>>
>>>>> On 25-11-2013 18:46, Carter Bullard wrote:
>>>>> Gentle people,
>>>>> New software is available on the developers site. This is a big push
>>>>> to release, and the packages fix all bugs reported to the mailing list.
>>>>> Argus fixes some direction issues with ARP transactions, and the clients
>>>>> fix a number of issues with filters, radium management records, and
>>>>> adds xz decompression for argus data files. Many changes to manpages,
>>>>> and there should be new scripts for updating IANA RIR data fetching,
>>>>> to maintain the delegated ip address tables. There is improvement in
>>>>> GeoIP database use, with some extensions added based on changes in
>>>>> the API. The code is in the standard places:
>>>>>
>>>>> http://qosient.com/argus/dev/argus-latest.tar.gz
>>>>> http://qosient.com/argus/dev/argus-clients-latest.tar.gz
>>>>>
>>>>> Please give these a run, and if there are any problems, get those
>>>>> complaints in there, so we can release 3.0.8 by the end of the year.
>>>>>
>>>>> Hope all is most excellent,
>>>>>
>>>>> Carter
>>
>> --
>> --+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
>> Christopher Wakelin, c.d.wakelin at reading.ac.uk
>> IT Services Centre, The University of Reading, Tel: +44 (0)118 378 2908
>> Whiteknights, Reading, RG6 6AF, UK Fax: +44 (0)118 975 3094
>>
More information about the argus
mailing list