argus-3.0.7.5 and argus-clients-3.0.7.18 on the server

Jesper Skou Jensen jesper.skou.jensen at uni-c.dk
Tue Nov 26 09:18:47 EST 2013


Hi,

MAYBE my Argus wasn't compiled right?

I took a copy of the build from this morning and compared with a "make 
clean; configure; make" fresh build and the bin/argus file hasn't 
got the same md5sum. Though a "make clean; make" produces the same sum 
as the one from this morning.

The only difference I've made, is to install that zlib-dev package to 
get the argus-clients to compile right.

Regards
Jesper


On 26-11-2013 15:09, Jesper Skou Jensen wrote:
> Hi again,
>
> I'm running Argus on a Ubuntu 12.04 64bit box.
>
> I have made a few more tests.
>
> :~# rabins -m proto -M hard 1s -r new.ra_tcp -w new.ra.rabins
>
> :~# ra -c, -r new.ra.rabins
> StartTime,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,TotPkts,TotBytes,State
> 2013-11-26 08:59:56.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,42,17092,RST
> 2013-11-26 08:59:57.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,13069,7146344,RST
> 2013-11-26 08:59:58.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,22153,13783222,RST
> 2013-11-26 08:59:59.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,22915,14183156,RST
> 2013-11-26 09:00:00.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,31132,24033624,RST
> 2013-11-26 09:00:01.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,39863,31041200,RST
> 2013-11-26 09:00:02.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,39192,29982877,RST
> 2013-11-26 09:00:03.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,41933,32736196,RST
> 2013-11-26 09:00:04.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,1425771,27906492,RST
> 2013-11-26 09:00:05.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,1506384,29238753,RST
> 2013-11-26 09:00:06.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,1507208,30738591,RST
> [and so on until the counter goes completely haywire]
> 2013-11-26 09:12:48.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,797794923,60552173,RST
> 2013-11-26 09:12:49.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,524708445,57910501,RST
> 2013-11-26 09:12:50.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,481074976,56542127,RST
> 2013-11-26 09:12:51.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,468298779,59030688,RST
> 2013-11-26 09:12:52.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,468296156,55605938,RST
> 2013-11-26 09:12:53.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,468296374,56253772,RST
> 2013-11-26 09:12:54.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,1865562720437464,1127008872225385,RST
> 2013-11-26 09:12:55.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,441135061,59037550,RST
> 2013-11-26 09:12:56.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,2661123791534017,3460172017613613187,RST
> 2013-11-26 09:12:57.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,441134997,58596098,RST
> 2013-11-26 09:12:58.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,2656678500379720,101051059395042031,RST
> 2013-11-26 09:12:59.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,441137631,59840956,RST
> 2013-11-26 09:13:00.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,1188814894848872,182960092986404660,RST
> 2013-11-26 09:13:01.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,431265690,58555620,RST
> 2013-11-26 09:13:02.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,424319640,58103639,RST
> 2013-11-26 09:13:03.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,421342441,58419207,RST
> [and towards the end of the file]
> 2013-11-26 09:14:49.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,8444761242380627,292738444997133411,RST
> 2013-11-26 09:14:50.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,644919965942377,187465359791945283,RST
> 2013-11-26 09:14:51.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,2977851434645235,101051059372919085,RST
> 2013-11-26 09:14:52.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,578738536163405,94014215023230728,RST
> 2013-11-26 09:14:53.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,1642641127088000,288798147512237978,RST
> 2013-11-26 09:14:54.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,473597999054701,195629066118682560,RST
> 2013-11-26 09:14:55.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,4261291262971956,289923927150221213,RST
> 2013-11-26 09:14:56.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,3977501532263536,100491747284477729,RST
> 2013-11-26 09:14:57.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,2533043399182272,193657959585547021,RST
> 2013-11-26 09:14:58.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,2735894436062247,565715921474337,RST
> 2013-11-26 09:14:59.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,3900865928893536,198161408877067769,RST
>
> It looks like it's never resetting the bytes/packet counter?
>
> When looking at the new.ra Argus log file, everything appears to be 
> just fine.
>
>
> PS. I'm running Argus with fairly standard options, but maybe -S 
> option is what confuses the new Argus?
> argus -i eth1 -P 561 -S 5 -e 1 -w /var/log/argus.log
>
>
> Regards
> Jesper
>
>
> On 26-11-2013 14:49, Carter Bullard wrote:
>> Hey Chris,
>> I've been running many combinations of old vs new and I'm not seeing 
>> anything amiss, but all you need is one.
>>
>> Carter
>>
>>> On Nov 26, 2013, at 8:43 AM, Chris Wakelin 
>>> <c.d.wakelin at reading.ac.uk> wrote:
>>>
>>> I've been running 3.0.7.5 / 3.0.7.18 (replacing 3.0.7.4 / 3.0.7.16) on
>>> the student network for about an hour. Seems OK to me, with
>>> racount/ratop behaving as expected.
>>>
>>> Best Wishes,
>>> Chris
>>>
>>>> On 26/11/13 13:22, Carter Bullard wrote:
>>>> Hey Jesper,
>>>> This is why we have to test and test and test :O(
>>>> Something must have crept into the code, as other bizarreness is 
>>>> being reported. However, I am not seeing anything odd.  What 
>>>> machine type and OS are you using ???
>>>>
>>>> Did you print out any records to see if all were corrupt, or only 
>>>> one ??
>>>>
>>>> Can you send a sample argus-3.0.5 output file with the bad TCP 
>>>> data??  If you have a packet file that generates the corrupt data, 
>>>> can you share ???
>>>>
>>>> Sorry, shouldn't be hard to fix.
>>>>
>>>> Carter
>>>>
>>>>
>>>>> On Nov 26, 2013, at 7:13 AM, Jesper Skou Jensen 
>>>>> <jesper.skou.jensen at uni-c.dk> wrote:
>>>>>
>>>>> Now that my compiling issues are fixed, I've moved on to testing 
>>>>> the new Argus and clients.
>>>>>
>>>>> I'm getting some funky results with e.g. racount, but ragraph is 
>>>>> weird too I think and maybe more ra-clients that I haven't tested 
>>>>> with. It looks like an issue with the Argus server and TCP packets.
>>>>>
>>>>> Test with argus file written earlier today with Argus version 3.0.7.3
>>>>> :~# racount -r old.ra
>>>>> racount   records     total_pkts     src_pkts dst_pkts total_bytes        src_bytes          dst_bytes
>>>>>    sum   4039147     58347562       36023110 22324452 38558018790        8629875276         29928143514
>>>>>
>>>>> Test with argus file written just now with Argus version 3.0.7.5
>>>>> :~# racount -r new
>>>>> racount   records     total_pkts     src_pkts dst_pkts total_bytes        src_bytes          dst_bytes
>>>>>    sum   4784540     228845934958855649 218118303098026684 10727631860828965 -6720755720319015608 -7008709186520164355 287953466201148747
>>>>>
>>>>> :~# racount -r new - not tcp
>>>>> racount   records     total_pkts     src_pkts dst_pkts total_bytes        src_bytes          dst_bytes
>>>>>    sum   2852715     23749856       19396421       4353435 4238739977         3599987646         638752331
>>>>>
>>>>> :~# racount -r new - tcp
>>>>> racount   records     total_pkts     src_pkts dst_pkts total_bytes        src_bytes          dst_bytes
>>>>>    sum   1931826     228845934935105793 218118303078630263 10727631856475530 -6720755724557755585 -7008709190120152001 287953465562396416
>>>>>
>>>>>
>>>>> Regards
>>>>> Jesper
>>>>>
>>>>>> On 25-11-2013 18:46, Carter Bullard wrote:
>>>>>> Gentle people,
>>>>>> New software is available on the developers site.  This is a big push
>>>>>> to release, and the packages fix all bugs reported to the mailing list.
>>>>>> Argus fixes some direction issues with ARP transactions, and the clients
>>>>>> fix a number of issues with filters, radium management records, and
>>>>>> adds xz decompression for argus data files.  Many changes to manpages,
>>>>>> and there should be new scripts for updating IANA RIR data fetching,
>>>>>> to maintain the delegated ip address tables.   There is improvement in
>>>>>> GeoIP database use, with some extensions added based on changes in
>>>>>> the API.  The code is in the standard places:
>>>>>>
>>>>>>    http://qosient.com/argus/dev/argus-latest.tar.gz
>>>>>>    http://qosient.com/argus/dev/argus-clients-latest.tar.gz
>>>>>>
>>>>>> Please give these a run, and if there are any problems, get those
>>>>>> complaints in there, so we can release 3.0.8 by the end of the year.
>>>>>>
>>>>>> Hope all is most excellent,
>>>>>>
>>>>>> Carter
>>>
>>> -- 
>>> --+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+- 
>>>
>>> Christopher Wakelin, c.d.wakelin at reading.ac.uk
>>> IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 2908
>>> Whiteknights, Reading, RG6 6AF, UK              Fax: +44 (0)118 975 3094
>>>
>
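A defender-side sanity check for flow telemetry like the rabins bins quoted above and the racount totals earlier in the thread (negative byte totals, bins with a few bytes per packet). This is an added Python example, not code from the argus project; the link-rate ceilings and bytes-per-packet bounds are constructed assumptions for a 1 Gbit/s sensor link, and the sample rows are constructed from the thread's output.

```python
"""Flag implausible 1-second TCP bins in 'ra -c,' / rabins CSV output."""
import csv
import io

# Assumed ceilings for one 1-second bin on a 1 Gbit/s sensor link
# (constructed thresholds; tune them to the monitored link).
MAX_BYTES_PER_SEC = 125_000_000        # 1 Gbit/s expressed in bytes
MAX_PKTS_PER_SEC = 1_500_000           # ~1.49 Mpps of minimum-size frames
MIN_BYTES_PER_PKT = 40                 # IPv4 + TCP headers, no options
MAX_BYTES_PER_PKT = 65_535             # largest IPv4 datagram

def check_bin(row):
    """Return the reasons a ra/rabins CSV row looks corrupt (empty list = OK)."""
    reasons = []
    pkts = int(row["TotPkts"])
    byts = int(row["TotBytes"])
    if pkts < 0 or byts < 0:
        reasons.append("negative counter (signed 64-bit wrap)")
    if pkts > MAX_PKTS_PER_SEC:
        reasons.append("packets exceed link capacity for a 1s bin")
    if byts > MAX_BYTES_PER_SEC:
        reasons.append("bytes exceed link capacity for a 1s bin")
    if pkts > 0:
        bpp = byts / pkts
        if bpp < MIN_BYTES_PER_PKT or bpp > MAX_BYTES_PER_PKT:
            reasons.append(f"implausible {bpp:.1f} bytes/packet")
    return reasons

def scan_ra_csv(text):
    """Parse 'ra -c,' output; return [(StartTime, reasons)] for flagged TCP rows."""
    reader = csv.DictReader(io.StringIO(text), skipinitialspace=True)
    flagged = []
    for row in reader:
        if row["Proto"] != "tcp":
            continue
        reasons = check_bin(row)
        if reasons:
            flagged.append((row["StartTime"], reasons))
    return flagged

# Constructed sample: one sane bin and two corrupt ones modelled on the thread
SAMPLE = """StartTime,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,TotPkts,TotBytes,State
2013-11-26 08:59:57.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,13069,7146344,RST
2013-11-26 09:00:04.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,1425771,27906492,RST
2013-11-26 09:12:54.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,1865562720437464,1127008872225385,RST
"""

if __name__ == "__main__":
    for ts, why in scan_ra_csv(SAMPLE):
        print(ts, "->", "; ".join(why))
```

Running it against a whole file (`ra -c, -r new.ra.rabins`) turns the "counter never resets" symptom into a list of timestamps, which is also the evidence to attach to a bug report.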