argus-3.0.7.5 and argus-clients-3.0.7.18 on the server
Carter Bullard
carter at qosient.com
Tue Nov 26 11:18:19 EST 2013
Hey Jesper,
Based on this it appears to be more complex than just
argus generating bad records and ra not reading properly ???
If you take rabins() out of the equation, you indicated that you get reasonable results ???
If this is a rabins() problem, can you run it with a time range
of say 10s ??? Does the problem go away ????
I wouldn’t worry about the md5 checksum. Compilers can add all
sorts of stuff to the binary that can vary from run to run.
Carter
On Nov 26, 2013, at 9:09 AM, Jesper Skou Jensen <jesper.skou.jensen at uni-c.dk> wrote:
> Hi again,
>
> I'm running Argus on a Ubuntu 12.04 64bit box.
>
> I have made a few more tests.
>
> :~# rabins -m proto -M hard 1s -r new.ra_tcp -w new.ra.rabins
>
> :~# ra -c, -r new.ra.rabins
> StartTime,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,TotPkts,TotBytes,State
> 2013-11-26 08:59:56.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,42,17092,RST
> 2013-11-26 08:59:57.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,13069,7146344,RST
> 2013-11-26 08:59:58.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,22153,13783222,RST
> 2013-11-26 08:59:59.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,22915,14183156,RST
> 2013-11-26 09:00:00.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,31132,24033624,RST
> 2013-11-26 09:00:01.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,39863,31041200,RST
> 2013-11-26 09:00:02.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,39192,29982877,RST
> 2013-11-26 09:00:03.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,41933,32736196,RST
> 2013-11-26 09:00:04.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,1425771,27906492,RST
> 2013-11-26 09:00:05.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,1506384,29238753,RST
> 2013-11-26 09:00:06.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,1507208,30738591,RST
> [and so on until the counter goes completely haywire]
> 2013-11-26 09:12:48.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,797794923,60552173,RST
> 2013-11-26 09:12:49.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,524708445,57910501,RST
> 2013-11-26 09:12:50.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,481074976,56542127,RST
> 2013-11-26 09:12:51.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,468298779,59030688,RST
> 2013-11-26 09:12:52.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,468296156,55605938,RST
> 2013-11-26 09:12:53.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,468296374,56253772,RST
> 2013-11-26 09:12:54.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,1865562720437464,1127008872225385,RST
> 2013-11-26 09:12:55.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,441135061,59037550,RST
> 2013-11-26 09:12:56.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,2661123791534017,3460172017613613187,RST
> 2013-11-26 09:12:57.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,441134997,58596098,RST
> 2013-11-26 09:12:58.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,2656678500379720,101051059395042031,RST
> 2013-11-26 09:12:59.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,441137631,59840956,RST
> 2013-11-26 09:13:00.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,1188814894848872,182960092986404660,RST
> 2013-11-26 09:13:01.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,431265690,58555620,RST
> 2013-11-26 09:13:02.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,424319640,58103639,RST
> 2013-11-26 09:13:03.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,421342441,58419207,RST
> [and towards the end of the file]
> 2013-11-26 09:14:49.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,8444761242380627,292738444997133411,RST
> 2013-11-26 09:14:50.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,644919965942377,187465359791945283,RST
> 2013-11-26 09:14:51.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,2977851434645235,101051059372919085,RST
> 2013-11-26 09:14:52.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,578738536163405,94014215023230728,RST
> 2013-11-26 09:14:53.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,1642641127088000,288798147512237978,RST
> 2013-11-26 09:14:54.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,473597999054701,195629066118682560,RST
> 2013-11-26 09:14:55.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,4261291262971956,289923927150221213,RST
> 2013-11-26 09:14:56.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,3977501532263536,100491747284477729,RST
> 2013-11-26 09:14:57.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,2533043399182272,193657959585547021,RST
> 2013-11-26 09:14:58.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,2735894436062247,565715921474337,RST
> 2013-11-26 09:14:59.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,3900865928893536,198161408877067769,RST
>
> It looks like it's never resetting the bytes/packet counter?
>
> When looking at the new.ra Argus log file, everything appears to be just fine.
>
>
> PS. I'm running Argus with fairly standard options, but maybe -S option is what confuses the new Argus?
> argus -i eth1 -P 561 -S 5 -e 1 -w /var/log/argus.log
>
>
> Regards
> Jesper
>
>
> On 26-11-2013 14:49, Carter Bullard wrote:
>> Hey Chris,
>> I've been running many combinations of old vs new and I'm not seeing anything amiss, but all you need is one.
>>
>> Carter
>>
>>> On Nov 26, 2013, at 8:43 AM, Chris Wakelin <c.d.wakelin at reading.ac.uk> wrote:
>>>
>>> I've been running 3.0.7.5 / 3.0.7.18 (replacing 3.0.7.4 / 3.0.7.16) on
>>> the student network for about an hour. Seems OK to me, with
>>> racount/ratop behaving as expected.
>>>
>>> Best Wishes,
>>> Chris
>>>
>>>> On 26/11/13 13:22, Carter Bullard wrote:
>>>> Hey Jesper,
>>>> This is why we have to test and test and test :O(
>>>> Something must have crept into the code, as other bizarreness is being reported. However, I am not seeing anything odd. What machine type and OS are you using ???
>>>>
>>>> Did you print out any records to see if all were corrupt, or only one ??
>>>>
>>>> Can you send a sample argus-3.0.5 output file with the bad TCP data?? If you have a packet file that generates the corrupt data, can you share ???
>>>>
>>>> Sorry, shouldn't be hard to fix.
>>>>
>>>> Carter
>>>>
>>>>
>>>>> On Nov 26, 2013, at 7:13 AM, Jesper Skou Jensen <jesper.skou.jensen at uni-c.dk> wrote:
>>>>>
>>>>> Now that my compiling issues are fixed, I've moved on to testing the new Argus and clients.
>>>>>
>>>>> I'm getting some funky results with eg. racount, but ragraph is weird too I think and maybe more ra-clients that I haven't tested with. It looks like an issue with the Argus server and TCP packets.
>>>>>
>>>>> Test with argus file written earlier today with Argus version 3.0.7.3
>>>>> :~# racount -r old.ra
>>>>> racount records total_pkts src_pkts dst_pkts total_bytes src_bytes dst_bytes
>>>>> sum 4039147 58347562 36023110 22324452 38558018790 8629875276 29928143514
>>>>>
>>>>> Test with argus file written just now with Argus version 3.0.7.5
>>>>> :~# racount -r new
>>>>> racount records total_pkts src_pkts dst_pkts total_bytes src_bytes dst_bytes
>>>>> sum 4784540 228845934958855649 218118303098026684 10727631860828965 -6720755720319015608 -7008709186520164355 287953466201148747
>>>>>
>>>>> :~# racount -r new - not tcp
>>>>> racount records total_pkts src_pkts dst_pkts total_bytes src_bytes dst_bytes
>>>>> sum 2852715 23749856 19396421 4353435 4238739977 3599987646 638752331
>>>>>
>>>>> :~# racount -r new - tcp
>>>>> racount records total_pkts src_pkts dst_pkts total_bytes src_bytes dst_bytes
>>>>> sum 1931826 228845934935105793 218118303078630263 10727631856475530 -6720755724557755585 -7008709190120152001 287953465562396416
>>>>>
>>>>>
>>>>> Regards
>>>>> Jesper
>>>>>
>>>>>> On 25-11-2013 18:46, Carter Bullard wrote:
>>>>>> Gentle people,
>>>>>> New software is available on the developers site. This is a big push
>>>>>> to release, and the packages fix all bugs reported to the mailing list.
>>>>>> Argus fixes some direction issues with ARP transactions, and the clients
>>>>>> fix a number of issues with filters, radium management records, and
>>>>>> adds xz decompression for argus data files. Many changes to manpages,
>>>>>> and there should be new scripts for updating IANA RIR data fetching,
>>>>>> to maintain the delegated ip address tables. There is improvement in
>>>>>> GeoIP database use, with some extensions added based on changes in
>>>>>> the API. The code is in the standard places:
>>>>>>
>>>>>> http://qosient.com/argus/dev/argus-latest.tar.gz
>>>>>> http://qosient.com/argus/dev/argus-clients-latest.tar.gz
>>>>>>
>>>>>> Please give these a run, and if there are any problems, get those
>>>>>> complaints in there, so we can release 3.0.8 by the end of the year.
>>>>>>
>>>>>> Hope all is most excellent,
>>>>>>
>>>>>> Carter
>>>
>>> --
>>> --+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
>>> Christopher Wakelin, c.d.wakelin at reading.ac.uk
>>> IT Services Centre, The University of Reading, Tel: +44 (0)118 378 2908
>>> Whiteknights, Reading, RG6 6AF, UK Fax: +44 (0)118 975 3094
>>>
>
>
Carter Bullard
CEO/President
QoSient, LLC
150 E 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax
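A sanity check over the client output quoted in this thread, added here as an illustration; it is not code from argus, argus-clients, or any of the posters. It parses `ra -c,` CSV rows and `racount` summaries and flags counters that cannot describe real traffic: negative totals (a signed 64-bit counter that has wrapped), src + dst not adding up to the total, an average packet size below the IPv4 minimum or above the IPv4 maximum, and, for fixed-width `rabins` bins, byte or packet counts that exceed what the monitored link could carry in that window. The 10 Gbit/s link speed, the 64-byte minimum frame, and the one-second bin width are assumptions chosen for the demo; the sample rows are copied from the rabins and racount output above.

```python
"""Plausibility checks for argus client output.

Added illustration for the thread above; it is not code from argus or
argus-clients.  It parses two text formats that appear in the messages:
  * ``ra -c,`` CSV rows  (StartTime,Proto,...,TotPkts,TotBytes,State)
  * ``racount`` summaries (racount records total_pkts ... dst_bytes)
and flags counters that cannot describe real traffic.  The link speed,
bin width and byte bounds are assumptions chosen for the demo.
"""
import csv
import io

LINK_BITS_PER_SEC = 10_000_000_000   # assumed 10 Gbit/s monitored interface
MIN_BYTES_PER_PKT = 20               # IPv4 header without options
MAX_BYTES_PER_PKT = 65_535           # largest IPv4 datagram
MIN_FRAME_BYTES = 64                 # smallest Ethernet frame, bounds packets/s


def check_bin(pkts, nbytes, bin_seconds=None):
    """Return reasons a (packets, bytes) pair is implausible; [] if it looks sane.

    bin_seconds is the aggregation window (e.g. 1 for ``rabins -M hard 1s``);
    pass None when the window is unknown, as for a whole-file racount.
    """
    if pkts < 0 or nbytes < 0:
        return ["negative counter (signed 64-bit overflow?)"]
    if pkts == 0 and nbytes == 0:
        return []
    if pkts == 0 or nbytes == 0:
        return ["packets without bytes, or bytes without packets"]
    reasons = []
    avg = nbytes / pkts
    if avg < MIN_BYTES_PER_PKT:
        reasons.append(f"avg {avg:.2f} B/pkt is below the IPv4 minimum")
    elif avg > MAX_BYTES_PER_PKT:
        reasons.append(f"avg {avg:.0f} B/pkt is above the IPv4 maximum")
    if bin_seconds is not None:
        max_bytes = LINK_BITS_PER_SEC // 8 * bin_seconds
        if nbytes > max_bytes:
            reasons.append(f"{nbytes} B in {bin_seconds}s exceeds link capacity")
        if pkts > max_bytes // MIN_FRAME_BYTES:
            reasons.append(f"{pkts} pkts in {bin_seconds}s exceeds line-rate packet count")
    return reasons


def check_ra_csv(text, bin_seconds=1):
    """Parse ``ra -c,`` output; return [(StartTime, reasons)] for implausible rows."""
    flagged = []
    for row in csv.DictReader(io.StringIO(text.strip())):
        reasons = check_bin(int(row["TotPkts"]), int(row["TotBytes"]), bin_seconds)
        if reasons:
            flagged.append((row["StartTime"], reasons))
    return flagged


def check_racount(text):
    """Parse a ``racount`` summary; return reasons its totals are inconsistent."""
    header, values = (line.split() for line in text.strip().splitlines()[:2])
    cols = dict(zip(header[1:], (int(v) for v in values[1:])))  # skip 'racount' / 'sum'
    reasons = [f"{name} is negative: {v}" for name, v in cols.items() if v < 0]
    if cols["src_pkts"] + cols["dst_pkts"] != cols["total_pkts"]:
        reasons.append("src_pkts + dst_pkts != total_pkts")
    if cols["src_bytes"] + cols["dst_bytes"] != cols["total_bytes"]:
        reasons.append("src_bytes + dst_bytes != total_bytes")
    if not reasons:
        reasons = check_bin(cols["total_pkts"], cols["total_bytes"])
    return reasons


# Sample input: rows copied from the rabins/racount output quoted in this thread.
RA_BINS = """\
StartTime,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,TotPkts,TotBytes,State
2013-11-26 08:59:56.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,42,17092,RST
2013-11-26 09:00:03.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,41933,32736196,RST
2013-11-26 09:00:04.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,1425771,27906492,RST
2013-11-26 09:12:48.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,797794923,60552173,RST
2013-11-26 09:12:54.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,1865562720437464,1127008872225385,RST
2013-11-26 09:12:56.000000,tcp,0.0.0.0,*, ->,0.0.0.0,*,2661123791534017,3460172017613613187,RST
"""

RACOUNT_OLD = """\
racount   records     total_pkts  src_pkts   dst_pkts   total_bytes  src_bytes   dst_bytes
   sum    4039147     58347562    36023110   22324452   38558018790  8629875276  29928143514
"""

RACOUNT_NEW = """\
racount   records   total_pkts          src_pkts            dst_pkts           total_bytes           src_bytes             dst_bytes
   sum    4784540   228845934958855649  218118303098026684  10727631860828965  -6720755720319015608  -7008709186520164355  287953466201148747
"""

if __name__ == "__main__":
    for when, why in check_ra_csv(RA_BINS, bin_seconds=1):
        print(when, "->", "; ".join(why))
    print("old racount:", check_racount(RACOUNT_OLD) or "ok")
    print("new racount:", "; ".join(check_racount(RACOUNT_NEW)))
```

Run it against a file with `ra -c, -r new.ra.rabins | python3 check.py` style piping (reading stdin instead of the embedded sample) to see at which bin the counters first leave the plausible range. Note that the 09:12:56 row passes the bytes-per-packet test (about 1300 B/pkt) and is only caught by the link-capacity check, and that the new racount totals are internally consistent (src + dst still equals total) and are caught only because two of them are negative; a single heuristic is not enough, which is why the checks are layered.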