Filter type 'appbytes' behavior unexpected

John Gerth gerth at graphics.stanford.edu
Mon Oct 7 02:43:54 EDT 2013


I believe this is the correct behavior.

The way to think about this is that the field names used in "-s " specifications
do not have the same meaning as the field names in the pcap-like filters.

In filter fields, they follow the tcpdump convention where an unqualified name means "either".
For example, "host fred" means "src host fred or dst host fred".

In "-s " specifications, qualified names are single tokens, as in sappbytes and dappbytes,
and an unqualified name like appbytes for a count field means "aggregate".

I have tripped over this myself in the past and casually imagined various extensions, but
the design is not obvious and implementation could be tricky so one would want
to be careful.

/J

On 10/6/13 8:16 PM, Jesse Bowling wrote:
> Hello,
> 
> I noticed while looking at some data that using the filter type
> 'appbytes' appears to filter on either sappbytes or dappbytes, but not
> on appbytes, which is unexpected to me. From the man page:
> 
>        [src | dst] appbytes [gt | gte | lt | lte | eq] number
>               True if the application byte count in the Argus record
> (default) equals number.
> 
> For instance, I would expect this invocation:
> 
> ra -r test.argus -s sappbytes dappbytes appbytes - appbytes eq 2760
> 
> To display output for only flows whose total application bytes
> (appbytes) equals 2760. Instead the behavior I see is that I get flows
> which have 2760 bytes in either sappbytes or dappbytes.
> 
>    SAppBytes    DAppBytes TotAppByte
>          151         2760       2911
>          169         2760       2929
>         2760          151       2911
>          151         2760       2911
> 
> I can see the utility of this behavior, but based on the documentation I
> would not expect this result. I'm seeing the same results from 3.0.7.9
> -> 3.0.7.15.
> 
> Is the current behavior the 'correct' behavior or a bug?
> 
> Thanks,
> 
> Jesse
> 
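The two readings of an unqualified count field that John contrasts, as an added Python model (not argus code, and not the project's own filter implementation): the "either" semantics the filter actually uses versus the aggregate comparison Jesse expected, evaluated over flow records constructed from the table in the quoted mail plus one extra record.

```python
import re

# Constructed flow records mirroring the table in the quoted mail, plus one extra
# (1380/1380) whose aggregate is 2760 but neither side is. Not real argus output.
RECORDS = [
    {"sappbytes": 151, "dappbytes": 2760},
    {"sappbytes": 169, "dappbytes": 2760},
    {"sappbytes": 2760, "dappbytes": 151},
    {"sappbytes": 151, "dappbytes": 2760},
    {"sappbytes": 1380, "dappbytes": 1380},
]

OPS = {
    "gt": lambda a, b: a > b, "gte": lambda a, b: a >= b,
    "lt": lambda a, b: a < b, "lte": lambda a, b: a <= b,
    "eq": lambda a, b: a == b,
}

# Grammar from the man page excerpt: [src | dst] appbytes [gt|gte|lt|lte|eq] number
FILTER_RE = re.compile(r"^(?:(src|dst)\s+)?appbytes\s+(gt|gte|lt|lte|eq)\s+(\d+)$")

def parse_filter(expr):
    m = FILTER_RE.match(expr.strip())
    if not m:
        raise ValueError(f"unsupported filter expression: {expr!r}")
    qual, op, num = m.groups()
    return qual, op, int(num)

def matches_filter(record, expr):
    """Filter semantics as John describes them: an unqualified name means
    'src ... or dst ...', exactly like 'host fred' in tcpdump."""
    qual, op, num = parse_filter(expr)
    cmp = OPS[op]
    if qual == "src":
        return cmp(record["sappbytes"], num)
    if qual == "dst":
        return cmp(record["dappbytes"], num)
    return cmp(record["sappbytes"], num) or cmp(record["dappbytes"], num)

def matches_aggregate(record, expr):
    """The reading Jesse expected: an unqualified name compares the total,
    i.e. the value the '-s appbytes' column prints (sappbytes + dappbytes)."""
    qual, op, num = parse_filter(expr)
    if qual is not None:
        return matches_filter(record, expr)
    return OPS[op](record["sappbytes"] + record["dappbytes"], num)

def select(records, expr, semantics):
    # Indexes of records that pass expr under the given semantics.
    return [i for i, r in enumerate(records) if semantics(r, expr)]
```

Under the filter's real semantics all four records from the mail pass "appbytes eq 2760" and the 1380/1380 record does not; under the aggregate reading only the 1380/1380 record passes, which is why a byte threshold meant for the total must be checked against the printed aggregate column rather than relied on in the filter.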


