pcr filtering
CS Lee
geek00l at gmail.com
Thu Apr 24 21:26:05 EDT 2014
Hi Carter,
After applying the changes, here's what I get -
ra -nr ssh-normal.arg3 -s saddr daddr pcr
SrcAddr DstAddr PCRatio
192.168.221.1 192.168.221.128 -0.320590
192.168.221.1 192.168.221.128 -1.000000
192.168.221.1 192.168.221.128 -0.758157
192.168.221.1 192.168.221.128 -0.973510
192.168.221.1 192.168.221.128 -0.771429
192.168.221.1 192.168.221.128 -0.901993
192.168.221.1 192.168.221.128 -0.261261
192.168.221.1 192.168.221.128 -0.137255
192.168.221.1 192.168.221.128 -0.411765
192.168.221.1 192.168.221.128 -0.088608
192.168.221.1 192.168.221.128 0.000000
192.168.221.1 192.168.221.128 0.000000
192.168.221.1 192.168.221.128 -0.024390
192.168.221.1 192.168.221.128 -0.032258
192.168.221.1 192.168.221.128 -0.573333
192.168.221.1 192.168.221.128 -0.087719
ra -nr ssh-normal.arg3 -s saddr daddr pcr - 'pcr eq 0'
SrcAddr DstAddr PCRatio
192.168.221.1 192.168.221.128 0.000000
192.168.221.1 192.168.221.128 0.000000
ra -nr ssh-normal.arg3 -s saddr daddr pcr - 'pcr eq -1'
ra -nr ssh-normal.arg3 -s saddr daddr pcr - 'pcr eq -1.0'
SrcAddr DstAddr PCRatio
192.168.221.1 192.168.221.128 -1.000000
You can see it is not working properly. I can do pcr eq 1 and pcr eq 0
without problems; however, pcr eq -1 doesn't work, while on the other
hand pcr eq -1.0 works, so I ran with -b to see why -
ra -b -nr ssh-normal.arg3 -s saddr daddr pcr - 'pcr eq -1.0'
(000) ldb hdr[0]
(001) and #16
(002) jeq #0x10 jt 3 jf 6
(003) ldf hdr[216]
(004) jeq #-1.000000 jt 5 jf 6
(005) ret #150
(006) ret #0
ra -b -nr ssh-normal.arg3 -s saddr daddr pcr - 'pcr eq -1'
(000) ldb hdr[0]
(001) and #16
(002) jeq #0x10 jt 3 jf 6
(003) ldf hdr[216]
(004) jeq #4294967296.000000 jt 5 jf 6
(005) ret #150
(006) ret #0
I have also tried to test whether eq works for other values like -0.573333,
but it fails.
On Fri, Apr 25, 2014 at 12:47 AM, Carter Bullard <carter at qosient.com> wrote:
> Hey CS Lee,
> Yep, here is the patch. We’re doing all these signbit() operations,
> as we have a number of metrics that need to test for -0.0.
>
> I’ll put up 3.0.7.25 later this week with this patch in.
>
>
> horus:common carter$ diff argus_filter.c.orig argus_filter.c
> 203c203
> < return ((F == f) ? ((F == 0) ? (signbit(F) == signbit(f)) : 0) : 0);
> ---
> > return ((F == f) ? ((F == 0) ? (signbit(F) == signbit(f)) : 1) : 0);
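Review bot: the change from `: 0)` to `: 1)` in the non-zero arm is the actual fix: before it, `F == f` with a non-zero F still returned 0, so `eq` could only ever match zero, which is exactly the `pcr eq 1` failure reported below; the patched line returns true for equal non-zero values and keeps the sign-bit test for zero so 0.0 and -0.0 stay distinguishable. Two points on the line itself. `signbit()` is only specified to return zero or non-zero, so `(signbit(F) == signbit(f))` is more robustly written as `(!!signbit(F) == !!signbit(f))` should F and f ever be of different floating types. The patch also does not touch literal parsing: the `ra -b` output in the reply shows `jeq #4294967296.000000` for `pcr eq -1` but `jeq #-1.000000` for `pcr eq -1.0`, and 4294967296 is what -1 becomes when stored as an unsigned 32-bit value and then rounded to float, so negative integer literals will still not match until that path is handled separately.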
>
> If you could give this a run, that would be great !!!
>
> Carter
>
>
> On Apr 23, 2014, at 11:54 PM, CS Lee <geek00l at gmail.com> wrote:
>
> > Hi Carter,
> >
> > The filter behaves in an odd way; the "eq" is not working.
> >
> > ra -nr ssh-file-transfer.arg3 -s saddr daddr pcr
> > SrcAddr DstAddr PCRatio
> > 192.168.221.1 192.168.221.128 -0.319952
> > 192.168.221.1 192.168.221.128 -0.138358
> > 192.168.221.1 192.168.221.128 0.814701
> > 192.168.221.1 192.168.221.128 0.996873
> > 192.168.221.1 192.168.221.128 1.000000
> >
> > analyzt at nsmon:~/i-Pcaps$ ra -nr ssh-file-transfer.arg3 -s saddr daddr pcr - 'pcr lt 0.5'
> > SrcAddr DstAddr PCRatio
> > 192.168.221.1 192.168.221.128 -0.319952
> > 192.168.221.1 192.168.221.128 -0.138358
> >
> > analyzt at nsmon:~/i-Pcaps$ ra -nr ssh-file-transfer.arg3 -s saddr daddr pcr - 'pcr eq 1'
> >
> > ra -b -nr ssh-file-transfer.arg3 -s saddr daddr pcr - 'pcr eq 1'
> > (000) ldb hdr[0]
> > (001) and #16
> > (002) jeq #0x10 jt 3 jf 6
> > (003) ldf hdr[216]
> > (004) jeq #1.000000 jt 5 jf 6
> > (005) ret #150
> > (006) ret #0
> >
> > I have the record with pcr = 1 but it doesn't come out. I tried with
> > other values as well and the result is the same. However, the gte/lte/gt/lt
> > seem to work.
> >
> >
> >
> > On Tue, Apr 22, 2014 at 11:32 PM, Carter Bullard <carter at qosient.com> wrote:
> > Hey CS Lee, et al.
> >
> > A new argus-clients-3.0.7.24 is on the server. Available here:
> > http://qosient.com/argus/dev/argus-clients-latest.tar.gz
> >
> > Fixes all the filter issues with pcr, which also affected some
> > of the other metadata filters, like rate, load, etc…
> > This also has a lot of man page additions.
> >
> > This version should be good for release. If you find anything
> > wrong, please holler !!!!
> >
> > Thanks !!!
> >
> > Carter
> >
> > On Apr 21, 2014, at 6:42 AM, Carter Bullard <carter at qosient.com> wrote:
> >
> >> Hey CS Lee,
> >> Yes, I have a fix in the 24 code, just haven't had a chance to push it
> >> up. My fault, should get something up, hopefully today/tonight !!!
> >>
> >> Carter
> >>
> >> On Apr 19, 2014, at 10:20 AM, CS Lee <geek00l at gmail.com> wrote:
> >>
> >>> Hi Carter,
> >>>
> >>> I think I encountered the same issue as Jess regarding pcr filtering -
> >>>
> >>> ra -nr test.arg3 -s saddr daddr pcr - 'pcr lt 0.5'
> >>> SrcAddr DstAddr PCRatio
> >>> 192.168.221.1 192.168.221.128 -0.319952
> >>> 192.168.221.1 192.168.221.128 -0.138358
> >>> 192.168.221.1 192.168.221.128 0.814701
> >>> 192.168.221.1 192.168.221.128 0.996873
> >>> 192.168.221.1 192.168.221.128 1.000000
> >>>
> >>> ra -b -nr test.arg3 -s saddr daddr pcr - 'pcr lt 0.5'
> >>> (000) ldb hdr[0]
> >>> (001) and #16
> >>> (002) jeq #0x10 jt 3 jf 6
> >>> (003) ldf hdr[360]
> >>> (004) jge #0.500000 jt 6 jf 5
> >>> (005) ret #150
> >>> (006) ret #0
> >>>
> >>> Non-matching flows also show up in the filter; by the way, I'm using
> >>> argus client 3.0.7.23 on Ubuntu Linux.
> >>>
> >>>
> >>> --
> >>> Best Regards,
> >>>
> >>> CS Lee<geek00L[at]gmail.com>
> >>>
> >>> http://geek00l.blogspot.com
> >>> http://defcraft.com.my
> >
> >
> >
> >
> > --
> > Best Regards,
> >
> > CS Lee<geek00L[at]gmail.com>
> >
> > http://geek00l.blogspot.com
> > http://defcraft.net
>
>
--
Best Regards,
CS Lee<geek00L[at]gmail.com>
http://geek00l.blogspot.com
http://defcraft.net
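An added example, not code from this thread or from argus itself: it reproduces the before and after versions of the one-line predicate from the quoted argus_filter.c diff so the `pcr eq 1` and `0.0` vs `-0.0` cases can be checked directly, and adds an assumed model (`literal_as_unsigned`, a hypothetical name like the other two) of how the literal `-1` could turn into the `4294967296.000000` seen in the `ra -b` listing.

```c
#include <math.h>
#include <stdio.h>

/* Added example, not argus code. pcr_eq_before/pcr_eq_after reproduce the
 * two versions of the one-line predicate from the quoted diff to
 * argus_filter.c; literal_as_unsigned is an assumed model of how "-1" could
 * end up as 4294967296.0 in the "ra -b" listing. All names are hypothetical. */

/* Before the patch: when F == f and F is non-zero the expression reaches the
 * trailing ": 0", so equal non-zero values never compare equal. That is why
 * 'pcr eq 1' returned nothing although a record with pcr = 1 existed. */
static int pcr_eq_before(float F, float f)
{
    return ((F == f) ? ((F == 0) ? (signbit(F) == signbit(f)) : 0) : 0);
}

/* After the patch: equal non-zero values compare equal (": 1"). Zero still
 * has to agree in sign bit, so 0.0 and -0.0 stay distinguishable, which the
 * maintainer wants for metrics that must test for -0.0. */
static int pcr_eq_after(float F, float f)
{
    return ((F == f) ? ((F == 0) ? (signbit(F) == signbit(f)) : 1) : 0);
}

/* Assumed model of the integer-literal path: -1 stored in a 32-bit unsigned
 * slot is 4294967295, and widening that to float rounds it to 4294967296.0
 * (float keeps 24 significant bits). Writing -1.0 takes the float path and
 * yields -1.0, matching the two listings in the thread. */
static float literal_as_unsigned(int v)
{
    unsigned int u = (unsigned int) v;
    return (float) u;
}

int main(void)
{
    /* Constructed sample values taken from the pcr columns in the thread. */
    const float samples[] = { -0.573333f, -1.0f, 0.0f, 1.0f };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("pcr eq %f: before=%d after=%d\n", samples[i],
               pcr_eq_before(samples[i], samples[i]),
               pcr_eq_after(samples[i], samples[i]));

    printf("0.0 eq -0.0 after patch: %d\n", pcr_eq_after(0.0f, -0.0f));
    printf("literal -1 through unsigned path: %f\n", literal_as_unsigned(-1));
    return 0;
}
```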