argus-clients 3.0.7.25 - floating point in filters

John Gerth gerth at graphics.stanford.edu
Wed Apr 30 23:22:18 EDT 2014 

Exact comparison of floating point values is an extremely tricky business.
Remember that even though the pcr below might print as " -0.573333 ", the
print values are rounded by default to 6 significant figures.  Also, IEEE
binary floating point values have to be converted to decimal for printing
so some bit patterns might not be exactly represented.

When filtering on floating point, it's advisable to use a range, e.g

   ra .... - pcr gt -0.58 and pcr lt -0.57


John Gerth

On 4/30/14 7:49 PM, CS Lee wrote:
> hi Carter,
> 
> I grabbed the latest argus clients and still have problem with the filter, for example
> 
> ra -nr ssh-normal.arg3 -s saddr daddr pcr
>            SrcAddr            DstAddr    PCRatio
>      192.168.221.1    192.168.221.128  -0.320590
>      192.168.221.1    192.168.221.128  -1.000000
>      192.168.221.1    192.168.221.128  -0.758157
>      192.168.221.1    192.168.221.128  -0.973510
>      192.168.221.1    192.168.221.128  -0.771429
>      192.168.221.1    192.168.221.128  -0.901993
>      192.168.221.1    192.168.221.128  -0.261261
>      192.168.221.1    192.168.221.128  -0.137255
>      192.168.221.1    192.168.221.128  -0.411765
>      192.168.221.1    192.168.221.128  -0.088608
>      192.168.221.1    192.168.221.128   0.000000
>      192.168.221.1    192.168.221.128   0.000000
>      192.168.221.1    192.168.221.128  -0.024390
>      192.168.221.1    192.168.221.128  -0.032258
>      192.168.221.1    192.168.221.128  -0.573333
>      192.168.221.1    192.168.221.128  -0.087719
> 
> Looks good if I just use the filter to match rounded value -
> ra -nr ssh-normal.arg3 -s saddr daddr pcr - 'pcr eq 0'  
>            SrcAddr            DstAddr    PCRatio
>      192.168.221.1    192.168.221.128   0.000000
>      192.168.221.1    192.168.221.128   0.000000
> 
> ra -nr ssh-normal.arg3 -s saddr daddr pcr - 'pcr eq -1'
>            SrcAddr            DstAddr    PCRatio
>      192.168.221.1    192.168.221.128  -1.000000
> 
> For floating value, it seems not working -
> 
> ra -nr ssh-normal.arg3 -s saddr daddr pcr - 'pcr eq -0.573333'
> No output
> 
> ra -nr ssh-normal.arg3 -s saddr daddr pcr - 'pcr eq -0.024390'
> No output
> 
> -- 
> Best Regards,
> 
> CS Lee<geek00L[at]gmail.com <http://gmail.com>>
> 
> http://geek00l.blogspot.com
> http://defcraft.net

More information about the argus mailing list