4-byte ASN numbers being expressed as floating point numbers by ralabel

The Branches branchbunch at gmail.com
Thu Jun 26 21:43:45 EDT 2014


Carter,

I downloaded and built argus-3.0.8.rc.5 and argus-clients-3.0.8.rc.1 
(--with-GeoIP=yes) on an Ubuntu 12.04 box today.  Thanks to your helpful 
documentation, I was able for the first time to get ralabel to mark 
records with source and dest asn.  It is overall doing a beautiful job, 
but I noticed in my results a few records with funky asn numbers being 
reported by ralabel, in floating point decimal format for some reason.  
It appears to be happening only with 6-digit ASNs (or more likely 4-byte 
ASNs).

Here is my /etc/ralabel.conf:
RALABEL_GEOIP_ASN=yes
RALABEL_GEOIP_ASN_FILE="/usr/local/share/GeoIP/GeoIPASNum.dat"

Here I have a single-record argus data file containing an IP in such an ASN.

root at nids:~# ra -r test.arg
          StartTime      Flgs  Proto            SrcAddr  Sport   Dir            DstAddr  Dport  TotPkts   TotBytes State
  06/25/14.00:00:00  e           tcp      110.77.193.19.62694     ->     183.95.147.129.https        35      26462   FIN

And here I run ralabel against it:

root at nids:~# ralabel -f /etc/ralabel.conf -r test.arg -s sas:10 sco saddr
        sAS sCo            SrcAddr
                                 0
       2.18  TH      110.77.193.19

No idea what the line with the lonely "0" is about, but 2.18 sure looks 
like a funny ASN. Do I need to provide some special format string to 
get this to output right or have I flushed out a bug?

I love being able to aggregate on ASN now. Thanks for this wonderful 
program. It's been one of my favorite tools in my networking toolbox 
for years and it just keeps getting better...

Kevin
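A worked example added here, not part of Kevin's post and not argus or ralabel code. RFC 5396 defines "asdot" notation for 4-byte ASNs as `high16.low16`, so a value printed as `2.18` would decode as 2 * 65536 + 18 = 131090 if that is what ralabel is emitting; that reading is an assumption, the post itself does not establish why the value is printed that way. Whatever the cause, anyone aggregating flow records on ASN wants every record in one canonical form (asplain) before grouping, so the script below parses ralabel-style `sAS sCo SrcAddr` output, converts asdot values to asplain, flags 4-byte ASNs, and skips rows such as the lone "0" line that carry no usable fields. The first data row is the one from the post; the other two rows use constructed values from the documentation/private ASN ranges and the 192.0.2.0/24 documentation prefix.

```python
"""Normalise ASN labels from ralabel-style output to asplain (RFC 5396)."""

AS_MAX_16 = 0xFFFF
AS_MAX_32 = 0xFFFFFFFF


def asdot_to_asplain(text):
    """Convert "high.low" (asdot) or a plain integer string to an asplain int.

    Raises ValueError for malformed input or components outside 16/32-bit range,
    so a garbage label never silently becomes a valid-looking ASN.
    """
    s = text.strip()
    if "." in s:
        high_s, low_s = s.split(".", 1)
        high, low = int(high_s), int(low_s)
        if not (0 <= high <= AS_MAX_16 and 0 <= low <= AS_MAX_16):
            raise ValueError("asdot component out of range: %r" % text)
        return (high << 16) | low
    asn = int(s)
    if not (0 <= asn <= AS_MAX_32):
        raise ValueError("ASN out of 32-bit range: %r" % text)
    return asn


def asplain_to_asdot(asn):
    """RFC 5396 asdot: ASNs below 65536 stay plain, larger ones print as high.low."""
    if asn <= AS_MAX_16:
        return str(asn)
    return "%d.%d" % (asn >> 16, asn & AS_MAX_16)


def is_four_byte(asn):
    """True when the ASN does not fit the original 16-bit AS number space."""
    return asn > AS_MAX_16


# Constructed sample: first data row is from the post (re-wrapped); the other two
# rows are made up using RFC 5398 documentation ASN 64496, a private 4-byte ASN
# (4200000000), the 192.0.2.0/24 documentation prefix and the "ZZ" placeholder code.
SAMPLE_OUTPUT = """\
        sAS sCo            SrcAddr
                                 0
       2.18  TH      110.77.193.19
      64496  ZZ          192.0.2.1
 4200000000  ZZ          192.0.2.2
"""


def parse_ralabel_output(text):
    """Parse 'sAS sCo SrcAddr' rows into dicts with a canonical asplain ASN.

    Rows that do not carry exactly three fields (the header is skipped by name,
    the lone "0" row has no ASN or country) are dropped rather than guessed at.
    """
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3 or fields[0] == "sAS":
            continue
        asn = asdot_to_asplain(fields[0])
        rows.append({
            "asn": asn,                       # canonical asplain value for grouping
            "asdot": asplain_to_asdot(asn),   # how the same ASN looks in asdot
            "cc": fields[1],
            "saddr": fields[2],
            "four_byte": is_four_byte(asn),
        })
    return rows


def count_by_asn(rows):
    """Aggregate parsed rows by canonical ASN, the grouping the post wants."""
    counts = {}
    for row in rows:
        counts[row["asn"]] = counts.get(row["asn"], 0) + 1
    return counts


if __name__ == "__main__":
    for row in parse_ralabel_output(SAMPLE_OUTPUT):
        print("AS%(asn)-10d asdot=%(asdot)-14s 4byte=%(four_byte)-5s %(cc)s %(saddr)s" % row)
```

Because the converter rejects out-of-range components, a corrupted label like `70000.1` raises instead of producing an ASN that could be mistaken for a real network during aggregation.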