4-byte ASN numbers being expressed as floating point numbers by ralabel

The Branches branchbunch at gmail.com
Fri Jun 27 07:32:26 EDT 2014


Hi Carter,

That does not appear to make any difference:
     root at nids:~# ra -s sas:6:%d -r test2.arg
        sAS
       2.18

Varying the format string also appears to have no impact.

Kevin


On 6/26/2014 10:20 PM, Carter Bullard wrote:
> Hey Kevin,
> We have implemented print formats for some fields, and it may be that the bug is in that logic; it's described in the ra man page. Try printing the ASNs with the explicit format %d. I'm not near the code, so forgive my memory if this is not right, but try:
>
>     ra -s +sas:6:%d
>
> see if that changes anything.
>
> Carter
>
>> On Jun 26, 2014, at 9:43 PM, The Branches<branchbunch at gmail.com>  wrote:
>>
>> Carter,
>>
>> I downloaded and built argus-3.0.8.rc.5 and argus-clients-3.0.8.rc.1 (--with-GeoIP=yes) on an Ubuntu 12.04 box today.  Thanks to your helpful documentation, I was able for the first time to get ralabel to mark records with source and dest asn.  It is overall doing a beautiful job, but I noticed in my results a few records with funky asn numbers being reported by ralabel, in floating point decimal format for some reason.  It appears to be happening only with 6-digit ASNs (or more likely 4-byte ASNs).
>>
>> Here is my  /etc/ralabel.conf:
>> RALABEL_GEOIP_ASN=yes
>> RALABEL_GEOIP_ASN_FILE="/usr/local/share/GeoIP/GeoIPASNum.dat"
>>
>> Here I have a single-record argus data file containing an IP in such an ASN:
>>
>> root at nids:~# ra -r test.arg
>>          StartTime      Flgs  Proto            SrcAddr  Sport   Dir            DstAddr  Dport  TotPkts   TotBytes State
>> 06/25/14.00:00:00  e           tcp      110.77.193.19.62694     ->      183.95.147.129.https        35      26462   FIN
>>
>> And here I run ralabel against it:
>>
>> root at nids:~# ralabel -f /etc/ralabel.conf -r test.arg -s sas:10 sco saddr
>>        sAS sCo            SrcAddr
>>                                 0
>>       2.18  TH      110.77.193.19
>>
>> No idea what the line with the lonely "0" is about, but 2.18 sure looks like a funny ASN.   Do I need to provide some special format string to get this to output right or have I flushed out a bug?
>>
>> I love being able to aggregate on ASN now.    Thanks for this wonderful program.  It's been one of my favorite tools in my networking toolbox for years and it just keeps getting better...
>>
>> Kevin