4-byte ASN numbers being expressed as floating point numbers by ralabel
Carter Bullard
carter at qosient.com
Fri Jun 27 12:54:47 EDT 2014
Carter,
I’ll make the change now. And I’ll add an option to the configuration to specify
the AS Number format.
Carter
On Jun 27, 2014, at 12:45 PM, Kevin Branch <kevin at branchnetconsulting.com> wrote:
> Personally I'd vote for asplain all around. I've helped a couple of clients get BGP multi-homed in the last few years, and done a bit of BGP and ASN level diagnostic work, but until today I'd never even seen an ASN referred to in asdot+ format, nor did I know that such a format existed. A plain old integer would be easiest for me to correlate with the other places I plug in and read about ASNs. I wonder why they ever came up with such an exotic way to represent a 4-byte number. I'd suggest either defaulting to asplain or making it an option somehow. Thanks, Carter!
>
>
> On Fri, Jun 27, 2014 at 12:29 PM, Carter Bullard <carter at qosient.com> wrote:
> Hey Kevin,
> OK. Sorry, I had to research a bit. For 4-byte ASNs, we’re printing out “asdot” format,
> and “asplain” for 16-bit values by default. These are defined in RFC 5396. I’ve included
> the definition below.
>
> Probably should print either “asdot+” or “asplain” for all ASNs. Do you have an opinion ???
>
> 2. Taxonomy of Representation Formats
>
>
> A taxonomy of representation for AS numbers is as follows:
>
> asplain
> refers to a syntax scheme of representing all AS numbers using
> decimal integer notation. Using asplain notation, an AS number of
> value 65526 would be represented as the string "65526" and an AS
> number of value 65546 would be represented as the string "65546".
>
> asdot+
> refers to a syntax scheme of representing all AS numbers using a
> notation of two integer values joined by a period character: <high
> order 16-bit value in decimal>.<low order 16-bit value in
> decimal>. Using asdot+ notation, an AS number of value 65526
> would be represented as the string "0.65526" and an AS number of
> value 65546 would be represented as the string "1.10".
>
> asdot
> refers to a syntax scheme of representing AS number values less
> than 65536 using asplain notation and representing AS number
> values equal to or greater than 65536 using asdot+ notation.
> Using asdot notation, an AS number of value 65526 would be
> represented as the string "65526" and an AS number of value 65546
> would be represented as the string "1.10".
>
>
> Carter
>
>
> On Jun 26, 2014, at 9:43 PM, The Branches <branchbunch at gmail.com> wrote:
>
>> Carter,
>>
>> I downloaded and built argus-3.0.8.rc.5 and argus-clients-3.0.8.rc.1 (--with-GeoIP=yes) on an Ubuntu 12.04 box today. Thanks to your helpful documentation, I was able for the first time to get ralabel to mark records with source and dest asn. It is overall doing a beautiful job, but I noticed in my results a few records with funky asn numbers being reported by ralabel, in floating point decimal format for some reason. It appears to be happening only with 6-digit ASNs (or more likely 4-byte ASNs).
>>
>> Here is my /etc/ralabel.conf:
>> RALABEL_GEOIP_ASN=yes
>> RALABEL_GEOIP_ASN_FILE="/usr/local/share/GeoIP/GeoIPASNum.dat"
>>
>> Here I have a single-record argus data file containing an IP in such an ASN
>>
>> root@nids:~# ra -r test.arg
>> StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport TotPkts TotBytes State
>> 06/25/14.00:00:00 e tcp 110.77.193.19.62694 -> 183.95.147.129.https 35 26462 FIN
>>
>> And here I run ralabel against it
>>
>> root@nids:~# ralabel -f /etc/ralabel.conf -r test.arg -s sas:10 sco saddr
>> sAS sCo SrcAddr
>> 0
>> 2.18 TH 110.77.193.19
>>
>> No idea what the line with the lonely "0" is about, but 2.18 sure looks like a funny ASN. Do I need to provide some special format string to get this to output right or have I flushed out a bug?
>>
>> I love being able to aggregate on ASN now. Thanks for this wonderful program. It's been one of my favorite tools in my networking toolbox for years and it just keeps getting better...
>>
>> Kevin
>>
>>
>>
>>
>>
>
>
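Added example, not part of the original thread and not argus code: a converter between the three RFC 5396 notations quoted above, showing that the `2.18` printed by ralabel is AS 131090 in asplain. The function names are assumptions made for illustration; values are handled as strings throughout, because reading `1.10` as a floating point number drops the trailing zero and yields a different AS number.

```python
import re

ASN_MAX = 0xFFFFFFFF  # largest 4-byte AS number
_PLAIN = re.compile(r"[0-9]+")
_DOTTED = re.compile(r"([0-9]+)\.([0-9]+)")


def parse_asn(text):
    """Return the integer value of an asplain, asdot+ or asdot string."""
    text = text.strip()
    if _PLAIN.fullmatch(text):
        value = int(text)
    else:
        m = _DOTTED.fullmatch(text)
        if not m:
            raise ValueError(f"not an AS number: {text!r}")
        high, low = int(m.group(1)), int(m.group(2))
        if high > 0xFFFF or low > 0xFFFF:
            raise ValueError(f"16-bit half out of range: {text!r}")
        value = (high << 16) | low
    if value > ASN_MAX:
        raise ValueError(f"exceeds 32 bits: {text!r}")
    return value


def format_asn(value, style="asplain"):
    """Render an integer AS number in one of the RFC 5396 notations."""
    if not 0 <= value <= ASN_MAX:
        raise ValueError(f"out of range: {value}")
    dotted = f"{value >> 16}.{value & 0xFFFF}"
    if style == "asplain":
        return str(value)
    if style == "asdot+":
        return dotted
    if style == "asdot":
        return str(value) if value < 65536 else dotted
    raise ValueError(f"unknown style: {style!r}")


def relabel_row(row, style="asplain"):
    """Rewrite the leading sAS field of one whitespace-separated output row."""
    fields = row.split()
    if not fields:
        return row
    fields[0] = format_asn(parse_asn(fields[0]), style)
    return " ".join(fields)


if __name__ == "__main__":
    sample = "2.18 TH 110.77.193.19"  # row copied from the ralabel output in the thread
    print(relabel_row(sample))
```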