Argus-info Digest, Vol 105, Issue 1

CS Lee geek00l at gmail.com
Thu May 1 02:19:20 EDT 2014


hi John,

Thank you, just have to clear this out so that there's no misunderstanding
and avoid people thinking it is broken in that case.

The gt/lt/gte/lte works great then.



On Thu, May 1, 2014 at 12:36 PM, <argus-info-request at lists.andrew.cmu.edu>wrote:

> Send Argus-info mailing list submissions to
>         argus-info at lists.andrew.cmu.edu
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         https://lists.andrew.cmu.edu/mailman/listinfo/argus-info
> or, via email, send a message with subject or body 'help' to
>         argus-info-request at lists.andrew.cmu.edu
>
> You can reach the person managing the list at
>         argus-info-owner at lists.andrew.cmu.edu
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Argus-info digest..."
>
>
> Today's Topics:
>
>    1. Re:  argus-clients 3.0.7.25 - floating point in filters
>       (John Gerth)
>    2. Re:  argus ppp teredo (Carter Bullard)
>    3. Re:  argus ppp teredo (Carter Bullard)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 30 Apr 2014 20:22:18 -0700
> From: John Gerth <gerth at graphics.stanford.edu>
> Subject: Re: [ARGUS] argus-clients 3.0.7.25 - floating point in
>         filters
> To: Argus <argus-info at lists.andrew.cmu.edu>
> Message-ID: <5361BDEA.7020605 at graphics.stanford.edu>
> Content-Type: text/plain; charset=UTF-8
>
> Exact comparison of floating point values is an extremely tricky business.
> Remember that even though the pcr below might print as " -0.573333 ", the
> print values are rounded by default to 6 significant figures.  Also, IEEE
> binary floating point values have to be converted to decimal for printing
> so some bit patterns might not be exactly represented.
>
> When filtering on floating point, it's advisable to use a range, e.g
>
>    ra .... - pcr gt -0.58 and pcr lt -0.57
>
>
> John Gerth
>
> On 4/30/14 7:49 PM, CS Lee wrote:
> > hi Carter,
> >
> > I grabbed the latest argus clients and still have problem with the
> filter, for example
> >
> > ra -nr ssh-normal.arg3 -s saddr daddr pcr
> >            SrcAddr            DstAddr    PCRatio
> >      192.168.221.1    192.168.221.128  -0.320590
> >      192.168.221.1    192.168.221.128  -1.000000
> >      192.168.221.1    192.168.221.128  -0.758157
> >      192.168.221.1    192.168.221.128  -0.973510
> >      192.168.221.1    192.168.221.128  -0.771429
> >      192.168.221.1    192.168.221.128  -0.901993
> >      192.168.221.1    192.168.221.128  -0.261261
> >      192.168.221.1    192.168.221.128  -0.137255
> >      192.168.221.1    192.168.221.128  -0.411765
> >      192.168.221.1    192.168.221.128  -0.088608
> >      192.168.221.1    192.168.221.128   0.000000
> >      192.168.221.1    192.168.221.128   0.000000
> >      192.168.221.1    192.168.221.128  -0.024390
> >      192.168.221.1    192.168.221.128  -0.032258
> >      192.168.221.1    192.168.221.128  -0.573333
> >      192.168.221.1    192.168.221.128  -0.087719
> >
> > Looks good if I just use the filter to match rounded value -
> > ra -nr ssh-normal.arg3 -s saddr daddr pcr - 'pcr eq 0'
> >            SrcAddr            DstAddr    PCRatio
> >      192.168.221.1    192.168.221.128   0.000000
> >      192.168.221.1    192.168.221.128   0.000000
> >
> > ra -nr ssh-normal.arg3 -s saddr daddr pcr - 'pcr eq -1'
> >            SrcAddr            DstAddr    PCRatio
> >      192.168.221.1    192.168.221.128  -1.000000
> >
> > For floating value, it seems not working -
> >
> > ra -nr ssh-normal.arg3 -s saddr daddr pcr - 'pcr eq -0.573333'
> > No output
> >
> > ra -nr ssh-normal.arg3 -s saddr daddr pcr - 'pcr eq -0.024390'
> > No output
> >
> > --
> > Best Regards,
> >
> > CS Lee<geek00L[at]gmail.com <http://gmail.com>>
> >
> > http://geek00l.blogspot.com
> > http://defcraft.net
>
>
> ------------------------------
>
> Message: 2
> Date: Thu, 1 May 2014 00:29:23 -0400
> From: Carter Bullard <carter at qosient.com>
> Subject: Re: [ARGUS] argus ppp teredo
> To: CS Lee <geek00l at gmail.com>
> Cc: Argus <argus-info at lists.andrew.cmu.edu>
> Message-ID: <6FA8DB0B-905D-4FF9-9DD4-C74E486EC58D at qosient.com>
> Content-Type: text/plain; charset="us-ascii"
>
> Hey CS Lee,
> But these flows aren't teredo, or they would be ipv6 flows.
> Carter
>
> On Apr 30, 2014, at 10:40 PM, CS Lee <geek00l at gmail.com> wrote:
>
> > hi Carter,
> >
> > This is what I get from senc and denc, same thing -
> >
> >           SrcAddr            DstAddr         sEnc         dEnc
> >      94.197.69.162        83.170.6.76            p            p
> >        83.170.6.77      94.197.69.162            p            p
> >      94.197.69.162        83.170.6.76            p            p
> >      94.197.69.162        83.170.6.76            p            p
> >      94.197.69.162        83.170.6.76            p            p
> >      94.197.69.162        83.170.6.76            p            p
> >
> > That means the underlying teredo tunnel is not revealed by looking at
> the flow here unless examining the user data like I did in previous mail.
> >
> >
> >
> >
> > On Thu, May 1, 2014 at 10:31 AM, Carter Bullard <carter at qosient.com>
> wrote:
> > Hey CS Lee,
> > The flgs field overwrites values sometimes...you want to print the senc
> and denc fields to print all the encaps.
> >
> >    ra -s +senc +denc
> >
> > Carter
> >
> > > On Apr 30, 2014, at 10:26 PM, CS Lee <geek00l at gmail.com> wrote:
> > >
> > > 83
> >
> >
> >
> > --
> > Best Regards,
> >
> > CS Lee<geek00L[at]gmail.com>
> >
> > http://geek00l.blogspot.com
> > http://defcraft.net
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL:
> https://lists.andrew.cmu.edu/mailman/private/argus-info/attachments/20140501/f5fc0fe6/attachment-0001.html
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: smime.p7s
> Type: application/pkcs7-signature
> Size: 6837 bytes
> Desc: not available
> Url :
> https://lists.andrew.cmu.edu/mailman/private/argus-info/attachments/20140501/f5fc0fe6/attachment-0001.bin
>
> ------------------------------
>
> Message: 3
> Date: Thu, 1 May 2014 00:35:59 -0400
> From: Carter Bullard <carter at qosient.com>
> Subject: Re: [ARGUS] argus ppp teredo
> To: CS Lee <geek00l at gmail.com>
> Cc: Argus <argus-info at lists.andrew.cmu.edu>
> Message-ID: <9F046B42-5F49-44AF-8CF2-ACB0C75E5C6F at qosient.com>
> Content-Type: text/plain; charset="us-ascii"
>
> The patch I sent gets you past the ppp header parsing issues,
> but doesn't enable full teredo processing for ppp.  This should
> be in argus-3.0.7.6 which I'll have up tomorrow ...
>
> Carter
>
> On May 1, 2014, at 12:29 AM, Carter Bullard <carter at qosient.com> wrote:
>
> > Hey CS Lee,
> > But these flows aren't teredo, or they would be ipv6 flows.
> > Carter
> >
> > On Apr 30, 2014, at 10:40 PM, CS Lee <geek00l at gmail.com> wrote:
> >
> >> hi Carter,
> >>
> >> This is what I get from senc and denc, same thing -
> >>
> >>           SrcAddr            DstAddr         sEnc         dEnc
> >>      94.197.69.162        83.170.6.76            p            p
> >>        83.170.6.77      94.197.69.162            p            p
> >>      94.197.69.162        83.170.6.76            p            p
> >>      94.197.69.162        83.170.6.76            p            p
> >>      94.197.69.162        83.170.6.76            p            p
> >>      94.197.69.162        83.170.6.76            p            p
> >>
> >> That means the underlying teredo tunnel is not revealed by looking at
> the flow here unless examining the user data like I did in previous mail.
> >>
> >>
> >>
> >>
> >> On Thu, May 1, 2014 at 10:31 AM, Carter Bullard <carter at qosient.com>
> wrote:
> >> Hey CS Lee,
> >> The flgs field overwrites values sometimes...you want to print the senc
> and denc fields to print all the encaps.
> >>
> >>    ra -s +senc +denc
> >>
> >> Carter
> >>
> >> > On Apr 30, 2014, at 10:26 PM, CS Lee <geek00l at gmail.com> wrote:
> >> >
> >> > 83
> >>
> >>
> >>
> >> --
> >> Best Regards,
> >>
> >> CS Lee<geek00L[at]gmail.com>
> >>
> >> http://geek00l.blogspot.com
> >> http://defcraft.net
> >
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL:
> https://lists.andrew.cmu.edu/mailman/private/argus-info/attachments/20140501/dd055c5b/attachment.html
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: smime.p7s
> Type: application/pkcs7-signature
> Size: 6837 bytes
> Desc: not available
> Url :
> https://lists.andrew.cmu.edu/mailman/private/argus-info/attachments/20140501/dd055c5b/attachment.bin
>
> ------------------------------
>
> _______________________________________________
> Argus-info mailing list
> Argus-info at lists.andrew.cmu.edu
> https://lists.andrew.cmu.edu/mailman/listinfo/argus-info
>
>
> End of Argus-info Digest, Vol 105, Issue 1
> ******************************************
>



-- 
Best Regards,

CS Lee<geek00L[at]gmail.com>

http://geek00l.blogspot.com
http://defcraft.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20140501/c86ab9ed/attachment.html>


More information about the argus mailing list