Argus-info Digest, Vol 105, Issue 1

CS Lee geek00l at gmail.com
Thu May 1 09:00:27 EDT 2014


hi Carter, John,

Thank you, great explanation and good read for me.


On Thu, May 1, 2014 at 8:45 PM, Carter Bullard <carter at qosient.com> wrote:

> John is completely correct.  We are currently converting the string that
> you provide in the filter to a binary float, and then doing numeric
> comparisons with the floats in the record.  Hard to get equivalence.
>
> Here is an article that talks to the issues:
>
>
> http://www.cygnus-software.com/papers/comparingfloats/comparingfloats.htm
>
> I've implemented routines to do the comparisons, as we have to deal with
> -0.0,
> and will try to implement a comparison that should work better.
>
> Carter
>
>
>
> On May 1, 2014, at 2:19 AM, CS Lee <geek00l at gmail.com> wrote:
>
> hi John,
>
> Thank you, just have to clear this out so that there's no misunderstanding
> and avoid people thinking it is broken in that case.
>
> The gt/lt/gte/lte works great then.
>
>
>
> On Thu, May 1, 2014 at 12:36 PM, <argus-info-request at lists.andrew.cmu.edu> wrote:
>
>>
>> Today's Topics:
>>
>>    1. Re:  argus-clients 3.0.7.25 - floating point in filters
>>       (John Gerth)
>>    2. Re:  argus ppp teredo (Carter Bullard)
>>    3. Re:  argus ppp teredo (Carter Bullard)
>>
>>
>> ----------------------------------------------------------------------
>>
>> Message: 1
>> Date: Wed, 30 Apr 2014 20:22:18 -0700
>> From: John Gerth <gerth at graphics.stanford.edu>
>> Subject: Re: [ARGUS] argus-clients 3.0.7.25 - floating point in
>>         filters
>> To: Argus <argus-info at lists.andrew.cmu.edu>
>> Message-ID: <5361BDEA.7020605 at graphics.stanford.edu>
>> Content-Type: text/plain; charset=UTF-8
>>
>> Exact comparison of floating point values is an extremely tricky business.
>> Remember that even though the pcr below might print as " -0.573333 ", the
>> print values are rounded by default to 6 significant figures.  Also, IEEE
>> binary floating point values have to be converted to decimal for printing
>> so some bit patterns might not be exactly represented.
>>
>> When filtering on floating point, it's advisable to use a range, e.g.
>>
>>    ra .... - pcr gt -0.58 and pcr lt -0.57
>>
>>
>> John Gerth
>>
>> On 4/30/14 7:49 PM, CS Lee wrote:
>> > hi Carter,
>> >
>> > I grabbed the latest argus clients and still have problem with the
>> filter, for example
>> >
>> > ra -nr ssh-normal.arg3 -s saddr daddr pcr
>> >            SrcAddr            DstAddr    PCRatio
>> >      192.168.221.1    192.168.221.128  -0.320590
>> >      192.168.221.1    192.168.221.128  -1.000000
>> >      192.168.221.1    192.168.221.128  -0.758157
>> >      192.168.221.1    192.168.221.128  -0.973510
>> >      192.168.221.1    192.168.221.128  -0.771429
>> >      192.168.221.1    192.168.221.128  -0.901993
>> >      192.168.221.1    192.168.221.128  -0.261261
>> >      192.168.221.1    192.168.221.128  -0.137255
>> >      192.168.221.1    192.168.221.128  -0.411765
>> >      192.168.221.1    192.168.221.128  -0.088608
>> >      192.168.221.1    192.168.221.128   0.000000
>> >      192.168.221.1    192.168.221.128   0.000000
>> >      192.168.221.1    192.168.221.128  -0.024390
>> >      192.168.221.1    192.168.221.128  -0.032258
>> >      192.168.221.1    192.168.221.128  -0.573333
>> >      192.168.221.1    192.168.221.128  -0.087719
>> >
>> > Looks good if I just use the filter to match rounded value -
>> > ra -nr ssh-normal.arg3 -s saddr daddr pcr - 'pcr eq 0'
>> >            SrcAddr            DstAddr    PCRatio
>> >      192.168.221.1    192.168.221.128   0.000000
>> >      192.168.221.1    192.168.221.128   0.000000
>> >
>> > ra -nr ssh-normal.arg3 -s saddr daddr pcr - 'pcr eq -1'
>> >            SrcAddr            DstAddr    PCRatio
>> >      192.168.221.1    192.168.221.128  -1.000000
>> >
>> > For floating value, it seems not working -
>> >
>> > ra -nr ssh-normal.arg3 -s saddr daddr pcr - 'pcr eq -0.573333'
>> > No output
>> >
>> > ra -nr ssh-normal.arg3 -s saddr daddr pcr - 'pcr eq -0.024390'
>> > No output
>> >
>> > --
>> > Best Regards,
>> >
>> > CS Lee<geek00L[at]gmail.com>
>> >
>> > http://geek00l.blogspot.com
>> > http://defcraft.net
>>
>>
>> ------------------------------
>>
>> Message: 2
>> Date: Thu, 1 May 2014 00:29:23 -0400
>> From: Carter Bullard <carter at qosient.com>
>> Subject: Re: [ARGUS] argus ppp teredo
>> To: CS Lee <geek00l at gmail.com>
>> Cc: Argus <argus-info at lists.andrew.cmu.edu>
>> Message-ID: <6FA8DB0B-905D-4FF9-9DD4-C74E486EC58D at qosient.com>
>> Content-Type: text/plain; charset="us-ascii"
>>
>> Hey CS Lee,
>> But these flows aren't teredo, or they would be ipv6 flows.
>> Carter
>>
>> On Apr 30, 2014, at 10:40 PM, CS Lee <geek00l at gmail.com> wrote:
>>
>> > hi Carter,
>> >
>> > This is what I get from senc and denc, same thing -
>> >
>> >           SrcAddr            DstAddr         sEnc         dEnc
>> >      94.197.69.162        83.170.6.76            p            p
>> >        83.170.6.77      94.197.69.162            p            p
>> >      94.197.69.162        83.170.6.76            p            p
>> >      94.197.69.162        83.170.6.76            p            p
>> >      94.197.69.162        83.170.6.76            p            p
>> >      94.197.69.162        83.170.6.76            p            p
>> >
>> > That means the underlying teredo tunnel is not revealed by looking at
>> the flow here unless examining the user data like I did in previous mail.
>> >
>> >
>> >
>> >
>> > On Thu, May 1, 2014 at 10:31 AM, Carter Bullard <carter at qosient.com>
>> wrote:
>> > Hey CS Lee,
>> > The flgs field overwrites values sometimes...you want to print the senc
>> and denc fields to print all the encaps.
>> >
>> >    ra -s +senc +denc
>> >
>> > Carter
>> >
>> > > On Apr 30, 2014, at 10:26 PM, CS Lee <geek00l at gmail.com> wrote:
>> > >
>> > > 83
>> >
>> >
>> >
>> > --
>> > Best Regards,
>> >
>> > CS Lee<geek00L[at]gmail.com>
>> >
>> > http://geek00l.blogspot.com
>> > http://defcraft.net
>>
>>
>> ------------------------------
>>
>> Message: 3
>> Date: Thu, 1 May 2014 00:35:59 -0400
>> From: Carter Bullard <carter at qosient.com>
>> Subject: Re: [ARGUS] argus ppp teredo
>> To: CS Lee <geek00l at gmail.com>
>> Cc: Argus <argus-info at lists.andrew.cmu.edu>
>> Message-ID: <9F046B42-5F49-44AF-8CF2-ACB0C75E5C6F at qosient.com>
>> Content-Type: text/plain; charset="us-ascii"
>>
>> The patch I sent gets you past the ppp header parsing issues,
>> but doesn't enable full teredo processing for ppp.  This should
>> be in argus-3.0.7.6 which I'll have up tomorrow ...
>>
>> Carter
>>
>>
>> ------------------------------
>>
>>
>
>
>
> --
> Best Regards,
>
> CS Lee<geek00L[at]gmail.com>
>
> http://geek00l.blogspot.com
> http://defcraft.net
>
>


-- 
Best Regards,

CS Lee<geek00L[at]gmail.com>

http://geek00l.blogspot.com
http://defcraft.net