Argus-info Digest, Vol 105, Issue 1

Carter Bullard carter at qosient.com
Thu May 1 16:35:00 EDT 2014


Hey CS Lee,
Since you started this, I'll bother you with the developers notes ;O)

So for our floating point equivalence test, I'm going to test the sign and integer parts normally, and for the fractional part, I'm going to round (normalize) the value to our precision specification (which is set to 6 digits by default) + 1, and adjust the floating adjustment error to cover the precision.  Don't want to get into a rounding problem here.

So we'll basically round to the precision but deal with the round down error problem, when we have to ...
Carter

> On May 1, 2014, at 9:00 AM, CS Lee <geek00l at gmail.com> wrote:
> 
> hi Carter, John,
> 
> Thank you, great explanation and good read for me.
> 
> 
>> On Thu, May 1, 2014 at 8:45 PM, Carter Bullard <carter at qosient.com> wrote:
>> John is completely correct.  We are currently converting the string that you provide in the filter to a binary float, and then doing numeric comparisons with the floats in the record.  Hard to get equivalence.
>> 
>> Here is an article that talks to the issues:
>> 
>>    http://www.cygnus-software.com/papers/comparingfloats/comparingfloats.htm
>> 
>> I've implemented routines to do the comparisons, as we have to deal with -0.0,
>> and will try to implement a comparison that should work better.
>> 
>> Carter
>> 
>> 
>> 
>>> On May 1, 2014, at 2:19 AM, CS Lee <geek00l at gmail.com> wrote:
>>> 
>>> hi John,
>>> 
>>> Thank you, just have to clear this out so that there's no misunderstanding and avoid people thinking it is broken in that case.
>>> 
>>> The gt/lt/gte/lte works great then.
>>> 
>>> 
>>> 
>>>> On Thu, May 1, 2014 at 12:36 PM, <argus-info-request at lists.andrew.cmu.edu> wrote:
>>>> 
>>>> Today's Topics:
>>>> 
>>>>    1. Re:  argus-clients 3.0.7.25 - floating point in filters
>>>>       (John Gerth)
>>>>    2. Re:  argus ppp teredo (Carter Bullard)
>>>>    3. Re:  argus ppp teredo (Carter Bullard)
>>>> 
>>>> 
>>>> ----------------------------------------------------------------------
>>>> 
>>>> Message: 1
>>>> Date: Wed, 30 Apr 2014 20:22:18 -0700
>>>> From: John Gerth <gerth at graphics.stanford.edu>
>>>> Subject: Re: [ARGUS] argus-clients 3.0.7.25 - floating point in
>>>>         filters
>>>> To: Argus <argus-info at lists.andrew.cmu.edu>
>>>> Message-ID: <5361BDEA.7020605 at graphics.stanford.edu>
>>>> Content-Type: text/plain; charset=UTF-8
>>>> 
>>>> Exact comparison of floating point values is an extremely tricky business.
>>>> Remember that even though the pcr below might print as " -0.573333 ", the
>>>> print values are rounded by default to 6 significant figures.  Also, IEEE
>>>> binary floating point values have to be converted to decimal for printing
>>>> so some bit patterns might not be exactly represented.
>>>> 
>>>> When filtering on floating point, it's advisable to use a range, e.g
>>>> 
>>>>    ra .... - pcr gt -0.58 and pcr lt -0.57
>>>> 
>>>> 
>>>> John Gerth
>>>> 
>>>> On 4/30/14 7:49 PM, CS Lee wrote:
>>>> > hi Carter,
>>>> >
>>>> > I grabbed the latest argus clients and still have problem with the filter, for example
>>>> >
>>>> > ra -nr ssh-normal.arg3 -s saddr daddr pcr
>>>> >            SrcAddr            DstAddr    PCRatio
>>>> >      192.168.221.1    192.168.221.128  -0.320590
>>>> >      192.168.221.1    192.168.221.128  -1.000000
>>>> >      192.168.221.1    192.168.221.128  -0.758157
>>>> >      192.168.221.1    192.168.221.128  -0.973510
>>>> >      192.168.221.1    192.168.221.128  -0.771429
>>>> >      192.168.221.1    192.168.221.128  -0.901993
>>>> >      192.168.221.1    192.168.221.128  -0.261261
>>>> >      192.168.221.1    192.168.221.128  -0.137255
>>>> >      192.168.221.1    192.168.221.128  -0.411765
>>>> >      192.168.221.1    192.168.221.128  -0.088608
>>>> >      192.168.221.1    192.168.221.128   0.000000
>>>> >      192.168.221.1    192.168.221.128   0.000000
>>>> >      192.168.221.1    192.168.221.128  -0.024390
>>>> >      192.168.221.1    192.168.221.128  -0.032258
>>>> >      192.168.221.1    192.168.221.128  -0.573333
>>>> >      192.168.221.1    192.168.221.128  -0.087719
>>>> >
>>>> > Looks good if I just use the filter to match rounded value -
>>>> > ra -nr ssh-normal.arg3 -s saddr daddr pcr - 'pcr eq 0'
>>>> >            SrcAddr            DstAddr    PCRatio
>>>> >      192.168.221.1    192.168.221.128   0.000000
>>>> >      192.168.221.1    192.168.221.128   0.000000
>>>> >
>>>> > ra -nr ssh-normal.arg3 -s saddr daddr pcr - 'pcr eq -1'
>>>> >            SrcAddr            DstAddr    PCRatio
>>>> >      192.168.221.1    192.168.221.128  -1.000000
>>>> >
>>>> > For floating value, it seems not working -
>>>> >
>>>> > ra -nr ssh-normal.arg3 -s saddr daddr pcr - 'pcr eq -0.573333'
>>>> > No output
>>>> >
>>>> > ra -nr ssh-normal.arg3 -s saddr daddr pcr - 'pcr eq -0.024390'
>>>> > No output
>>>> >
>>>> > --
>>>> > Best Regards,
>>>> >
>>>> > CS Lee<geek00L[at]gmail.com <http://gmail.com>>
>>>> >
>>>> > http://geek00l.blogspot.com
>>>> > http://defcraft.net
>>>> 
>>>> 
>>>> ------------------------------
>>>> 
>>>> Message: 2
>>>> Date: Thu, 1 May 2014 00:29:23 -0400
>>>> From: Carter Bullard <carter at qosient.com>
>>>> Subject: Re: [ARGUS] argus ppp teredo
>>>> To: CS Lee <geek00l at gmail.com>
>>>> Cc: Argus <argus-info at lists.andrew.cmu.edu>
>>>> Message-ID: <6FA8DB0B-905D-4FF9-9DD4-C74E486EC58D at qosient.com>
>>>> Content-Type: text/plain; charset="us-ascii"
>>>> 
>>>> Hey CS Lee,
>>>> But these flows aren't teredo, or they would be ipv6 flows.
>>>> Carter
>>>> 
>>>> On Apr 30, 2014, at 10:40 PM, CS Lee <geek00l at gmail.com> wrote:
>>>> 
>>>> > hi Carter,
>>>> >
>>>> > This is what I get from senc and denc, same thing -
>>>> >
>>>> >           SrcAddr            DstAddr         sEnc         dEnc
>>>> >      94.197.69.162        83.170.6.76            p            p
>>>> >        83.170.6.77      94.197.69.162            p            p
>>>> >      94.197.69.162        83.170.6.76            p            p
>>>> >      94.197.69.162        83.170.6.76            p            p
>>>> >      94.197.69.162        83.170.6.76            p            p
>>>> >      94.197.69.162        83.170.6.76            p            p
>>>> >
>>>> > That means the underlying teredo tunnel is not revealed by looking at the flow here unless examining the user data like I did in previous mail.
>>>> >
>>>> >
>>>> >
>>>> >
>>>> > On Thu, May 1, 2014 at 10:31 AM, Carter Bullard <carter at qosient.com> wrote:
>>>> > Hey CS Lee,
>>>> > The flgs field overwrites values sometimes...you want to print the senc and denc fields to print all the encaps.
>>>> >
>>>> >    ra -s +senc +denc
>>>> >
>>>> > Carter
>>>> >
>>>> > > On Apr 30, 2014, at 10:26 PM, CS Lee <geek00l at gmail.com> wrote:
>>>> > >
>>>> > > 83
>>>> >
>>>> >
>>>> >
>>>> > --
>>>> > Best Regards,
>>>> >
>>>> > CS Lee<geek00L[at]gmail.com>
>>>> >
>>>> > http://geek00l.blogspot.com
>>>> > http://defcraft.net
>>>> 
>>>> 
>>>> ------------------------------
>>>> 
>>>> Message: 3
>>>> Date: Thu, 1 May 2014 00:35:59 -0400
>>>> From: Carter Bullard <carter at qosient.com>
>>>> Subject: Re: [ARGUS] argus ppp teredo
>>>> To: CS Lee <geek00l at gmail.com>
>>>> Cc: Argus <argus-info at lists.andrew.cmu.edu>
>>>> Message-ID: <9F046B42-5F49-44AF-8CF2-ACB0C75E5C6F at qosient.com>
>>>> Content-Type: text/plain; charset="us-ascii"
>>>> 
>>>> The patch I sent gets you past the ppp header parsing issues,
>>>> but doesn't enable full teredo processing for ppp.  This should
>>>> be in argus-3.0.7.6 which I'll have up tomorrow ...
>>>> 
>>>> Carter
>>>> 
>>>> 
>>>> 
>>>> ------------------------------
>>>> 
>>> 
>>> 
>>> 
>>> -- 
>>> Best Regards,
>>> 
>>> CS Lee<geek00L[at]gmail.com>
>>> 
>>> http://geek00l.blogspot.com
>>> http://defcraft.net
> 
> 
> 
> -- 
> Best Regards,
> 
> CS Lee<geek00L[at]gmail.com>
> 
> http://geek00l.blogspot.com
> http://defcraft.net
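Added example, not part of the original messages and not Argus source: a C sketch of why `pcr eq -0.573333` returns nothing when the filter text is parsed to a binary float and compared directly, next to a comparison that checks the integer part and a fraction rounded to the 6-digit precision. The helper names and the sample record value are assumptions, and it rounds to the precision itself rather than to precision + 1 as described in the message above.

```c
#include <stdio.h>
#include <stdlib.h>

#define PCR_DIGITS 6   /* default print precision cited in the thread */

/* Hypothetical helper (not an Argus routine): split v into an integer part and
 * a fraction rounded to `digits` places, carrying e.g. 0.9999996 to 1.000000. */
static void split_rounded(double v, int digits, long long *ip, long long *fp)
{
    long long scale = 1;
    for (int i = 0; i < digits; i++)
        scale *= 10;

    *ip = (long long)v;                               /* truncates toward zero */
    double scaled = (v - (double)*ip) * (double)scale;
    *fp = (long long)(scaled + (scaled < 0 ? -0.5 : 0.5)); /* round half away */
    if (*fp == scale || *fp == -scale) {              /* fraction became a whole unit */
        *ip += (*fp > 0) ? 1 : -1;
        *fp = 0;
    }
}

/* Equal when both values agree in integer part and rounded fraction.
 * -0.0 and 0.0 compare equal because both split to (0, 0). */
int pcr_eq(double record, double filter, int digits)
{
    long long ri, rf, fi, ff;
    split_rounded(record, digits, &ri, &rf);
    split_rounded(filter, digits, &fi, &ff);
    return ri == fi && rf == ff;
}

/* The failing test from the thread: parse the filter text to a binary float
 * and compare it directly with the float held in the record. */
int pcr_eq_exact(float record, const char *filter_text)
{
    return record == strtof(filter_text, NULL);
}

int main(void)
{
    float rec = -43.0f / 75.0f;   /* constructed value; prints as -0.573333 */
    printf("printed:  %.6f\n", rec);
    printf("exact eq: %d\n", pcr_eq_exact(rec, "-0.573333"));
    printf("prec eq:  %d\n", pcr_eq(rec, strtod("-0.573333", NULL), PCR_DIGITS));
    return 0;
}
```

For detection filters that key on a ratio such as pcr, the range form suggested in the thread (`pcr gt -0.58 and pcr lt -0.57`) remains the portable option on clients that still do exact comparison.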