Argus-info Digest, Vol 105, Issue 1

CS Lee geek00l at gmail.com
Sat May 3 09:38:34 EDT 2014


hi Carter,

I have downloaded the latest argus client and performed the test, it works
brilliantly, the way you implemented the -p option is definitely neat for
matching precision.

I'm not sure about other shells, but if you are running the argus client on
Ubuntu, all you need is to use single quotes for the filter, for example

ra -nr file.arg3 -s saddr daddr pcr - 'pcr eq -0.312345'

Thank you!


On Sat, May 3, 2014 at 10:50 AM, Carter Bullard <carter at qosient.com> wrote:

> Gentle people,
> So I uploaded argus-clients-3.0.7.26, which handles floating point
> equivalence tests that are sensitive to the argus precision.
>
> In other words, we can now handle floating point equals operations,
> and the resolution of the test tracks the precision of how we print
> the values.
>
> So if the PCR is -0.243461, this now works when the precision is 6 (the
> default)
>
>     ra - pcr -0.243461
>
> Change the precision to 3 ( -p 3), the printed value becomes -0.243, and
> now this works,
>
>    ra - pcr -0.243
>
> but the earlier filter doesn't...
>
> Give this a try, should solve CS Lee's request.
> 26 also provides some man page changes, and minor issues.
> Grab if you have an interest, and some time !!!
>
> Carter
>
> On May 1, 2014, at 4:35 PM, Carter Bullard <carter at qosient.com> wrote:
>
> Hey CS Lee,
> Since you started this, I'll bother you with the developers notes ;O)
>
> So for our floating point equivalence test, I'm going to test the sign and
> integer parts normally, and for the fractional part, I'm going to round
> (normalize) the value to our precision specification (which is set to 6
> digits by default) + 1, and adjust the floating adjustment error to cover
> the precision.  don't want to get into a rounding problem here.
>
> So we'll basically round to the precision but deal with the round down
> error problem, when we have to ...
> Carter
>
> On May 1, 2014, at 9:00 AM, CS Lee <geek00l at gmail.com> wrote:
>
> hi Carter, John,
>
> Thank you, great explanation and good read for me.
>
>
> On Thu, May 1, 2014 at 8:45 PM, Carter Bullard <carter at qosient.com> wrote:
>
>> John is completely correct.  We are currently converting the string that
>> you provide in the filter to a binary float, and then doing numeric
>> comparisons with the floats in the record.  Hard to get equivalence.
>>
>> Here is an article that talks to the issues:
>>
>>
>> http://www.cygnus-software.com/papers/comparingfloats/comparingfloats.htm
>>
>> I've implemented routines to do the comparisons, as we have to deal with
>> -0.0,
>> and will try to implement a comparison that should work better.
>>
>> Carter
>>
>>
>>
>> On May 1, 2014, at 2:19 AM, CS Lee <geek00l at gmail.com> wrote:
>>
>> hi John,
>>
>> Thank you, just have to clear this out so that there's no
>> misunderstanding and avoid people thinking it is broken in that case.
>>
>> The gt/lt/gte/lte works great then.
>>
>>
>>
>> On Thu, May 1, 2014 at 12:36 PM, <argus-info-request at lists.andrew.cmu.edu> wrote:
>>
>>> Today's Topics:
>>>
>>>    1. Re:  argus-clients 3.0.7.25 - floating point in filters
>>>       (John Gerth)
>>>    2. Re:  argus ppp teredo (Carter Bullard)
>>>    3. Re:  argus ppp teredo (Carter Bullard)
>>>
>>>
>>> ----------------------------------------------------------------------
>>>
>>> Message: 1
>>> Date: Wed, 30 Apr 2014 20:22:18 -0700
>>> From: John Gerth <gerth at graphics.stanford.edu>
>>> Subject: Re: [ARGUS] argus-clients 3.0.7.25 - floating point in
>>>         filters
>>> To: Argus <argus-info at lists.andrew.cmu.edu>
>>> Message-ID: <5361BDEA.7020605 at graphics.stanford.edu>
>>> Content-Type: text/plain; charset=UTF-8
>>>
>>> Exact comparison of floating point values is an extremely tricky
>>> business.
>>> Remember that even though the pcr below might print as " -0.573333 ", the
>>> print values are rounded by default to 6 significant figures.  Also, IEEE
>>> binary floating point values have to be converted to decimal for printing
>>> so some bit patterns might not be exactly represented.
>>>
>>> When filtering on floating point, it's advisable to use a range, e.g
>>>
>>>    ra .... - pcr gt -0.58 and pcr lt -0.57
>>>
>>>
>>> John Gerth
>>>
>>> On 4/30/14 7:49 PM, CS Lee wrote:
>>> > hi Carter,
>>> >
>>> > I grabbed the latest argus clients and still have problem with the filter, for example
>>> >
>>> > ra -nr ssh-normal.arg3 -s saddr daddr pcr
>>> >            SrcAddr            DstAddr    PCRatio
>>> >      192.168.221.1    192.168.221.128  -0.320590
>>> >      192.168.221.1    192.168.221.128  -1.000000
>>> >      192.168.221.1    192.168.221.128  -0.758157
>>> >      192.168.221.1    192.168.221.128  -0.973510
>>> >      192.168.221.1    192.168.221.128  -0.771429
>>> >      192.168.221.1    192.168.221.128  -0.901993
>>> >      192.168.221.1    192.168.221.128  -0.261261
>>> >      192.168.221.1    192.168.221.128  -0.137255
>>> >      192.168.221.1    192.168.221.128  -0.411765
>>> >      192.168.221.1    192.168.221.128  -0.088608
>>> >      192.168.221.1    192.168.221.128   0.000000
>>> >      192.168.221.1    192.168.221.128   0.000000
>>> >      192.168.221.1    192.168.221.128  -0.024390
>>> >      192.168.221.1    192.168.221.128  -0.032258
>>> >      192.168.221.1    192.168.221.128  -0.573333
>>> >      192.168.221.1    192.168.221.128  -0.087719
>>> >
>>> > Looks good if I just use the filter to match rounded value -
>>> > ra -nr ssh-normal.arg3 -s saddr daddr pcr - 'pcr eq 0'
>>> >            SrcAddr            DstAddr    PCRatio
>>> >      192.168.221.1    192.168.221.128   0.000000
>>> >      192.168.221.1    192.168.221.128   0.000000
>>> >
>>> > ra -nr ssh-normal.arg3 -s saddr daddr pcr - 'pcr eq -1'
>>> >            SrcAddr            DstAddr    PCRatio
>>> >      192.168.221.1    192.168.221.128  -1.000000
>>> >
>>> > For floating value, it seems not working -
>>> >
>>> > ra -nr ssh-normal.arg3 -s saddr daddr pcr - 'pcr eq -0.573333'
>>> > No output
>>> >
>>> > ra -nr ssh-normal.arg3 -s saddr daddr pcr - 'pcr eq -0.024390'
>>> > No output
>>> >
>>> > --
>>> > Best Regards,
>>> >
>>> > CS Lee<geek00L[at]gmail.com <http://gmail.com>>
>>> >
>>> > http://geek00l.blogspot.com
>>> > http://defcraft.net
>>>
>>>
>>> ------------------------------
>>>
>>> Message: 2
>>> Date: Thu, 1 May 2014 00:29:23 -0400
>>> From: Carter Bullard <carter at qosient.com>
>>> Subject: Re: [ARGUS] argus ppp teredo
>>> To: CS Lee <geek00l at gmail.com>
>>> Cc: Argus <argus-info at lists.andrew.cmu.edu>
>>> Message-ID: <6FA8DB0B-905D-4FF9-9DD4-C74E486EC58D at qosient.com>
>>> Content-Type: text/plain; charset="us-ascii"
>>>
>>> Hey CS Lee,
>>> But these flows aren't teredo, or they would be ipv6 flows.
>>> Carter
>>>
>>> On Apr 30, 2014, at 10:40 PM, CS Lee <geek00l at gmail.com> wrote:
>>>
>>> > hi Carter,
>>> >
>>> > This is what I get from senc and denc, same thing -
>>> >
>>> >           SrcAddr            DstAddr         sEnc         dEnc
>>> >      94.197.69.162        83.170.6.76            p            p
>>> >        83.170.6.77      94.197.69.162            p            p
>>> >      94.197.69.162        83.170.6.76            p            p
>>> >      94.197.69.162        83.170.6.76            p            p
>>> >      94.197.69.162        83.170.6.76            p            p
>>> >      94.197.69.162        83.170.6.76            p            p
>>> >
>>> > That means the underlying teredo tunnel is not revealed by looking at the flow here unless examining the user data like I did in previous mail.
>>> >
>>> >
>>> >
>>> >
>>> > On Thu, May 1, 2014 at 10:31 AM, Carter Bullard <carter at qosient.com> wrote:
>>> > Hey CS Lee,
>>> > The flgs field overwrites values sometimes...you want to print the senc and denc fields to print all the encaps.
>>> >
>>> >    ra -s +senc +denc
>>> >
>>> > Carter
>>> >
>>> > > On Apr 30, 2014, at 10:26 PM, CS Lee <geek00l at gmail.com> wrote:
>>> > >
>>> > > 83
>>> >
>>> >
>>> >
>>> > --
>>> > Best Regards,
>>> >
>>> > CS Lee<geek00L[at]gmail.com>
>>> >
>>> > http://geek00l.blogspot.com
>>> > http://defcraft.net
>>>
>>> ------------------------------
>>>
>>> Message: 3
>>> Date: Thu, 1 May 2014 00:35:59 -0400
>>> From: Carter Bullard <carter at qosient.com>
>>> Subject: Re: [ARGUS] argus ppp teredo
>>> To: CS Lee <geek00l at gmail.com>
>>> Cc: Argus <argus-info at lists.andrew.cmu.edu>
>>> Message-ID: <9F046B42-5F49-44AF-8CF2-ACB0C75E5C6F at qosient.com>
>>> Content-Type: text/plain; charset="us-ascii"
>>>
>>> The patch I sent gets you past the ppp header parsing issues,
>>> but doesn't enable full teredo processing for ppp.  This should
>>> be in argus-3.0.7.6 which I'll have up tomorrow ...
>>>
>>> Carter


-- 
Best Regards,

CS Lee<geek00L[at]gmail.com>

http://geek00l.blogspot.com
http://defcraft.net
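
Added example, not part of the thread and not the argus-clients source: one way to make an equality filter track the print precision, as the quoted messages describe, next to the exact comparison that returned no output. The function names, the half-unit tolerance and the sample values are assumptions constructed for illustration.

```c
#include <stdio.h>

/* Exact test: the filter literal is parsed to binary and compared
 * numerically with the value held in the record. */
static int pcr_eq_exact(double record, double literal) {
    return record == literal;
}

/* Precision-aware test (illustrative): round the record value to
 * `precision` decimal places, as it would be printed, then accept the
 * literal if it is within half a unit of the next digit. */
static int pcr_eq_prec(double record, double literal, int precision) {
    double scale = 1.0, shown, diff;
    int i;
    for (i = 0; i < precision; i++)
        scale *= 10.0;
    /* round half away from zero; -0.0 takes the first branch and becomes 0 */
    if (record >= 0)
        shown = (double)(long long)(record * scale + 0.5) / scale;
    else
        shown = (double)(long long)(record * scale - 0.5) / scale;
    diff = shown - literal;
    if (diff < 0)
        diff = -diff;
    return diff < 0.5 / (scale * 10.0);
}

int main(void) {
    double a = -43.0 / 75.0;  /* constructed value, prints as -0.573333 */
    double b = -0.2434612;    /* constructed value, prints as -0.243461 */

    printf("%.6f exact eq -0.573333 : %d\n", a, pcr_eq_exact(a, -0.573333));
    printf("%.6f p=6   eq -0.573333 : %d\n", a, pcr_eq_prec(a, -0.573333, 6));
    printf("%.6f p=6   eq -0.243461 : %d\n", b, pcr_eq_prec(b, -0.243461, 6));
    printf("%.3f p=3   eq -0.243    : %d\n", b, pcr_eq_prec(b, -0.243, 3));
    printf("%.3f p=3   eq -0.243461 : %d\n", b, pcr_eq_prec(b, -0.243461, 3));
    printf("-0.0 p=6   eq 0         : %d\n", pcr_eq_prec(-0.0, 0.0, 6));
    return 0;
}
```
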