Argus-info Digest, Vol 105, Issue 1

CS Lee geek00l at gmail.com
Sat May 3 09:49:35 EDT 2014


hi Carter,

The -- works as well, the single quote is not needed if using --


On Sat, May 3, 2014 at 9:42 PM, Carter Bullard <carter at qosient.com> wrote:

> Does the filter work if you use -- to separate the filter from the options
> ???
> Carter
>
>
> On May 3, 2014, at 9:38 AM, CS Lee <geek00l at gmail.com> wrote:
>
> hi Carter,
>
> I have downloaded the latest argus client and performed the test, it works
> brilliantly, the way you implemented the -p option is definitely neat for
> matching precision.
>
> I'm not sure about other shells; if you are running the argus client on Ubuntu,
> all you need is to use single quotes for the filter, for example
>
> ra -nr file.arg3 -s saddr daddr pcr - 'pcr eq -0.312345'
>
> Thank you!
>
>
> On Sat, May 3, 2014 at 10:50 AM, Carter Bullard <carter at qosient.com> wrote:
>
>> Gentle people,
>> So I uploaded argus-clients-3.0.7.26, which handles floating point
>> equivalence tests that are sensitive to the argus precision.
>>
>> In other words, we can now handle floating point equals operations,
>> and the resolution of the test tracks the precision of how we print
>> the values.
>>
>> So if the PCR is -0.243461, this now works when the precision is 6 (the
>> default)
>>
>>     ra - pcr -0.243461
>>
>> Change the precision to 3 ( -p 3), the printed value becomes -0.243, and
>> now this works,
>>
>>    ra - pcr -0.243
>>
>> but the earlier filter doesn't...
>>
>> Give this a try, should solve CS Lee's request.
>> 26 also provides some man page changes, and minor issues.
>> Grab if you have an interest, and some time !!!
>>
>> Carter
>>
>> On May 1, 2014, at 4:35 PM, Carter Bullard <carter at qosient.com> wrote:
>>
>> Hey CS Lee,
>> Since you started this, I'll bother you with the developers notes ;O)
>>
>> So for our floating point equivalence test, I'm going to test the sign
>> and integer parts normally, and for the fractional part, I'm going to round
>> (normalize) the value to our precision specification (which is set to 6
>> digits by default) + 1, and adjust the floating adjustment error to cover
>> the precision.  don't want to get into a rounding problem here.
>>
>> So we'll basically round to the precision but deal with the round down
>> error problem, when we have to ...
>> Carter
>>
>> On May 1, 2014, at 9:00 AM, CS Lee <geek00l at gmail.com> wrote:
>>
>> hi Carter, John,
>>
>> Thank you, great explanation and good read for me.
>>
>>
>> On Thu, May 1, 2014 at 8:45 PM, Carter Bullard <carter at qosient.com> wrote:
>>
>>> John is completely correct.  We are currently converting the string that
>>> you provide in the filter to a binary float, and then doing numeric
>>> comparisons with the floats in the record.  Hard to get equivalence.
>>>
>>> Here is an article that talks to the issues:
>>>
>>>
>>> http://www.cygnus-software.com/papers/comparingfloats/comparingfloats.htm
>>>
>>> I've implemented routines to do the comparisons, as we have to deal with
>>> -0.0, and will try to implement a comparison that should work better.
>>>
>>> Carter
>>>
>>>
>>>
>>> On May 1, 2014, at 2:19 AM, CS Lee <geek00l at gmail.com> wrote:
>>>
>>> hi John,
>>>
>>> Thank you, just have to clear this out so that there's no
>>> misunderstanding and avoid people thinking it is broken in that case.
>>>
>>>  The gt/lt/gte/lte works great then.
>>>
>>>
>>>
>>> On Thu, May 1, 2014 at 12:36 PM, <
>>> argus-info-request at lists.andrew.cmu.edu> wrote:
>>>
>>>>
>>>> Today's Topics:
>>>>
>>>>    1. Re:  argus-clients 3.0.7.25 - floating point in filters
>>>>       (John Gerth)
>>>>    2. Re:  argus ppp teredo (Carter Bullard)
>>>>    3. Re:  argus ppp teredo (Carter Bullard)
>>>>
>>>>
>>>> ----------------------------------------------------------------------
>>>>
>>>> Message: 1
>>>> Date: Wed, 30 Apr 2014 20:22:18 -0700
>>>> From: John Gerth <gerth at graphics.stanford.edu>
>>>> Subject: Re: [ARGUS] argus-clients 3.0.7.25 - floating point in
>>>>         filters
>>>> To: Argus <argus-info at lists.andrew.cmu.edu>
>>>> Message-ID: <5361BDEA.7020605 at graphics.stanford.edu>
>>>> Content-Type: text/plain; charset=UTF-8
>>>>
>>>> Exact comparison of floating point values is an extremely tricky business.
>>>> Remember that even though the pcr below might print as " -0.573333 ", the
>>>> print values are rounded by default to 6 significant figures.  Also, IEEE
>>>> binary floating point values have to be converted to decimal for printing
>>>> so some bit patterns might not be exactly represented.
>>>>
>>>> When filtering on floating point, it's advisable to use a range, e.g
>>>>
>>>>    ra .... - pcr gt -0.58 and pcr lt -0.57
>>>>
>>>>
>>>> John Gerth
>>>>
>>>> On 4/30/14 7:49 PM, CS Lee wrote:
>>>> > hi Carter,
>>>> >
>>>> > I grabbed the latest argus clients and still have a problem with the filter, for example
>>>> >
>>>> > ra -nr ssh-normal.arg3 -s saddr daddr pcr
>>>> >            SrcAddr            DstAddr    PCRatio
>>>> >      192.168.221.1    192.168.221.128  -0.320590
>>>> >      192.168.221.1    192.168.221.128  -1.000000
>>>> >      192.168.221.1    192.168.221.128  -0.758157
>>>> >      192.168.221.1    192.168.221.128  -0.973510
>>>> >      192.168.221.1    192.168.221.128  -0.771429
>>>> >      192.168.221.1    192.168.221.128  -0.901993
>>>> >      192.168.221.1    192.168.221.128  -0.261261
>>>> >      192.168.221.1    192.168.221.128  -0.137255
>>>> >      192.168.221.1    192.168.221.128  -0.411765
>>>> >      192.168.221.1    192.168.221.128  -0.088608
>>>> >      192.168.221.1    192.168.221.128   0.000000
>>>> >      192.168.221.1    192.168.221.128   0.000000
>>>> >      192.168.221.1    192.168.221.128  -0.024390
>>>> >      192.168.221.1    192.168.221.128  -0.032258
>>>> >      192.168.221.1    192.168.221.128  -0.573333
>>>> >      192.168.221.1    192.168.221.128  -0.087719
>>>> >
>>>> > Looks good if I just use the filter to match rounded value -
>>>> > ra -nr ssh-normal.arg3 -s saddr daddr pcr - 'pcr eq 0'
>>>> >            SrcAddr            DstAddr    PCRatio
>>>> >      192.168.221.1    192.168.221.128   0.000000
>>>> >      192.168.221.1    192.168.221.128   0.000000
>>>> >
>>>> > ra -nr ssh-normal.arg3 -s saddr daddr pcr - 'pcr eq -1'
>>>> >            SrcAddr            DstAddr    PCRatio
>>>> >      192.168.221.1    192.168.221.128  -1.000000
>>>> >
>>>> > For floating point values, it seems not to work -
>>>> >
>>>> > ra -nr ssh-normal.arg3 -s saddr daddr pcr - 'pcr eq -0.573333'
>>>> > No output
>>>> >
>>>> > ra -nr ssh-normal.arg3 -s saddr daddr pcr - 'pcr eq -0.024390'
>>>> > No output
>>>> >
>>>> > --
>>>> > Best Regards,
>>>> >
>>>> > CS Lee<geek00L[at]gmail.com>
>>>> >
>>>> > http://geek00l.blogspot.com
>>>> > http://defcraft.net
>>>>
>>>>
>>>> ------------------------------
>>>>
>>>> Message: 2
>>>> Date: Thu, 1 May 2014 00:29:23 -0400
>>>> From: Carter Bullard <carter at qosient.com>
>>>> Subject: Re: [ARGUS] argus ppp teredo
>>>> To: CS Lee <geek00l at gmail.com>
>>>> Cc: Argus <argus-info at lists.andrew.cmu.edu>
>>>> Message-ID: <6FA8DB0B-905D-4FF9-9DD4-C74E486EC58D at qosient.com>
>>>> Content-Type: text/plain; charset="us-ascii"
>>>>
>>>> Hey CS Lee,
>>>> But these flows aren't teredo, or they would be ipv6 flows.
>>>> Carter
>>>>
>>>> On Apr 30, 2014, at 10:40 PM, CS Lee <geek00l at gmail.com> wrote:
>>>>
>>>> > hi Carter,
>>>> >
>>>> > This is what I get from senc and denc, same thing -
>>>> >
>>>> >           SrcAddr            DstAddr         sEnc         dEnc
>>>> >      94.197.69.162        83.170.6.76            p            p
>>>> >        83.170.6.77      94.197.69.162            p            p
>>>> >      94.197.69.162        83.170.6.76            p            p
>>>> >      94.197.69.162        83.170.6.76            p            p
>>>> >      94.197.69.162        83.170.6.76            p            p
>>>> >      94.197.69.162        83.170.6.76            p            p
>>>> >
>>>> > That means the underlying teredo tunnel is not revealed by looking at the flow here unless examining the user data like I did in previous mail.
>>>> >
>>>> >
>>>> >
>>>> >
>>>> > On Thu, May 1, 2014 at 10:31 AM, Carter Bullard <carter at qosient.com> wrote:
>>>> > Hey CS Lee,
>>>> > The flgs field overwrites values sometimes...you want to print the senc and denc fields to print all the encaps.
>>>> >
>>>> >    ra -s +senc +denc
>>>> >
>>>> > Carter
>>>> >
>>>> > > On Apr 30, 2014, at 10:26 PM, CS Lee <geek00l at gmail.com> wrote:
>>>> > >
>>>> > > 83
>>>> >
>>>> >
>>>> >
>>>> > --
>>>> > Best Regards,
>>>> >
>>>> > CS Lee<geek00L[at]gmail.com>
>>>> >
>>>> > http://geek00l.blogspot.com
>>>> > http://defcraft.net
>>>>
>>>>
>>>> ------------------------------
>>>>
>>>> Message: 3
>>>> Date: Thu, 1 May 2014 00:35:59 -0400
>>>> From: Carter Bullard <carter at qosient.com>
>>>> Subject: Re: [ARGUS] argus ppp teredo
>>>> To: CS Lee <geek00l at gmail.com>
>>>> Cc: Argus <argus-info at lists.andrew.cmu.edu>
>>>> Message-ID: <9F046B42-5F49-44AF-8CF2-ACB0C75E5C6F at qosient.com>
>>>> Content-Type: text/plain; charset="us-ascii"
>>>>
>>>> The patch I sent gets you past the ppp header parsing issues,
>>>> but doesn't enable full teredo processing for ppp.  This should
>>>> be in argus-3.0.7.6 which I'll have up tomorrow ...
>>>>
>>>> Carter
>>>>
>>>>
>>>>
>>>> ------------------------------
>>>>
>>>>
>>>> End of Argus-info Digest, Vol 105, Issue 1
>>>> ******************************************
>>>>


-- 
Best Regards,

CS Lee<geek00L[at]gmail.com>

http://geek00l.blogspot.com
http://defcraft.net
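
Added example, not part of the thread and not the argus-clients code: a simplified C sketch of the behaviour discussed above, where an exact binary float comparison misses a value that prints as -0.573333, while a test that first rounds the record to the print precision matches it. The function names and the sample value -43/75 are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>

/* Naive test: convert the filter text to a binary float, compare exactly. */
int eq_exact(float record, const char *filter_text)
{
    return record == strtof(filter_text, NULL);
}

/* Round v to `precision` decimal places, i.e. the value as printed.
   Going through an integer also turns -0.0 into 0.0. */
static double shown_value(double v, int precision, double *scale_out)
{
    double scale = 1.0;
    for (int i = 0; i < precision; i++)
        scale *= 10.0;
    long long units = (long long)(v * scale + (v < 0 ? -0.5 : 0.5));
    *scale_out = scale;
    return (double)units / scale;
}

/* Precision-aware test: match when the printed value equals the filter
   value to within half a unit of the digit after the last printed one. */
int eq_at_precision(double record, const char *filter_text, int precision)
{
    double scale;
    double shown = shown_value(record, precision, &scale);
    double diff = shown - strtod(filter_text, NULL);
    if (diff < 0)
        diff = -diff;
    return diff < 0.5 / (scale * 10.0);
}

int main(void)
{
    float pcr = -43.0f / 75.0f;   /* constructed sample, prints as -0.573333 */
    printf("exact        eq -0.573333 : %d\n", eq_exact(pcr, "-0.573333"));
    printf("precision 6  eq -0.573333 : %d\n", eq_at_precision(pcr, "-0.573333", 6));
    printf("precision 3  eq -0.573333 : %d\n", eq_at_precision(pcr, "-0.573333", 3));
    printf("precision 3  eq -0.573    : %d\n", eq_at_precision(pcr, "-0.573", 3));
    return 0;
}
```

At precision 3 the six-digit filter no longer matches, which mirrors the "-p 3" behaviour described in the 3.0.7.26 announcement quoted above.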