racluster 3.0.6 vs 3.0.8 default aggregation?
Carter Bullard via Argus-info
argus-info at lists.andrew.cmu.edu
Tue Dec 20 10:38:46 EST 2016
Hey Patrick,
Try argus-clients-3.0.8.2, which is the latest version.
You aren’t going too crazy … 3.0.6 is correct, 3.0.8 is also correct, in that it does aggregate correctly, but testing reverse flow directions is not the default. I believe that that was changed back in argus-clients-3.0.8.2. Add “proto” to the mask definition in your last call, as the ports don’t really decode properly if we’ve thrown out the proto field.
Carter
> On Dec 20, 2016, at 4:31 AM, Patrick Forsberg via Argus-info <argus-info at lists.andrew.cmu.edu> wrote:
>
> Hi,
>
> I'm going nuts over aggregation in 3.0.6 and 3.0.8 and realize that I obviously haven't understood a thing.
>
> Given a simple UDP flow between two hosts
> # ra -X -r /tmp/ratest
> StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport TotPkts TotBytes State
> 09:04:56.941624 e udp 100.0.1.1.42461 -> 100.0.2.1.59307 1 77 INT
> 09:04:57.064776 e udp 100.0.2.1.59307 -> 100.0.1.1.42461 1 62 INT
>
> Simply running racluster with no configuration files (-X) gives different results on 3.0.6 and 3.0.8
>
> # /usr/local/src/Argus/argus-clients-3.0.6/bin/racluster -X -s+trans -r /tmp/ratest
> StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport TotPkts TotBytes State Trans
> 09:04:56.941624 e udp 100.0.1.1.42461 <-> 100.0.2.1.59307 2 139 CON 2
>
> # /usr/local/src/Argus/argus-clients-3.0.8/bin/racluster -X -s+trans -r /tmp/ratest
> StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport TotPkts TotBytes State Trans
> 09:04:56.941624 e udp 100.0.1.1.42461 -> 100.0.2.1.59307 1 77 INT 1
> 09:04:57.064776 e udp 100.0.2.1.59307 -> 100.0.1.1.42461 1 62 INT 1
>
> It seems that 3.0.6 has the "expected behavior" for me.
>
> Running 3.0.8 with "-M correct" gives the same result as for 3.0.6
>
> # /usr/local/src/Argus/argus-clients-3.0.8/bin/racluster -X -M correct -s+trans -r /tmp/ratest
> StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport TotPkts TotBytes State Trans
> 09:04:56.941624 e udp 100.0.1.1.42461 <-> 100.0.2.1.59307 2 139 CON 2
>
> This implies that 3.0.8 doesn't use the classic 5-tuple (what is the classic 5-tuple by the way?) and I thought I was on to something until I tried
>
> # /usr/local/src/Argus/argus-clients-3.0.8/bin/racluster -X -m saddr daddr sport dport -M correct -s+trans -r /tmp/ratest
> StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport TotPkts TotBytes State Trans
> 09:04:56.941624 e udp 100.0.1.1.42461 -> 100.0.2.1.59307 1 77 INT 1
> 09:04:57.064776 e udp 100.0.2.1.59307 -> 100.0.1.1.42461 1 62 INT 1
>
> Now all of a sudden "-M correct" doesn't seem to help in aggregating the records.
>
> What am I missing here?
>
> /Patrick
>
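To make the behaviour in this thread concrete, here is a small Python model of racluster's key matching, added here and not code from argus-clients: records are merged under a key mask (the classic 5-tuple of saddr, daddr, sport, dport and proto by default), and the optional `correct` flag stands in for "-M correct", testing the reversed key so the return direction of the UDP exchange folds into one bidirectional record. The two ra records are taken from the thread; the proto dependence of port decoding that Carter mentions is not modelled, so a mask without proto still merges here.

```python
from collections import OrderedDict

# Constructed input: the two ra records from the thread.
# Columns: StartTime Flgs Proto SrcAddr.Sport Dir DstAddr.Dport TotPkts TotBytes State
RA_LINES = """09:04:56.941624 e udp 100.0.1.1.42461 -> 100.0.2.1.59307 1 77 INT
09:04:57.064776 e udp 100.0.2.1.59307 -> 100.0.1.1.42461 1 62 INT"""

# Model of racluster's default key: the classic 5-tuple (proto included).
DEFAULT_MASK = ("saddr", "daddr", "sport", "dport", "proto")

def parse_ra(text):
    """Parse one-line-per-record ra output (whitespace separated) into dicts."""
    recs = []
    for line in text.splitlines():
        start, flgs, proto, src, _d, dst, pkts, nbytes, state = line.split()
        saddr, sport = src.rsplit(".", 1)   # host.port -> (host, port)
        daddr, dport = dst.rsplit(".", 1)
        recs.append({"start": start, "flgs": flgs, "proto": proto,
                     "saddr": saddr, "sport": sport, "daddr": daddr, "dport": dport,
                     "pkts": int(pkts), "bytes": int(nbytes), "state": state})
    return recs

def flow_key(rec, mask):
    return tuple(rec[f] for f in mask)

def reverse_key(rec, mask):
    """Key of the same record with source and destination swapped."""
    swapped = dict(rec, saddr=rec["daddr"], daddr=rec["saddr"],
                   sport=rec["dport"], dport=rec["sport"])
    return flow_key(swapped, mask)

def racluster(recs, mask=DEFAULT_MASK, correct=False):
    """Merge records sharing a key. With correct=True (like -M correct) a record
    whose reversed key matches an existing entry is merged into it as the return
    direction, so the entry becomes bidirectional (<->) and connected (CON)."""
    table = OrderedDict()
    for r in recs:
        k = flow_key(r, mask)
        if k not in table and correct and reverse_key(r, mask) in table:
            k = reverse_key(r, mask)
            table[k]["dir"], table[k]["state"] = "<->", "CON"
        agg = table.setdefault(k, dict(r, dir="->", pkts=0, bytes=0, trans=0))
        agg["pkts"] += r["pkts"]
        agg["bytes"] += r["bytes"]
        agg["trans"] += 1          # one transaction per merged input record
    return list(table.values())

if __name__ == "__main__":
    for correct in (False, True):
        print("correct=%s" % correct)
        for a in racluster(parse_ra(RA_LINES), correct=correct):
            print("  %(proto)s %(saddr)s.%(sport)s %(dir)s %(daddr)s.%(dport)s "
                  "%(pkts)d %(bytes)d %(state)s %(trans)d" % a)
```

Without `correct` the two one-way records stay separate (the 3.0.8 default shown above); with it they collapse to a single record with 2 packets, 139 bytes, state CON and trans 2, matching the 3.0.6 and "-M correct" output.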