[ARGUS] ARGUSBug Argus server occasionally generates an invalid meter DSR in a flow record
Reed, Joel via Argus-info
argus-info at lists.andrew.cmu.edu
Wed Feb 27 15:56:36 EST 2019
Hey Carter,
I have attached a binary argus file with the problem record. It was captured directly from Argus.
When the record has been put in a file by itself, the bytes and packets are 0 like below. When the record is in the file with another record before it, the client prints the bytes and packet values from the previous record.
$ ra -r prob_rec.argus
StartTime Flgs Proto SrcAddr Sport SrcPkts SrcBytes Dir DstAddr Dport DstPkts DstBytes State
2019-02-27T10:33:36.493615 EST * * tcp 160.91.94.169.2049 0 0 ? 160.91.86.74.1023 0 0 CON
All is well here. Hope all is well with you!
Thanks,
Joel
On Feb 27, 2019, at 2:14 PM, carter at qosient.com<mailto:carter at qosient.com> wrote:
Hey Joel,
Can you send a binary argus file that has one of the records in it ??? Is this record coming directly from argus or is it coming from a client … radium.1 ???
There is a lot of data compression going on with the Meter DSR, and the client library will attempt to pack the metrics into as little space as possible, such that, if all the values are less than 256, then all the metrics are reported as a char array. I suspect that the Meter DSR has been compressed, but the final type description is getting dropped.
What do the argus-clients do with this record … do they print out anything at all or do they jump past this DSR ???
Hope all is going well down in Tennesseeeeeeeeeee land !!!!
Carter
On Feb 27, 2019, at 2:01 PM, Reed, Joel via Argus-info <argus-info at lists.andrew.cmu.edu<mailto:argus-info at lists.andrew.cmu.edu>> wrote:
>Description:
The Argus server occasionally generates a flow record with a meter DSR that is not properly parsed by the ra client. This causes the packet, byte, and appbytes counts to be incorrect, usually containing at least some count values from the previous flow record. Below I have included a partial dump of the of the problematic flow record. The meter DSR subtype 0x04 (includes app bytes) has a qualifier of 0x00. The meter DSR parser (common/argus_client.c:~2223) does not have a case to process a meter DSR subtype 0x04, qualifier of 0x00.
Partial hex dump of the flow record:
01: 13 20 00 39 -- Type 0x10 (FAR), version 3, 0x20 continuation, length 0x39
02: 01 03 00 03 -- Transport DSR
03: 00 00 00 00 |
04: e1 12 61 ff |
05: 02 01 01 05 -- Flow DSR
06: a0 5b 56 4a |
07: a0 5b 5e a9 |
08: 06 00 03 ff |
09: 08 01 00 00 |
0a: 03 02 18 05 -- Time DSR
0b: 5c 76 ad d0 |
0c: 00 07 88 2f |
0d: 5c 76 ad f0 |
0e: 00 05 41 67 |
0f: 10 04 00 05 -- Meter DSR, subtype 0x04, qualifier 0x00, length 0x05
10: 30 00 00 01 |
11: 40 00 01 02 |
12: 01 f4 00 00 |
13: 48 00 01 02 |
14: 30 05 00 1e -- Network DSR
15: ...
>How-To-Repeat:
Unknown. We see approximately one of these per hour.
>Fix:
Unknown.
>Originator: Joel Reed <reedjw at ornl.gov<mailto:reedjw at ornl.gov>>
>Organization:
ORNL
>ARGUS support: none
>Release: argus-3.0
>Product: argus
>Synopsis: Argus server occasionally generates an invalid meter DSR in a flow record
>Class: sw-bug
>Severity: non-critical
>Priority: low
>Environment:
ARGUS: Argus Version 3.0.8.2
RA: Ra Version 3.0.8.2
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20190227/ae8bc273/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: prob_rec.argus
Type: application/octet-stream
Size: 356 bytes
Desc: prob_rec.argus
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20190227/ae8bc273/attachment-0001.obj>
More information about the argus
mailing list