Re: Patches to argus-clients-3.0.0.rc.15

	Below are a pair of patch sets one each for (argus-clients-2.0.6.fixes.1
and argus-clients-3.0.0.rc.15, the 2.0.6 patch is in another message because
the combined one hit the list moderation limit ) that almost fix most of 
the errors that occur when comparing 2.0.6 ra output to 3.0 ra output. The 
user data stuff is still broken (looks like thats a Carter task ) because I 
can't quite figure out what its supposed to do .
	While fixing the tcp window code, the thought struck that it would be
interesting to know that a window hit 0 (indicating host buffer conjestion) and
for how long.

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

 argus-clients-3.0.0.rc.15

*** common/argus_util.c.orig	Sun Jul  2 15:24:45 2006
--- common/argus_util.c	Wed Jul  5 19:33:14 2006
***************
*** 2869,2887 ****

                          case IPPROTO_ICMP: {
                             char type[32];
!                            sprintf (type, "%d", flow->flow_un.icmp.type);
                             if ((parser->RaFieldDelimiter != ' ') && (parser->RaFieldDelimiter != '\0')) {
                                switch (parser->RaFieldWidth) {
                                   case RA_FIXED_WIDTH:
                                      sprintf (&buf[strlen(buf)], "%-*.*s%c", len, len, type, parser->RaFieldDelimiter);
                                      break;
                                   default:
!                                     sprintf (&buf[strlen(buf)], "%d%c", flow->flow_un.icmp.type, parser->RaFieldDelimiter);

Re:and argus-clients-2.0.6.fixes.1

	And the 2.0.6.fixes.1 patch gzipped (too big otherwise :

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

Patches to argus-clients-3.0.0.rc.15 and argus-clients-2.0.6.fixes.1

	Below are a pair of patch sets one each for (argus-clients-2.0.6.fixes.1
and argus-clients-3.0.0.rc.15) that almost fix most of the errors that occur
when comparing 2.0.6 ra output to 3.0 ra output. The user data stuff is still
broken (looks like thats a Carter task :-)) because I can't quite figure out
what its supposed to do :-).
	While fixing the tcp window code, the thought struck that it would be
interesting to know that a window hit 0 (indicating host buffer conjestion) and
for how long.

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

 argus-clients-3.0.0.rc.15

*** common/argus_util.c.orig	Sun Jul  2 15:24:45 2006
--- common/argus_util.c	Wed Jul  5 19:33:14 2006
***************
*** 2869,2887 ****
  
                          case IPPROTO_ICMP: {
                             char type[32];
!                            sprintf (type, "%d", flow->flow_un.icmp.type);
                             if ((parser->RaFieldDelimiter != ' ') && (parser->RaFieldDelimiter != '\0')) {
                                switch (parser->RaFieldWidth) {
                                   case RA_FIXED_WIDTH:
                                      sprintf (&buf[strlen(buf)], "%-*.*s%c", len, len, type, parser->RaFieldDelimiter);
                                      break;
                                   default:
!                                     sprintf (&buf[strlen(buf)], "%d%c", flow->flow_un.icmp.type, parser->RaFieldDelimiter);
                                      break;

starttime differences between Argus2 and Argus3

  Hello,

i am running argus-3.0.0.rc.14 together with argus 2.0.6 on the same
interface. Comparing the output of ragator/racluster gives nearly
identical lines. 

On some tcp connections (perhaps 10%) the start time
differs by 3 seconds. All differences are 3 seconds like:

07-08-06 02:05:49.345846
07-08-06 02:05:52.344568

07-08-06 04:05:44.004545 
07-08-06 04:05:47.004503 

  Ciao
     Dietmar

--

-- 
 Alles Gute / best wishes  
     Dietmar Goldbeck         E-Mail: dietmar.goldbeck <at> schotterweg.de
Reporter (to Mahatma Gandhi): Mr Gandhi, what do you think of Western
Civilization?  Gandhi: I think it would be a good idea.

No pidfile support in Argus 3.0?

Hey Carter,

I'm running into some packaging problems with the new Argus, in terms of
initscripts and a lack of pid files.

Even the pid reported when Argus starts isn't really indicative of the
running pid:

apollock <at> lazarus:/$ sudo /usr/sbin/argus
argus[6592]: 08 Jul 06 23:34:09.846194 started
apollock <at> lazarus:/$ ps ax | grep argus
 6594 ?        Ss     0:00 /usr/sbin/argus
 6596 pts/0    R+     0:00 grep argus

Can you bring back the options that support pidfile creation?

regards

Andrew

Re: Patches to argus-clients-3.0.0.rc.15 andargus-clients-2.0.6.fixes.1

Hey Peter,
Thanks for the patches!!!  I am not doing anything with the Argus 2.x code, so if you would/could ablidge, and send a tar file that is your current image, I'll put it one the server as the last 2.x update, when we're done with this effort!!!

OK,  we are providing the info you're interested in, with regard to the window going to 0 ( flag indicators 'S/R' and filter support ' shut ') and the 'Idle' interpacket arrival numbers have the stats on how long the TCP was flow controlled.

Carter
Carter Bullard
QoSient LLC
150 E. 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax  

-----Original Message-----
From: Peter Van Epp <vanepp <at> sfu.ca>
Date: Wed, 5 Jul 2006 19:53:55 
To:argus-info <at> lists.andrew.cmu.edu
Subject: [ARGUS] Patches to argus-clients-3.0.0.rc.15 and
	argus-clients-2.0.6.fixes.1

	Below are a pair of patch sets one each for (argus-clients-2.0.6.fixes.1
and argus-clients-3.0.0.rc.15) that almost fix most of the errors that occur
when comparing 2.0.6 ra output to 3.0 ra output. The user data stuff is still
broken (looks like thats a Carter task :-)) because I can't quite figure out
what its supposed to do :-).
	While fixing the tcp window code, the thought struck that it would be
interesting to know that a window hit 0 (indicating host buffer conjestion) and
for how long.

Peter Van Epp / Operations and Technical Support 

Re: No pidfile support in Argus 3.0?

Hey Andrew,
There is pid file support in argus, at least there is suppose to be,
and it is on by default.   On one of my mac's, argus created this
lock file:

    /var/run/argus.en0.0.pid

So, in the clients I added a pid target directory option to the .rarc
file, will we need that here?

I moved the 'started' statement so that it has the daemon's pid
if you use the '-d' or DAEMON option in the .conf file.

Any other issues?

Carter

On Jul 9, 2006, at 4:55 PM, Andrew Pollock wrote:

> Hey Carter,
>
> I'm running into some packaging problems with the new Argus, in  
> terms of
> initscripts and a lack of pid files.
>
> Even the pid reported when Argus starts isn't really indicative of the
> running pid:
>
> apollock <at> lazarus:/$ sudo /usr/sbin/argus
> argus[6592]: 08 Jul 06 23:34:09.846194 started

Re: starttime differences between Argus2 and Argus3

argus-clients-3.0.0.rc.15

	In addition to the user data printing, I also haven't been able to
figure out how to cause common/argus_util.c:ArgusConvertRecord to put the 
icmp data in to net->net.union.icmp where the data handling routine is 
expecting to find it (and thus thinks everything is an ECR when the type field
is the default 0). This doesn't seem to work:

                     case ARGUS_V2_ICMP_DSR_STATUS: {
                        struct ArgusV2ICMPObject *nv2icmp = (struct ArgusV2ICMPO
bject *)hdrs[ARGUS_V2_ICMP_DSR_INDEX];
                        struct ArgusV2FarStruct  *far = (struct ArgusV2FarStruct
 *)hdrs[ARGUS_V2_FAR_DSR_INDEX];
                        struct ArgusNetworkStruct *net = (struct ArgusNetworkStr
uct *) dsr;
                        struct ArgusIcmpStruct *icmp = (struct ArgusIcmpStruct *
) &net->net_union.icmp;

                        icmp->hdr.type            = ARGUS_NETWORK_DSR;
                        icmp->hdr.subtype         = 0;
...

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

argus-3.0.0.rc.14

Hello,

   I am trying to set up a new argus sensor using argus-3.0.0.rc.14 (on
a SunFire V120 Sparc arch. running Solaris 10) and am not getting safely
out of the configure stage. It looks as though it is missing some type
definitions from what I read in the config.log, however not being an
experienced developer I am including that log for you guys. If someone
can tell me if there is something wrong on my box or if this is a
previously unseen bug I would appreciate it.

   I have reinstalled the OS and tried this cleanly several times. I am
also willing to try any suggestions to address this issue.

Thank you,

Karl Tatgenhorst