Peter Van Epp | 1 Sep 23:55 2006

mystery explained

	It appears the loss of capture data that I'm seeing is a PF_ring pcap
bug. If you start and stop a tcpdump on the same interfaces that argus is
listening on, the stop of tcpdump takes the interface out of promiscuous mode
(leaving argus only seeing broadcasts ...). Something else to add to my list
of things to fix :-).

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada
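A check for the failure mode Peter describes, added here as an example and not part of the original post: parse the output of `ip link show` (the real iproute2 command) and report which of the interfaces a sensor is supposed to be listening on have lost the PROMISC flag. The sample output below is constructed.

```python
import re

# Constructed sample of `ip link show` output: eth1 is in promiscuous mode,
# eth0 has silently dropped out of it (the state Peter describes after a
# tcpdump on the same interface exits).
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff
"""

# One header line per interface: "<index>: <name>[@peer]: <FLAG,FLAG,...> ..."
# Continuation lines are indented, so they never match the leading "<digits>:".
_LINK_RE = re.compile(r"^\d+:\s+([^:@\s]+)[^<]*<([^>]*)>", re.MULTILINE)


def link_flags(ip_link_output):
    """Map interface name -> set of flags parsed from `ip link show` text."""
    return {name: set(flags.split(","))
            for name, flags in _LINK_RE.findall(ip_link_output)}


def capture_at_risk(ip_link_output, sensor_ifaces):
    """Return the sensor interfaces that are not in promiscuous mode.

    An interface without PROMISC delivers only frames addressed to the host
    plus broadcast/multicast, so a sniffer bound to it is silently blind.
    A name absent from the output is reported too: nothing can be
    listening on it.
    """
    flags = link_flags(ip_link_output)
    return sorted(i for i in sensor_ifaces if "PROMISC" not in flags.get(i, set()))


if __name__ == "__main__":
    # Live use would feed this the captured output of: ip link show
    for iface in capture_at_risk(SAMPLE_IP_LINK, ["eth0", "eth1"]):
        print(f"{iface}: PROMISC flag missing, capture only sees broadcasts")
```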

Christopher Jones | 5 Sep 23:54 2006

Getting text file from argus data file

All,

I'm trying to get a human readable file from argus data files.  It
looks like the raxml client is no longer in argus as of version 3.0.
Is there a client that writes human readable output of argus data
files to a file?  I could always pipe output from an argus client's
stdout to file but was hoping for a more elegant solution.

Thanks,

Chris

Russell Fulton | 5 Sep 23:58 2006

Re: Getting text file from argus data file


Christopher Jones wrote:
> All,
> 
> I'm trying to get a human readable file from argus data files.  It
> looks like the raxml client is no longer in argus as of version 3.0.
> Is there a client that writes human readable output of argus data
> files to a file?  I could always pipe output from an argus client's
> stdout to file but was hoping for a more elegant solution.

I just redirect ra output to disk.

Russell

Earl | 8 Sep 15:47 2006

Directionality


Is there any info available anywhere or can someone point out
changes (if any) in the 3.x branch over the 2.x branch of the logic
argus utilizes to determine directionality?

Thanks.

Earl
Carter Bullard | 8 Sep 16:11 2006

Re: Directionality

Hey Earl,
The changes between 2.x and 3.0 are rather extensive, and of
course the 3.0 branch has a few bugs still, so a description of the
actual changes that impact directionality is probably a bit premature.

I can say, however, what we're trying to achieve.  Argus, from v 0.9-2.x,
has tried very hard to determine the originator of a flow, so that for
protocols such as UDP/TCP, the destination port number would represent
the actual service port number of the flow.  This has worked well, in both
symmetric and asymmetric routing networks, but it can be fooled by
stealthy scan methods (TCP syn_ack and some rare RST
scans can be reported to be going in the opposite direction).

Before 3.0, Argus would try to do the directionality, but in 3.0, we're
shifting that responsibility to the clients.  The goal is to make Argus
less complex and accurate for what it observes (rather than what
it thinks it observes), which should enable the client the flexibility to
"correct" the direction if the user wants that functionality (that will
be the default).  The concept is that argus will tell you what was on
the wire, with enough additional information so that the clients can
figure out what it really means, if anything.

In our testing, we're close, and I'm working on fixing a bug that Peter
noticed.  Once we're done, Argus 3.0 should be considered more
accurate than Argus 2.x.

If you'd like more detail on how the directionality is reported, send
email and I'll try to fill in the gaps.
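An illustration of the split Carter describes, written for this page and not taken from argus: a minimal client-side orientation routine that takes what the sensor saw on the wire (who sent the first packet, with which TCP flags) and decides who the originator is, keeping the wire direction and flagging ambiguity when the first packet was a SYN/ACK or RST instead of silently flipping the flow. The record fields, the rules and the sample flows are constructed assumptions, not argus's record format or logic.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class WireFlow:
    """First packet of a flow as seen on the wire (constructed, not argus format)."""
    src: str
    sport: int
    dst: str
    dport: int
    first_flags: str   # TCP flags of the first observed packet: "S", "SA", "R", "A", ...


def orient(flow):
    """Decide originator/responder from the wire record.

    Returns originator, responder, service port, a confidence level and the
    reason, so the caller can choose whether to "correct" the direction.
    """
    f = set(flow.first_flags)
    if "S" in f and "A" not in f:
        # A bare SYN is the only unambiguous evidence of who started the flow.
        return dict(originator=flow.src, responder=flow.dst, service_port=flow.dport,
                    confidence="high", reason="first packet was SYN")
    if f & {"S", "R"}:
        # SYN/ACK or RST seen first: the SYN was missed (asymmetric routing) or
        # this is a reply-only probe. A 2.x-style heuristic would flip the flow;
        # here the wire direction is kept and the record is marked for review.
        # The packet's source port is taken as the presumed service side.
        return dict(originator=flow.src, responder=flow.dst, service_port=flow.sport,
                    confidence="ambiguous",
                    reason="first packet was %s; SYN not observed" % flow.first_flags)
    # Picked up mid-stream (no SYN at all): fall back to the lower-port heuristic.
    if flow.dport <= flow.sport:
        return dict(originator=flow.src, responder=flow.dst, service_port=flow.dport,
                    confidence="low", reason="port heuristic")
    return dict(originator=flow.dst, responder=flow.src, service_port=flow.sport,
                confidence="low", reason="port heuristic (reversed)")


# Constructed sample flows using documentation/private addresses.
SAMPLE_FLOWS = [
    WireFlow("10.0.0.5", 40000, "192.0.2.10", 80, "S"),    # normal connect
    WireFlow("192.0.2.10", 80, "10.0.0.5", 40001, "SA"),   # only the reply was seen
    WireFlow("192.0.2.10", 443, "10.0.0.5", 40002, "A"),   # joined mid-stream
]

if __name__ == "__main__":
    for fl in SAMPLE_FLOWS:
        print(fl.src, "->", fl.dst, fl.first_flags, orient(fl))
```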

Earl | 9 Sep 23:39 2006

Re: Directionality


Carter,

This works for now.  I'll ping you out-of-band if I have any
specifics.  Thanks for taking time to share the vision.

Earl

On Fri, 08 Sep 2006 10:11:04 -0400 Carter Bullard
<carter <at> qosient.com> wrote:
>Hey Earl,
>The changes between 2.x and 3.0 are rather extensive, and of
>course the 3.0 branch has a few bugs still, so a description of the
>actual changes that impact directionality is probably a bit premature.
>
>I can say, however, what we're trying to achieve.  Argus, from v 0.9-2.x,
>has tried very hard to determine the originator of a flow, so that for
>protocols such as UDP/TCP, the destination port number would represent
>the actual service port number of the flow.  This has worked well, in both
>symmetric and asymmetric routing networks, but it can be fooled by
>stealthy scan methods (TCP syn_ack and some rare RST
>scans can be reported to be going in the opposite direction).
>

Carter Bullard | 11 Sep 18:40 2006

Re: Re: argus 3.0.0 rc.28 memory leaks

Hey Gabriel,
So, ....,  I've added the concepts from your patch to argus, however,
there are a number of things that you are suggesting that are not
workable.   So, we'll need to test the new rc.29, which I should have
up on the server later today,  to see if it solves your memory
problem.

In particular, in your attempt to deallocate all dynamically allocated
memory in "ArgusCloseSource()", "ArgusCloseModeler()" and
"ArgusCloseOutput()", you delete some memory that is used later on in
the closing sequences.  I have moved these around, and it seems to be
working as you intended.

I did add an ArgusInitMallocList() and ArgusDeleteMallocList() method, in
place of your ArgusInitRecordAllocator(), not a big deal, and I added
object typing to ArgusDeleteList(), to clean up your suggestions for doing
the right thing based on what is in the list.

You had a /* FIXME: ... */  comment in ArgusCloseModeler(), where you
ask, "we're shutting down, so why push another record onto the list ? ---".
This record is the ARGUS_STOP management record that will be written
to all the attached clients and/or written to the output files, and is the trigger
for closing all the output sockets that argus is maintaining.  So this is very
important.


Carter Bullard | 11 Sep 22:22 2006

new argus and clients rc.29 on the server

Gentle people,
A new set of release candidates rc.29 has been uploaded to the development
directory on the server in:

    ftp://qosient.com/dev/argus-3.0

This set corrects a potential memory leak, many directionality problems, and
adds new logic to the clients for filtering, printing, sorting, etc.....
Please give this set a round of testing, if possible.

There are only a few known problems that I am still working on, which include
an alignment problem on HP Superdomes (big 64-bit machine) for the client
distribution, and Solaris filter syntax errors (also 64-bit related, ...,  we think).
I'm hoping that we are on the last leg and almost ready for an official argus-3.0
release.

Opinions?

Carter

Carter Bullard | 11 Sep 22:28 2006

Re: Patch for ragraph

Hey Andrew,
    I've added the suggested changes to ragraph.pl in Argus-3.0.
Carter

On Aug 26, 2006, at 12:21 AM, Andrew Pollock wrote:

> Hi,
>
> I recently received a patch for ragraph to add -debug and -comment switches.
>
> The patch can be found at
>
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=381302
>
> regards
>
> Andrew
>

Christopher Jones | 12 Sep 00:49 2006

3.0 and top talkers

All,

I know that 3.0 is in beta and therefore the Argus client
implementation is in flux.  Is there a way in 3.0 to get the top
talkers like in 2.0.6 where ramon can be used with rasort to get the
top receivers or senders?  If this is coming soon to 3.0, any ideas when?

Thanks,

Chris
