
rc.35 - ArgusGetIndicatorString() still incomplete

Hi,

this is QA again ;)

attached is a tiny little patch to fix the offsets of the proto indicator flags.
From what I've seen, there is still a lot of flag generation code missing. I've
not started to fill the gaps, because I don't know if there is already ongoing
work on that. 

Cheers, Phil

Attachment (argus_util.c.rc35.patch.gz): application/x-gunzip, 846 bytes
carter | 1 Dec 16:05

Re: rc.35 - ArgusGetIndicatorString() still incomplete

What is the problem that you are fixing?
Carter

Carter Bullard
QoSient LLC
150 E. 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax  

-----Original Message-----
From: "Philipp E. Letschert" <phil@uni-koblenz.de>
Date: Fri, 1 Dec 2006 02:22:11 
To: argus-info@lists.andrew.cmu.edu
Subject: [ARGUS] rc.35 - ArgusGetIndicatorString() still incomplete

Hi,

this is QA again ;)

attached is a tiny little patch to fix the offsets of the proto indicator flags.
From what I've seen, there is still a lot of flag generation code missing. I've
not started to fill the gaps, because I don't know if there is already ongoing
work on that. 

Cheers, Phil


Re: rc.35 - ArgusGetIndicatorString() still incomplete

The ra man page gives the following possibilities for the proto indicator flag:

            T          -  Time Corrected/Adjusted
            M          -  Multiple physical layer paths
             m         -  MPLS encapsulated flow
             p         -  PPP over Ethernet encapsulated flow
              v        -  VLAN encapsulations/tags
               G       -  GRE encapsulations/tags
                I      -  ICMP events mapped to this flow
                U      -  ICMP Unreachable event mapped to this flow
                R      -  ICMP Redirect event mapped to this flow
                T      -  ICMP Time Exceeded mapped to this flow
                 V     -  Fragment overlap seen
                 f     -  Partial Fragment
                 F     -  Fragments seen
                 O     -  multiple IP options set
                 S     -  IP option Strict Source Route
                 L     -  IP option Loose Source Route
                 T     -  IP option Time Stamp
                 +     -  IP option Security
                 R     -  IP option Record Route
                 A     -  IP option Router Alert
                 U     -  unknown IP options set
                  *    -  Both Src and Dst TCP retransmissions
                  s    -  Src TCP packet retransmissions
                  d    -  Dst TCP packet retransmissions
                  &    -  Both Src and Dst packet out of order
                  i    -  Src TCP packets out of order
                  r    -  Dst TCP packets out of order
                   @   -  Both Src and Dst Window Closure

Dustin | 1 Dec 23:52

Re: make error on Red Hat 3

that did it, thx much!

On 11/22/06, Philipp E. Letschert <phil@uni-koblenz.de> wrote:
> make tries to install a man page that doesn't exist.
>
> just edit the toplevel Makefile, and delete the following line:
>
> $(INSTALL) -m 0644 $(srcdir)/man/man5/rarc.5 ${prefix}/man/man5/rarc.5
>
>
>
> On Tue, Nov 21, 2006 at 10:33:57PM -0800, Dustin wrote:
> > That's resolved, thx!  Have a new one though, this time installing the
> > server:
> >
> > /usr/bin/install -c -m 0755 ./bin/argusbug /usr/local/bin/argusbug
> > [ -d /usr/local/man ] || \
> >        (mkdir -p /usr/local/man; chmod 755 /usr/local/man)
> > [ -d /usr/local/man/man1 ] || \
> >        (mkdir -p /usr/local/man/man1; chmod 755 /usr/local/man/man1)
> > [ -d /usr/local/man/man5 ] || \
> >        (mkdir -p /usr/local/man/man5; chmod 755 /usr/local/man/man5)
> > [ -d /usr/local/man/man8 ] || \
> >        (mkdir -p /usr/local/man/man8; chmod 755 /usr/local/man/man8)
> > /usr/bin/install -c -m 0644 ./man/man5/argus.5 /usr/local/man/man5/argus.5
> > /usr/bin/install -c -m 0644 ./man/man5/argus.conf.5
> > /usr/local/man/man5/argus.conf.5
> > /usr/bin/install -c -m 0644 ./man/man5/rarc.5 /usr/local/man/man5/rarc.5
> > /usr/bin/install: cannot stat `./man/man5/rarc.5': No such file or directory
> > make: *** [install] Error 1

CS Lee | 3 Dec 08:49

Ragrep

Hey people,

While the 3.x version is not released yet, I would like to see most of the man pages ready at least. I can't find a man page for ragrep, and from the name it sounds like it gives an option to grep records with certain fields specified using a regex. I don't know what is right, as it doesn't tell what it is used for, and I hardly see anyone mention it on the mailing list either. Thanks.

Now I know how to use rastrip efficiently at least, with Carter's explanation. Thanks.

--
Best Regards,

CS Lee<geekooL[at]gmail.com>


Re: Ragrep

Hi,

I have written a man page for ragrep. Please find it attached to this email for
review and inclusion in the argus-clients distribution.

If I am in the mood, I will make a man page for rastrip later that day.

Bye, Philipp

On Sun, Dec 03, 2006 at 03:49:15PM +0800, CS Lee wrote:
> Hey people,
> 
> While 3.x version is not released yet, I would like to see most of the man
> pages are ready at least. I can't find man page for ragrep, and from the
> name it sounds like giving option to grep the record with certain fields
> that specified using regex. I don't know what is right as it doesn't tell what
> it is used for and I hardly see anyone mention it in the mailing list
> either. Thanks.
> 
> Now I know how to use rastrip efficiently at least with Carter's
> explanation. Thanks.
> 
> -- 
> Best Regards,
> 
> CS Lee<geekooL[at]gmail.com>


Re: Ragrep

missing attachment:

Attachment (ragrep.1.gz): application/x-gunzip, 1287 bytes
CS Lee | 4 Dec 02:17

Examine the correctness of filter

Hey people,

While reading ra -b output, I come across this -

ra -b - tcp
(000) ldb      [142]
(001) and      #31
(002) jeq      #0x1             jt 3    jf 5
(003) ldb      [152]
(004) jeq      #0x6             jt 8    jf 9
(005) jeq      #0x2             jt 6    jf 9
(006) ldb      [179]
(007) jeq      #0x6             jt 8    jf 9
(008) ret      #96
(009) ret      #0

While this does not seem so complicated, is there any reference for the argus data format that I can refer to, such as the one shown by tcpdump -d, where the correctness of the filter can be confirmed by looking at the packet headers?

Thanks.

--
Best Regards,

CS Lee<geekooL[at]gmail.com>
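
An added example (not from the list or from the argus sources) that does for the `ra -b - tcp` dump above what one does by hand with a `tcpdump -d` dump: a small interpreter for the four opcodes that appear in it (ldb, and, jeq, ret), replayed over a record buffer so you can see which bytes the filter reads and why it accepts or rejects. Reading the program: it loads the byte at offset 142, masks the low 5 bits, and if the result is 1 compares the byte at offset 152 with 6, if 2 the byte at offset 179 with 6; 6 is IPPROTO_TCP. What the byte at 142 encodes, and why the protocol is looked for at 152 in one case and 179 in the other, is not stated on the page (two record layouts with the protocol field at different offsets is the obvious reading, but it is an assumption), so the code treats the record purely as bytes, and the `make_record` helper is a constructed input that only places the bytes the program reads, not the argus record format.

```python
"""Interpreter for an `ra -b` filter dump: replays the program over a record
buffer and reports which bytes it looked at. Added example, not argus code."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# The `ra -b - tcp` dump from the post, embedded verbatim.
RA_B_TCP_DUMP = """\
(000) ldb      [142]
(001) and      #31
(002) jeq      #0x1             jt 3    jf 5
(003) ldb      [152]
(004) jeq      #0x6             jt 8    jf 9
(005) jeq      #0x2             jt 6    jf 9
(006) ldb      [179]
(007) jeq      #0x6             jt 8    jf 9
(008) ret      #96
(009) ret      #0
"""

IPPROTO_TCP = 6  # the constant the program compares against at offsets 152 and 179

_LINE = re.compile(r"^\((\d+)\)\s+(\w+)\s+(.*)$")
_JUMP = re.compile(r"^#(0x[0-9a-fA-F]+|\d+)\s+jt\s+(\d+)\s+jf\s+(\d+)$")


@dataclass
class Insn:
    op: str
    k: int       # immediate, or byte offset for ldb
    jt: int = 0  # absolute target when jeq is true (as in tcpdump -d output)
    jf: int = 0  # absolute target when jeq is false


def parse_program(dump: str) -> list[Insn]:
    """Parse the textual dump into instructions, checking sequence and syntax."""
    prog: list[Insn] = []
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        idx, op, args = int(m.group(1)), m.group(2), m.group(3).strip()
        if idx != len(prog):
            raise ValueError(f"instruction {idx} out of sequence")
        if op == "ldb" and args.startswith("[") and args.endswith("]"):
            prog.append(Insn(op, int(args[1:-1], 0)))
        elif op in ("and", "ret") and args.startswith("#"):
            prog.append(Insn(op, int(args[1:], 0)))
        elif op == "jeq" and (jm := _JUMP.match(args)):
            prog.append(Insn(op, int(jm.group(1), 0), int(jm.group(2)), int(jm.group(3))))
        else:
            raise ValueError(f"unsupported instruction {idx}: {op} {args}")
    for ins in prog:  # jump targets must stay inside the program
        if ins.op == "jeq" and not (ins.jt < len(prog) and ins.jf < len(prog)):
            raise ValueError("jump target outside program")
    return prog


def inspected_offsets(prog: list[Insn]) -> set[int]:
    """Every record offset the program can load: the bytes the filter depends on."""
    return {ins.k for ins in prog if ins.op == "ldb"}


@dataclass
class Trace:
    verdict: int  # ret value; 0 means the record is rejected
    loads: list[tuple[int, int]] = field(default_factory=list)  # (offset, byte) in order


def run_program(prog: list[Insn], record: bytes) -> Trace:
    """Execute the program on one record. A load past the end of the record
    rejects it, matching BPF semantics for short packets."""
    acc, pc, trace, steps = 0, 0, Trace(0), 0
    while True:
        steps += 1
        if steps > len(prog):  # forward-only programs never need more steps
            raise RuntimeError("program does not terminate")
        if pc >= len(prog):
            raise ValueError("fell off the end of the program")
        ins = prog[pc]
        if ins.op == "ldb":
            if ins.k >= len(record):
                return trace  # verdict stays 0
            acc = record[ins.k]
            trace.loads.append((ins.k, acc))
            pc += 1
        elif ins.op == "and":
            acc &= ins.k
            pc += 1
        elif ins.op == "jeq":
            pc = ins.jt if acc == ins.k else ins.jf
        else:  # ret
            trace.verdict = ins.k
            return trace


def make_record(kind: int, proto: int, size: int = 200) -> bytes:
    """Constructed test input, NOT the argus record layout: it only places the
    bytes the dumped program reads (142: selector byte, 152 and 179: protocol)."""
    buf = bytearray(size)
    buf[142] = kind & 0xFF
    buf[152] = proto
    buf[179] = proto
    return bytes(buf)


if __name__ == "__main__":
    prog = parse_program(RA_B_TCP_DUMP)
    print("offsets read by the filter:", sorted(inspected_offsets(prog)))
    for kind, proto in ((1, IPPROTO_TCP), (2, IPPROTO_TCP), (1, 17), (3, IPPROTO_TCP)):
        t = run_program(prog, make_record(kind, proto))
        print(f"kind={kind} proto={proto}: verdict={t.verdict} loads={t.loads}")
```

Running it shows the filter touching only offsets 142, 152 and 179, accepting (ret #96) a record whose selector byte masks to 1 or 2 and whose protocol byte at the corresponding offset is 6, and rejecting everything else, including records too short to contain the offset being loaded. The selector byte 0x21 is accepted as well, which makes the `and #31` mask visible: only the low five bits are compared.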

CS Lee | 4 Dec 02:58

Capture User Data Bytes

Hello people,

Thanks for the ragrep man page. ragrep works now by capturing user data bytes; with this I'm confused, since it says user data bytes: if I specify -U 60, will the capture start at the application layer or the network layer? I know the MAC data can be captured as well, but my concern now is the payloads, and that's what I think ragrep is used for.

Sorry if I'm asking too many questions, but I need to know exactly, in order to specify a better value for the user data bytes to be captured.

Thanks again.

--
Best Regards,

CS Lee<geekooL[at]gmail.com>


Re: Capture User Data Bytes

The capture starts in the application layer (= user data). Another thing to keep in
mind is that the maximum capture size seems to be 32 bytes, that is 16 bytes each for
source and destination.

Philipp

On Mon, Dec 04, 2006 at 09:58:04AM +0800, CS Lee wrote:
> Hello people,
> 
> Thanks for ragrep man page, ragrep works now by capturing user data bytes,
> with this I'm confused since it says user data bytes, if I specify -U 60,
> the capture will start on application layer or network layer? I know the mac
> data can be captured as well but my concern now on the payloads and that's
> what I think ragrep is used for.
> 
> Sorry if I'm asking too many questions, but I need to know exactly to
> specify the better value for user data bytes to be captured.
> 
> Thanks again.
> 
> -- 
> Best Regards,
> 
> CS Lee<geekooL[at]gmail.com>

-- 
  /-\
 C oo   "The best tool becomes a bauble in a dim-witted fool's hand."
 _( ^)                                              Daniel Düsentrieb
/   -\