Robert Leyba | 1 Jun 06:30

Re: Direction of src and dest

Hi Carter,   

I've recreated the scenario.  I'm sending you what might be useful.  Note that 
I FTP'd the file from 10.22.97.107 to 10.52.32.215

root <at> cpocts:/tmp# racount -r outfile - src host 10.52.32.215 and dst host 10.22.97.107
racount   records     total_pkts     src_pkts       dst_pkts       total_bytes        src_bytes          dst_bytes
    sum   3           174            66             108            157624             4050               153574
root <at> cpocts:/tmp# racount -r outfile - dst host 10.52.32.215 and src host 10.22.97.107
racount   records     total_pkts     src_pkts       dst_pkts       total_bytes        src_bytes          dst_bytes
    sum   5           36             21             15             2735               1360               1375

root <at> cpocts:/tmp# ra -r outfile - src host 10.52.32.215 and dst host 10.22.97.107 -L0
         StartTime    Flgs   Proto      SrcAddr        Sport   Dir      DstAddr        Dport  SrcPkts  DstPkts     SrcBytes     DstBytes State
   14:09:40.619797  e          tcp        10.52.32.215.ftp-da    ->        10.22.97.107.igi-lm        4        3          328          182   FIN
   14:09:58.597238  e d        tcp        10.52.32.215.ftp-da    ->        10.22.97.107.dbsa-l       62      105         3722       153392   FIN

root <at> cpocts:/tmp# ra -r outfile - dst host 10.52.32.215 and src host 10.22.97.107 -L0
         StartTime    Flgs   Proto      SrcAddr        Sport   Dir      

Robert Leyba | 1 Jun 06:54

Measuring traffic (confused by -M rmon parameter)

We'd like to measure the network traffic between two of our vlans.   We are 
quite confused by the -M rmon parameter.   In our example below, I sent 4 ping 
packets from one host to another.  Doing a simple ra and racount vs one with 
the -M rmon switch set, it looks like the one with the -M rmon is counting the 
packets twice.  Note how the timestamps of the packet transmission appears 
twice.

What would be the correct procedure?

Thanks

--robert

root <at> cpocts:/tmp# ra -r outfile - net 10.52.32.215/20 and net 10.22.97.10/20  -L0
         StartTime    Flgs   Proto      SrcAddr        Sport   Dir      DstAddr        Dport  SrcPkts  DstPkts     SrcBytes     DstBytes State
   14:35:54.112424  e         icmp        10.22.97.107          <->        10.52.32.215               1        1           74           74   ECO
   14:35:55.114070  e         icmp        10.22.97.107          <->        10.52.32.215               1        1           74           74   ECO
   14:35:56.114940  e         icmp        10.22.97.107          <->        10.52.32.215               1        1           74           74   ECO
   14:35:57.116779  e         icmp        10.22.97.107          <->        10.52.32.215               1        1           74           74   ECO
root <at> cpocts:/tmp# ra -M rmon -r outfile - net 10.52.32.215/20 and net 10.22.97.10/20  -L0
         StartTime    Flgs   Proto         Host        Sport   Dir      DstAddr        Dport  OutPkts   InPkts     OutBytes      InBytes State
   14:35:54.112424  e         icmp        10.22.97.107          <->        

carter | 1 Jun 23:16

Re: argus-3.0.0 segfault (5/23 version)

Hey Michael,
I'm expecting to read the resulting packet file back through argus using the "-r file" option, and it segfaults.
Does it do that?
Carter

Carter Bullard
QoSient LLC
150 E. 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax  

-----Original Message-----
From: Michael Hornung <hornung <at> cac.washington.edu>
Date: Thu, 31 May 2007 14:59:27 
To:carter <at> qosient.com
Cc:Argus <argus-info <at> lists.andrew.cmu.edu>
Subject: Re: [ARGUS] argus-3.0.0 segfault (5/23 version)

Are you expecting argus to reproduce the segfault by replaying it through 
argus by setting ARGUS_PACKET_CAPTURE_FILE in argus.conf?  I tried that 
(leaving the rest of the config the same) and the segfault does not happen 
again.  If the pcap will still be helpful to you, let me know and I'll put 
up the copy with sanitized IPs.

-Mike

On Thu, 24 May 2007 at 23:22, carter <at> qosient.com wrote:

|Hey Micheal,

Michael Hornung | 1 Jun 23:33

Re: argus-3.0.0 segfault (5/23 version)

Hi Carter, no it doesn't.  Sort of.  Let me explain.

I haven't sent a pcap yet because my organization wants me to sanitize it 
before sending it along.  That is not something I've done before, but I 
found an API and a tool called "anontool" 
(http://www.ics.forth.gr/dcs/Activities/Projects/anontool.html) which 
seems to work.

Now here's the rub: when I send the original pcap I captured when the 
segfault was caught, back through argus using the "-r" option, it 
segfaults at a different point than when I was capturing off a NIC.  
That's ok, because it still segfaults and that should be passed along for 
debugging.  BUT when I pass the anonymized pcap through argus using "-r" 
it completes and does not throw an exception.  See below (I set the debug 
reporting to 1):

# gdb /usr/local/sbin/argus
(gdb) set args -r /tmp/segfault.pcap
(gdb) run
Starting program: /usr/local/sbin/argus -r /tmp/segfault.pcap
argus[17283]: 01 Jun 07 14:22:55.957899 ArgusParseResourceFile: 
ArgusFilter "" 
argus[17283]: 01 Jun 07 14:22:55.958569 ArgusParseResourceFile 
(/etc/argus.conf) returning
argus[17283]: 01 Jun 07 14:22:55.958965 setArgusInterfaceStatus(1)
argus[17283]: 01 Jun 07 14:22:55.981237 ArgusInitSource() returning
argus[17283]: 01 Jun 07 14:22:55.981711 ArgusInitOutput() done
argus[17283]: 01 Jun 07 14:22:55.982090 ArgusInitModeler() done
argus[17283]: 01 Jun 07 14:22:55.982560 setArgusInterfaceStatus(0)


Michael Hornung | 1 Jun 23:38

Re: argus-3.0.0 segfault (5/23 version)

Oops, the lines:

(gdb) print ArgusMallocList->end->nxt
Cannot access memory at address 0xaa4ed9e8
(gdb) print mem
$1 = (struct ArgusMemoryHeader *) 0x94edc38

from the previous message are not accurate.  They're from a separate run 
which produced the segfault but have different values.

-Mike

On Fri, 1 Jun 2007 at 14:33, Michael Hornung wrote:

|Hi Carter, no it doesn't.  Sort of.  Let me explain.
|
|I haven't sent a pcap yet because my organization wants me to sanitize it 
|before sending it along.  That is not something I've done before, but I 
|found an API and a tool called "anontool" 
|(http://www.ics.forth.gr/dcs/Activities/Projects/anontool.html) which 
|seems to work.
|
|Now here's the rub: when I send the original pcap I captured when the 
|segfault was caught, back through argus using the "-r" option, it 
|segfaults at a different point than when I was capturing off a NIC.  
|That's ok, because it still segfaults and that should be passed along for 
|debugging.  BUT when I pass the anonymized pcap through argus using "-r" 
|it completes and does not throw an exception.  See below (I set the debug 
|reporting to 1):
|

carter | 2 Jun 01:39

Re: Measuring traffic (confused by -M rmon parameter)

Indeed, that is what the "-M rmon" mode does. It converts flow data to object data, which looks like a
doubling if you misinterpret the data.  Until you have a bit more experience, use the "-M rmon" option
with aggregators, like racluster() and rabins().

   Compare racluster with and without the option:

   racluster -r outfile - net 10.52.32.215/20 and net 10.22.97.10/20  -L0

   racluster -M rmon -m saddr -s stime dur saddr spkts dpkts sbytes dbytes -r outfile - net 10.52.32.215/20 and net 10.22.97.10/20  -L0

Carter


Carter Bullard
QoSient LLC
150 E. 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax  

-----Original Message-----
From: Robert Leyba <r_leyba14 <at> yahoo.com>
Date: Fri, 1 Jun 2007 04:54:11 
To:argus-info <at> lists.andrew.cmu.edu
Subject: [ARGUS] Measuring traffic (confused by -M rmon parameter)

We'd like to measure the network traffic between two of our vlans.   We are 

CS Lee | 2 Jun 01:44

rmon

Robert,

-M rmon will turn the argus data into unidirectional form, and that's why you are seeing it reported twice in your record: by default an argus record is in bidirectional form.

This is a feature :) Especially useful when you use it with racluster. You can check out the threads from the link below to understand more about it.

http://search.gmane.org/search.php?group=gmane.network.argus&query=rmon

Cheers.

--
Best Regards,

CS Lee<geekooL[at]gmail.com>

Robert Leyba | 2 Jun 09:16

Re: Measuring traffic (confused by -M rmon parameter)

OK, I will try it out with the racluster command and observe the differences, 

thanks.

Robert Leyba | 2 Jun 09:32

Re: rmon

Hi CS,
    Thanks for the reply.  Honestly, still trying to dissect the concept of
flows (and flow directions!)   Will google more of this.   At any rate, going
back to my original question, if we were to start measuring the traffic between
our two subnets would the syntax be:

root <at> cpocts:/tmp# racount -M rmon -r outfile - net 10.52.32.215/20 and net 10.22.97.10/20  -L0

...or would it be the same command above but without the -M rmon parameter?

Basically we would want to measure ALL the data that flows between the subnets,
regardless of direction.

Thanks again

--robert

carter | 2 Jun 16:36

Re: Re: rmon

Hey Robert,
racount() is a very light weight aggregator, so not really the tool to use.
Try thinking racluster().

So how about:
   racluster -r file -m matrix/20

This will give you all the nets.
Carter

Carter Bullard
QoSient LLC
150 E. 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax

-----Original Message-----
From: Robert Leyba <r_leyba14 <at> yahoo.com>

Date: Sat, 2 Jun 2007 07:32:28 
To:argus-info <at> lists.andrew.cmu.edu
Subject: [ARGUS] Re: rmon


Hi CS,
    Thanks for the reply.  Honestly, still trying to dissect the concept of
flows (and flow directions!)   Will google more of this.   At any rate, going
back to my original question, if we were to start measuring the traffic between
our two subnets would the syntax be:

root <at> cpocts:/tmp# racount -M rmon -r outfile - net 10.52.32.215/20 and net 10.22.97.10/20  -L0

...or would it be the same command above but without the -M rmon parameter?

Basically we would want to measure ALL the data that flows between the subnets,
regardless of direction.

Thanks again

--robert
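To make the arithmetic in Carter's and CS Lee's replies concrete, here is an added example that is not code from the thread or from the Argus project. It is a toy re-implementation of three things discussed above: the "sum" line racount prints, what "-M rmon" does to bidirectional flow records (each record is re-expressed once from each endpoint's point of view, so naive totals double), and a direction-agnostic "-m matrix/20" style roll-up of the kind Carter recommends for measuring all traffic between two /20 networks. The sample records are constructed, modeled on the ra output quoted earlier in the thread; the names Flow, HostRecord, racount, to_rmon, rmon_totals and matrix are this example's own, and the real racluster keying rules are more involved than the simplified version shown.

```python
"""
Added example (not Argus code): simplified arithmetic behind racount's
"sum" line, the "-M rmon" host-oriented view, and a racluster-style
"-m matrix/<prefixlen>" aggregation. Sample records below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Flow:
    """One bidirectional Argus flow record (the default ra/racount form)."""
    stime: str
    proto: str
    saddr: str
    daddr: str
    spkts: int
    dpkts: int
    sbytes: int
    dbytes: int


@dataclass(frozen=True)
class HostRecord:
    """One host-oriented (rmon-style) record; counters are Out/In from host's view."""
    stime: str
    proto: str
    host: str
    peer: str
    outpkts: int
    inpkts: int
    outbytes: int
    inbytes: int


# Constructed sample flows, modeled on the ra output quoted in the thread.
FLOWS: List[Flow] = [
    Flow("14:09:40.619797", "tcp", "10.52.32.215", "10.22.97.107", 4, 3, 328, 182),
    Flow("14:09:58.597238", "tcp", "10.52.32.215", "10.22.97.107", 62, 105, 3722, 153392),
    Flow("14:35:54.112424", "icmp", "10.22.97.107", "10.52.32.215", 1, 1, 74, 74),
    Flow("14:35:55.114070", "icmp", "10.22.97.107", "10.52.32.215", 1, 1, 74, 74),
]


def racount(flows: List[Flow]) -> Dict[str, int]:
    """Reproduce racount's 'sum' line for a list of bidirectional records."""
    spkts = sum(f.spkts for f in flows)
    dpkts = sum(f.dpkts for f in flows)
    sbytes = sum(f.sbytes for f in flows)
    dbytes = sum(f.dbytes for f in flows)
    return {"records": len(flows),
            "total_pkts": spkts + dpkts, "src_pkts": spkts, "dst_pkts": dpkts,
            "total_bytes": sbytes + dbytes, "src_bytes": sbytes, "dst_bytes": dbytes}


def to_rmon(flows: List[Flow]) -> List[HostRecord]:
    """What '-M rmon' does: each bidirectional flow becomes two host records,
    one per endpoint, with Out/In swapped for the second. The same traffic is
    described once from each side, which is why record counts double."""
    records: List[HostRecord] = []
    for f in flows:
        records.append(HostRecord(f.stime, f.proto, f.saddr, f.daddr,
                                  f.spkts, f.dpkts, f.sbytes, f.dbytes))
        records.append(HostRecord(f.stime, f.proto, f.daddr, f.saddr,
                                  f.dpkts, f.spkts, f.dbytes, f.sbytes))
    return records


def rmon_totals(records: List[HostRecord]) -> Dict[str, int]:
    """Naively summing rmon records gives the 'doubling' seen in the thread."""
    return {"records": len(records),
            "total_pkts": sum(r.outpkts + r.inpkts for r in records),
            "total_bytes": sum(r.outbytes + r.inbytes for r in records)}


def matrix(flows: List[Flow], prefixlen: int = 20) -> Dict[str, Dict[str, int]]:
    """racluster-style '-m matrix/<prefixlen>': aggregate bidirectional flows by
    the unordered pair of /prefixlen networks. Direction is normalised so the
    lower network is always the 'src' side; one bucket per network pair."""
    buckets: Dict[str, Dict[str, int]] = {}
    for f in flows:
        snet = ipaddress.ip_network(f"{f.saddr}/{prefixlen}", strict=False)
        dnet = ipaddress.ip_network(f"{f.daddr}/{prefixlen}", strict=False)
        spkts, dpkts, sbytes, dbytes = f.spkts, f.dpkts, f.sbytes, f.dbytes
        if dnet < snet:  # flip the record so the pair is direction-agnostic
            snet, dnet = dnet, snet
            spkts, dpkts, sbytes, dbytes = dpkts, spkts, dbytes, sbytes
        b = buckets.setdefault(f"{snet} <-> {dnet}",
                               {"records": 0, "spkts": 0, "dpkts": 0, "sbytes": 0, "dbytes": 0})
        b["records"] += 1
        b["spkts"] += spkts
        b["dpkts"] += dpkts
        b["sbytes"] += sbytes
        b["dbytes"] += dbytes
    return buckets


if __name__ == "__main__":
    print("racount:", racount(FLOWS))
    print("rmon   :", rmon_totals(to_rmon(FLOWS)))
    for pair, counters in matrix(FLOWS).items():
        print(pair, counters)
```

Running it shows the point of the thread: racount over the four constructed flows reports 157920 bytes, the rmon view reports exactly twice that because each flow appears from both endpoints, and the matrix roll-up collapses the mixed src/dst orderings of the tcp and icmp flows into a single 10.22.96.0/20 <-> 10.52.32.0/20 bucket whose byte total is again 157920. The rmon view is not wrong, it is per-host bookkeeping; the mistake is summing it as if it were flow data.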