Carter Bullard | 1 Jan 22:24

Re: GRE traffic missing

Can you send me a packet capture file with your GRE packets in them
so I can debug this problem?  The files I have are working fine.

Carter

On Dec 27, 2007, at 4:58 PM, CS Lee wrote:

Hi Carter,

Just to verify that argus does not generate any flows for GRE-related traffic. I'm on Ubuntu 7.10.


--
Best Regards,

CS Lee<geek00L[at]gmail.com>

http://geek00l.blogspot.com

Carter Bullard | 4 Jan 04:00

Re: racluster exits

Hey Torbjörn,
I have made a number of changes to fix your racluster() problem,
and did find a bug, so we may have a reasonable solution:
fixes to correction and the idle-time calculation.

I will hopefully have the new code up tonight or early tomorrow.

Hope all is well,

Carter

On Dec 28, 2007, at 8:36 AM, Torbjorn.Wictorin <at> its.uu.se wrote:

> Hi Carter et al,
>
> I have a configuration with a number of argus instances (half-duplex sensors,
> multiple paths) connected together via radium.
> Output from radium is piped(|) to racluster:
>
> radium -w - -S 127.0.0.1:561 ... -e 1000 -T yes | racluster -w argus.log
>
> racluster.conf:
> RACLUSTER_AUTO_CORRECTION=yes
> filter="" model="saddr sport daddr dport proto" status=0 idle=900
>
> The problem is that racluster exits after some time, after eating up memory,
> not writing anything to argus.log before it decides to exit.
>
> Looks like racluster needs some flush-trigger. Have I misunderstood something?
>
> latest clients: 3.0.0.rc.66
>
> Torbjörn Wictorin,
> Uppsala Univ
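
The configuration in the quoted report keys flows on `saddr sport daddr dport proto` and sets `idle=900`. As an added illustration of what such a cache has to do (example code written for this page, not Argus or racluster source; the record fields, class names and sample records are this example's own), the following Python models the aggregation: records with the same key are merged, and an aggregate whose last activity is more than `idle` seconds behind the current record's time is flushed to the output. The `flush_idle` call inside `add` is the flush trigger the report asks about; without it the cache only grows until end of input, which is the memory behaviour described.

```python
from collections import OrderedDict
from dataclasses import dataclass, replace

IDLE_SECONDS = 900   # mirrors idle=900 in the racluster.conf quoted above


@dataclass
class Flow:
    """One flow record as radium would hand it on. Field names are this
    example's own, loosely following the ra* column names."""
    saddr: str
    sport: int
    daddr: str
    dport: int
    proto: str
    stime: float   # first seen, epoch seconds
    ltime: float   # last seen, epoch seconds
    pkts: int
    bytes: int

    def key(self):
        # model="saddr sport daddr dport proto"
        return (self.saddr, self.sport, self.daddr, self.dport, self.proto)


class IdleCluster:
    """Merge records sharing a key; expire aggregates idle longer than `idle`."""

    def __init__(self, idle=IDLE_SECONDS):
        self.idle = idle
        self.cache = OrderedDict()   # key -> aggregate, least recently active first
        self.out = []                # what would be written to argus.log

    def add(self, rec):
        # Flush trigger: every arriving record advances the clock and lets
        # idle aggregates drain. Without this call the cache only grows.
        self.flush_idle(rec.ltime)
        k = rec.key()
        agg = self.cache.get(k)
        if agg is None:
            self.cache[k] = replace(rec)          # copy, so the input is untouched
        else:
            agg.stime = min(agg.stime, rec.stime)
            agg.ltime = max(agg.ltime, rec.ltime)
            agg.pkts += rec.pkts
            agg.bytes += rec.bytes
            self.cache.move_to_end(k)             # most recently active at the tail

    def flush_idle(self, now):
        """Emit aggregates whose last activity is more than `idle` s before now.
        Returns how many were flushed."""
        flushed = 0
        while self.cache:
            _, agg = next(iter(self.cache.items()))
            if now - agg.ltime <= self.idle:
                break                             # the rest are newer; stop scanning
            self.out.append(self.cache.popitem(last=False)[1])
            flushed += 1
        return flushed

    def close(self):
        """End of input: emit everything still cached."""
        self.out.extend(self.cache.values())
        self.cache.clear()
        return self.out


def demo():
    # Constructed input: three status records of one TCP flow 100 s apart,
    # then an unrelated mDNS record 2000 s later, then end of input.
    recs = [
        Flow("10.0.0.5", 40123, "192.0.2.10", 443, "tcp", 0, 0, 3, 180),
        Flow("10.0.0.5", 40123, "192.0.2.10", 443, "tcp", 100, 100, 10, 9000),
        Flow("10.0.0.5", 40123, "192.0.2.10", 443, "tcp", 200, 200, 4, 240),
        Flow("10.0.0.7", 5353, "224.0.0.251", 5353, "udp", 2200, 2200, 1, 90),
    ]
    c = IdleCluster()
    for r in recs:
        c.add(r)
    flushed_before_close = len(c.out)   # the TCP aggregate expired at t=2200
    return flushed_before_close, c.close()


if __name__ == "__main__":
    n, out = demo()
    print("flushed by idle timer:", n)
    for f in out:
        print(f.key(), f.pkts, f.bytes, f.stime, f.ltime)
```

The flush is driven by record time rather than wall-clock time, so the same code behaves identically on a live stream and on a replayed file; a real tool would additionally flush on a periodic timer so that a quiet input does not hold aggregates forever.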

CS Lee | 4 Jan 04:24

Bytes exchange within endpoints for traffic identification

Hi Carter,

I had a discussion with my colleague about traffic identification by looking at the bytes exchanged between two endpoints, for example:

host A - 80 bytes -> host B
host B - 80 bytes -> host A
host A - 100 bytes -> host B
host B - 120 bytes -> host A
.....

This can be classified as traffic generated by a certain application. As modern applications are not using standard ports (port 80 for web, port 25 for SMTP, and so forth), especially since P2P came into the arsenal, the bytes exchanged in each packet can be used to identify the network traffic type (since argus already has the meter for sbytes and dbytes). We found fl0p, which does this:

http://freshmeat.net/projects/fl0p/

Now the question is, where could we import this capability into argus, if possible, and can you point us to it? Let us know if this is not something feasible to do.

Thanks


--
Best Regards,

CS Lee<geek00L[at]gmail.com>

http://geek00l.blogspot.com
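
A minimal version of the matching CS Lee describes, added here as an example; it is neither fl0p's nor Argus's code, and the signatures and packet traces are constructed for the illustration rather than real application fingerprints. A flow is summarised as the sequence of (direction, payload size) pairs of its first packets that carry payload, and a signature is an ordered list of (direction, size range) steps; port numbers never enter the decision. Note that Argus's `sbytes`/`dbytes` are per-record totals, so building the per-packet sequence needs packet-level input (a pcap) rather than the flow record alone.

```python
# Direction is relative to the flow initiator (host A in the message above):
# '>' = initiator to responder, '<' = responder back to initiator.

# Constructed signatures: one (direction, min_size, max_size) triple per step.
SIGNATURES = {
    "app-x": [(">", 80, 80), ("<", 80, 80), (">", 100, 100), ("<", 110, 130)],
    "app-y": [(">", 1, 40), ("<", 200, 1460), ("<", 200, 1460)],
}


def flow_sequence(packets, initiator, limit=8):
    """Reduce a packet list [(src, dst, payload_len), ...] to the exchange
    pattern of the first `limit` packets that carry payload."""
    seq = []
    for src, dst, n in packets:
        if n == 0:
            continue                      # handshake and pure ACKs carry no signal
        if src == initiator:
            seq.append((">", n))
        elif dst == initiator:
            seq.append(("<", n))
        else:
            raise ValueError(f"packet {src}->{dst} does not belong to this flow")
        if len(seq) == limit:
            break
    return seq


def matches(signature, seq):
    """True when every step of the signature is met, in order, by `seq`."""
    if len(seq) < len(signature):
        return False
    for (want_dir, lo, hi), (got_dir, n) in zip(signature, seq):
        if want_dir != got_dir or not lo <= n <= hi:
            return False
    return True


def classify(seq, signatures=SIGNATURES):
    """Name of the longest (most specific) matching signature, 'unknown' if
    nothing matches, or 'ambiguous:<names>' when equally long signatures tie."""
    hits = [(len(sig), name) for name, sig in signatures.items() if matches(sig, seq)]
    if not hits:
        return "unknown"
    top = max(length for length, _ in hits)
    names = sorted(name for length, name in hits if length == top)
    return names[0] if len(names) == 1 else "ambiguous:" + ",".join(names)


# Constructed packet traces (src, dst, payload bytes). The first reproduces the
# 80/80/100/120 exchange from the message above; the second matches nothing.
A, B = "10.0.0.1", "192.0.2.44"
TRACE_APP_X = [(A, B, 0), (B, A, 0), (A, B, 0),          # TCP handshake, no payload
               (A, B, 80), (B, A, 80), (A, B, 100), (B, A, 120), (A, B, 512)]
TRACE_OTHER = [(A, B, 0), (B, A, 0), (A, B, 300), (B, A, 1460), (B, A, 1460)]

if __name__ == "__main__":
    for name, trace in (("trace 1", TRACE_APP_X), ("trace 2", TRACE_OTHER)):
        seq = flow_sequence(trace, initiator=A)
        print(name, seq, "->", classify(seq))
```

Size ranges rather than exact sizes are what make this usable in practice: the same application varies payload lengths with usernames, option negotiation and MTU, so exact-match signatures of the kind in `app-x` break on the first minor version change.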

Carter Bullard | 4 Jan 06:54

new code on the server, clients-rc.67 and argus

Gentle people,
I have made a large number of bug fixes, some of which are really
significant, in that they fix major instability bugs in argus and the clients.

I have a new argus-3.0.0.tar.gz and argus-clients-3.0.0.rc.67.tar.gz in:

    ftp://qosient.com/dev/argus-3.0

I have fixed many of the issues on the mailing list as well, including:
    802.11 wlan support for argus
    fixed GRE parsing where failure to parse an encapsulation didn't revert to
       the earlier encapsulation for formulating the flow key
    racluster() exiting issues with custom rules
    fix for default printing fields without .rarc file to include sport
    printing the icmp id field in icmp flows
    fixed ratop() thread issues
    fixed reliable connection problems with ra* clients
    possible fix for racluster() core dumps

I have not fixed errors in printing country codes yet, still waiting for
test data.

Hope all is most excellent, and thanks for all the effort!!!!

Carter
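
The GRE item in the list above (revert to the earlier encapsulation for the flow key when the inner header cannot be parsed) is the behaviour this added Python example models; it is not Argus's parser, and the addresses, ports and packet builders are this example's own. It hand-assembles an IPv4/GRE/IPv4/TCP packet, derives the flow key from the innermost layer that parses, and for a truncated GRE payload keys the flow on the outer IPv4 header with protocol 47 instead of producing no flow at all, which is the "GRE traffic missing" symptom from the earlier thread.

```python
import socket
import struct

IPPROTO_GRE = 47
ETHERTYPE_IPV4 = 0x0800


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left at zero (constructed packet)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def gre_header(proto_type=ETHERTYPE_IPV4, key=None):
    """GRE (RFC 2784/2890) header, optionally carrying a Key field."""
    flags = 0x2000 if key is not None else 0
    hdr = struct.pack("!HH", flags, proto_type)
    if key is not None:
        hdr += struct.pack("!I", key)
    return hdr


def tcp_header(sport, dport):
    """Bare 20-byte TCP SYN header, enough to carry the ports."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


def parse_ipv4(buf):
    """Return (src, dst, proto, payload) or None when the header is not intact."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        return None
    ihl = (buf[0] & 0x0F) * 4
    if ihl < 20 or len(buf) < ihl:
        return None
    total = struct.unpack("!H", buf[2:4])[0]
    end = total if ihl <= total <= len(buf) else len(buf)
    return (socket.inet_ntoa(buf[12:16]), socket.inet_ntoa(buf[16:20]),
            buf[9], buf[ihl:end])


def parse_gre(buf):
    """Return (protocol_type, payload) or None; skips optional C/K/S fields."""
    if len(buf) < 4:
        return None
    flags, ptype = struct.unpack("!HH", buf[:4])
    off = 4
    off += 4 if flags & 0x8000 else 0   # checksum + reserved1
    off += 4 if flags & 0x2000 else 0   # key
    off += 4 if flags & 0x1000 else 0   # sequence number
    if len(buf) < off:
        return None
    return ptype, buf[off:]


def ports(proto, payload):
    if proto in (6, 17) and len(payload) >= 4:
        return struct.unpack("!HH", payload[:4])
    return (0, 0)


def flow_key(packet):
    """Walk down IPv4/GRE encapsulations and key the flow on the innermost layer
    that parses. If an inner layer fails to parse, the key from the last good
    layer is kept (outer src/dst with proto 47), so the flow is still recorded."""
    key, buf = None, packet
    while True:
        ip = parse_ipv4(buf)
        if ip is None:
            break                                   # keep the previous layer's key
        src, dst, proto, payload = ip
        key = (src, dst, proto) + ports(proto, payload)
        if proto != IPPROTO_GRE:
            break
        gre = parse_gre(payload)
        if gre is None or gre[0] != ETHERTYPE_IPV4:
            break                                   # unparsable or non-IP payload
        buf = gre[1]
    return key


def build_packet(truncate_inner_to=None, key=None):
    """Constructed IPv4/GRE/IPv4/TCP packet; optionally cut the inner packet short."""
    inner = ipv4_header("10.1.1.1", "10.2.2.2", 6, 20) + tcp_header(40000, 22)
    if truncate_inner_to is not None:
        inner = inner[:truncate_inner_to]
    gre = gre_header(key=key) + inner
    return ipv4_header("198.51.100.1", "203.0.113.9", IPPROTO_GRE, len(gre)) + gre


if __name__ == "__main__":
    print("intact   :", flow_key(build_packet()))
    print("truncated:", flow_key(build_packet(truncate_inner_to=8)))
```

The point of the fallback is that a sensor which drops the packet on an inner parse failure silently loses exactly the traffic a short snaplen or an unusual GRE option set affects; keying on the tunnel endpoints at least keeps the flow visible.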

Carter Bullard | 4 Jan 18:37

Re: Printing Country Codes

Hey Pablo,
Here is a fix for our country code printing problem.  I suspect that you're
on a modern 64-bit machine (or 64-bit capable), as I saw this on my
Intel Duo Core whatever Linux RedHat machine.  Seems that there
is a really bizarre compiler bug dealing with bit shifting operators and
32-bit values, at least that's what it looks like to me.

Didn't see this problem on my G5 or earlier Intel machines.

Replace the ./common/argus_client.c file with the one included in
this email, recompile and give it a try.  Lots of changes, and didn't
know if you were comfortable with patch.1.

If it's cool I'll put it up on the server today.

Carter

Attachment (argus_client.c): application/octet-stream, 447 KiB

>>
>> On Dec 29, 2007, at 1:04 PM, Pablo.Rebollo <at> ece.uprm.edu wrote:
>>> Hi,
>>>
>>> I was testing the country codes feature and found that it isn't working properly.
>>> Here is an example:
>>>
>>> root <at> nsm:~# ralabel -n -S localhost -T 1 -s sco dco saddr sport daddr dport - udp and port domain
>>> sCo dCo            SrcAddr  Sport            DstAddr  Dport
>>> EU  EU    136.145.115.194.48782        136.145.57.3.53
>>> EU  SE       136.145.57.3.35421      194.146.106.42.53
>>> EU           136.145.57.3.35421          137.39.1.3.53
>>> EU  PT       136.145.57.3.35421        193.136.7.17.53
>>> EU  NL       136.145.57.3.35421      193.239.90.130.53
>>> EU  RU       136.145.57.3.35421         194.67.57.4.53
>>> EU           136.145.57.3.35421      63.209.144.178.53
>>> FR  EU     193.252.149.16.32780        136.145.57.3.53
>>>    EU      216.40.221.10.1029         136.145.58.3.53
>>> ...
>>> ...
>>>
>>> I found the following:
>>>
>>> 1) Network 136.145.0.0/16 has been associated to EU and not to PR.
>>> 2) Network 137.39.0.0/16 hasn't been associated to US.
>>> 3) Network 63.208.0.0/13 hasn't been associated to US.
>>> 4) Network 216.40.192.0/18 hasn't been associated to US.
>>>
>>> I ran ragetcountrycodes.sh to generate a new delegated-ipv4-latest file
>>> and got the same results.
>>>
>>> Best regards,
>>>
>>> Pablo J. Rebollo
>>>
>>> ----
>>> From delegated-ipv4-latest:
>>> delegated-arin-latest:arin|PR|ipv4|136.145.0.0|65536|19890829|assigned
>>> delegated-arin-latest:arin|US|ipv4|137.39.0.0|65536|19891025|assigned
>>> delegated-arin-latest:arin|US|ipv4|63.208.0.0|524288|19990528|allocated
>>> delegated-arin-latest:arin|US|ipv4|216.40.192.0|16384|20001005|allocated
>>>
>>>
>
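
Pablo's report quotes the delegated-ipv4 records that should have produced PR and US. As an added example that is not Argus's ralabel code, here is a Python parser for that registry format (`registry|cc|type|start|value|date|status`) with an address lookup; the four ARIN records are the ones from the report, and the comment and summary lines, the `CountryTable`, `label` and `cidr_of` names and the test addresses are this example's own. For IPv4 the `value` field is an address count, which is where the /16, /13 and /18 prefixes Pablo mentions come from. Carter's diagnosis points at 32-bit shift arithmetic; in C, shifting a 32-bit value by 32 or more (which a prefix-to-mask conversion does for a /0) is undefined behaviour, so a lookup that compares integer range bounds, as below, sidesteps that class of error.

```python
import bisect
import ipaddress

# Excerpt in delegated-ipv4 format (registry|cc|type|start|value|date|status).
# The four 'arin' records are the ones quoted in the report; the comment and
# summary lines are constructed to show what the parser must skip.
DELEGATED_IPV4 = """\
# delegated-ipv4-latest, constructed excerpt for this example
arin|*|ipv4|*|4|summary
arin|PR|ipv4|136.145.0.0|65536|19890829|assigned
arin|US|ipv4|137.39.0.0|65536|19891025|assigned
arin|US|ipv4|63.208.0.0|524288|19990528|allocated
arin|US|ipv4|216.40.192.0|16384|20001005|allocated
"""


class CountryTable:
    """Country-code lookup built from delegated-*-latest style records."""

    def __init__(self, text):
        ranges = []
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            f = line.split("|")
            if len(f) < 7 or f[2] != "ipv4":
                continue                       # version/summary lines, ipv6, asn
            cc, start, value, status = f[1], f[3], f[4], f[6]
            if status not in ("assigned", "allocated"):
                continue                       # 'reserved'/'available' blocks
            first = int(ipaddress.IPv4Address(start))
            ranges.append((first, first + int(value) - 1, cc))   # inclusive end
        ranges.sort()
        self.ranges = ranges
        self.starts = [r[0] for r in ranges]

    def lookup(self, addr):
        """Country code of the range containing addr, or None if uncovered."""
        a = int(ipaddress.IPv4Address(addr))
        i = bisect.bisect_right(self.starts, a) - 1
        if i >= 0:
            first, last, cc = self.ranges[i]
            if first <= a <= last:
                return cc
        return None


def cidr_of(start, value):
    """Render a delegated record as CIDR; 'value' is an address count for IPv4."""
    n = int(value)
    if n <= 0 or n & (n - 1):
        raise ValueError(f"{value} addresses is not a power of two")
    return f"{start}/{33 - n.bit_length()}"


def label(table, saddr, daddr):
    """The sCo/dCo pair ralabel prints for one flow."""
    return table.lookup(saddr), table.lookup(daddr)


if __name__ == "__main__":
    t = CountryTable(DELEGATED_IPV4)
    # Source/destination pairs taken from the ralabel output in the report.
    for s, d in [("136.145.115.194", "136.145.57.3"), ("136.145.57.3", "137.39.1.3"),
                 ("136.145.57.3", "63.209.144.178"), ("216.40.221.10", "136.145.58.3")]:
        print(label(t, s, d), s, d)
    print(cidr_of("63.208.0.0", "524288"))
```

Delegated records are not guaranteed to be power-of-two sized, so `cidr_of` refuses rather than silently rounding; a table built for prefix matching has to split such records into several prefixes, whereas the range comparison in `lookup` handles any size as-is. Addresses outside every loaded range come back as None, which is why regenerating the file with all five registries matters before judging a blank column.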


Re: Printing Country Codes

Carter,

Now Argus is able to associate networks correctly.  I'm using an old 
Dell Precision 360 with a P4 3.2 GHz for testing.  I will perform more 
tests over the weekend.

Best regards,

Pablo J. Rebollo

Carter Bullard wrote:
> Hey Pablo,
> Here is a fix for our country code printing problem.  I suspect that you're
> on a modern 64-bit machine (or 64-bit capable), as I saw this on my
> Intel Duo Core whatever Linux RedHat machine.   Seems that there
> is a really bizarre compiler bug dealing with bit shifting operators and
> 32-bit values, at least that's what it looks like to me.
> 
> Didn't see this problem on my G5 or earlier Intel machines.
> 
> Replace the ./common/argus_client.c file with the one included in
> this email, recompile and give it a try.   Lots of changes, and didn't
> know if you were comfortable with patch.1.
> 
> If it's cool I'll put it up on the server today.
> 
> Carter
> 
> 
> 
> 
> 
>>>
>>> On Dec 29, 2007, at 1:04 PM, Pablo.Rebollo <at> ece.uprm.edu wrote:
>>>> Hi,
>>>>
>>>> I was testing the country codes feature and found that it isn't working properly.
>>>> Here is an example:
>>>>
>>>> root <at> nsm:~# ralabel -n -S localhost -T 1 -s sco dco saddr sport daddr dport - udp and port domain
>>>> sCo dCo            SrcAddr  Sport            DstAddr  Dport
>>>> EU  EU    136.145.115.194.48782        136.145.57.3.53
>>>> EU  SE       136.145.57.3.35421      194.146.106.42.53
>>>> EU           136.145.57.3.35421          137.39.1.3.53
>>>> EU  PT       136.145.57.3.35421        193.136.7.17.53
>>>> EU  NL       136.145.57.3.35421      193.239.90.130.53
>>>> EU  RU       136.145.57.3.35421         194.67.57.4.53
>>>> EU           136.145.57.3.35421      63.209.144.178.53
>>>> FR  EU     193.252.149.16.32780        136.145.57.3.53
>>>>    EU      216.40.221.10.1029         136.145.58.3.53
>>>> ...
>>>> ...
>>>>
>>>> I found the following:
>>>>
>>>> 1) Network 136.145.0.0/16 has been associated to EU and not to PR.
>>>> 2) Network 137.39.0.0/16 hasn't been associated to US.
>>>> 3) Network 63.208.0.0/13 hasn't been associated to US.
>>>> 4) Network 216.40.192.0/18 hasn't been associated to US.
>>>>
>>>> I ran ragetcountrycodes.sh to generate a new delegated-ipv4-latest file
>>>> and got the same results.
>>>>
>>>> Best regards,
>>>>
>>>> Pablo J. Rebollo
>>>>
>>>> ----
>>>> From delegated-ipv4-latest:
>>>> delegated-arin-latest:arin|PR|ipv4|136.145.0.0|65536|19890829|assigned
>>>> delegated-arin-latest:arin|US|ipv4|137.39.0.0|65536|19891025|assigned
>>>> delegated-arin-latest:arin|US|ipv4|63.208.0.0|524288|19990528|allocated
>>>> delegated-arin-latest:arin|US|ipv4|216.40.192.0|16384|20001005|allocated 
>>>>
>>>>
>>>>
>>

Pablo J. Rebollo | 5 Jan 04:09

Re: Printing Country Codes

Carter,

With the provided patch ra is printing country codes correctly.  Ralabel 
is giving odd results when using "-nnn". 

ralabel -r mydump.argus -s +sco +dco

     http://ece.uprm.edu/~pablor/ralabel.out

ralabel -nnnr mydump.argus -s +sco +dco

     http://ece.uprm.edu/~pablor/ralabel-nnn.out

Files differ on lines 16, 20, 27, and 28.

Ratop isn't categorizing IPs properly.

     http://ece.uprm.edu/~pablor/ratop.out

I got the same results by compiling argus clients on Ubuntu, OpenBSD, 
and Solaris.  I'm using the following example dump file.

     http://ece.uprm.edu/~pablor/country_codes_test.tar.gz

Best regards,

Pablo J. Rebollo

Pablo J. Rebollo-Sosa wrote:
> Carter,
>
> Now Argus is able to associate networks correctly.  I'm using an old 
> Dell Precision 360 with a P4 3.2 GHz for testing.  I will perform more 
> tests over the weekend.
>
> Best regards,
>
> Pablo J. Rebollo
>
> Carter Bullard wrote:
>> Hey Pablo,
>> Here is a fix for our country code printing problem.  I suspect that you're
>> on a modern 64-bit machine (or 64-bit capable), as I saw this on my
>> Intel Duo Core whatever Linux RedHat machine.   Seems that there
>> is a really bizarre compiler bug dealing with bit shifting operators and
>> 32-bit values, at least that's what it looks like to me.
>>
>> Didn't see this problem on my G5 or earlier Intel machines.
>>
>> Replace the ./common/argus_client.c file with the one included in
>> this email, recompile and give it a try.   Lots of changes, and didn't
>> know if you were comfortable with patch.1.
>>
>> If it's cool I'll put it up on the server today.
>>
>> Carter
>>
>>
>>
>>
>>
>>>>
>>>> On Dec 29, 2007, at 1:04 PM, Pablo.Rebollo <at> ece.uprm.edu wrote:
>>>>> Hi,
>>>>>
>>>>> I was testing the country codes feature and found that it isn't working properly.
>>>>> Here is an example:
>>>>>
>>>>> root <at> nsm:~# ralabel -n -S localhost -T 1 -s sco dco saddr sport daddr dport - udp and port domain
>>>>> sCo dCo            SrcAddr  Sport            DstAddr  Dport
>>>>> EU  EU    136.145.115.194.48782        136.145.57.3.53
>>>>> EU  SE       136.145.57.3.35421      194.146.106.42.53
>>>>> EU           136.145.57.3.35421          137.39.1.3.53
>>>>> EU  PT       136.145.57.3.35421        193.136.7.17.53
>>>>> EU  NL       136.145.57.3.35421      193.239.90.130.53
>>>>> EU  RU       136.145.57.3.35421         194.67.57.4.53
>>>>> EU           136.145.57.3.35421      63.209.144.178.53
>>>>> FR  EU     193.252.149.16.32780        136.145.57.3.53
>>>>>    EU      216.40.221.10.1029         136.145.58.3.53
>>>>> ...
>>>>> ...
>>>>>
>>>>> I found the following:
>>>>>
>>>>> 1) Network 136.145.0.0/16 has been associated to EU and not to PR.
>>>>> 2) Network 137.39.0.0/16 hasn't been associated to US.
>>>>> 3) Network 63.208.0.0/13 hasn't been associated to US.
>>>>> 4) Network 216.40.192.0/18 hasn't been associated to US.
>>>>>
>>>>> I ran ragetcountrycodes.sh to generate a new delegated-ipv4-latest file
>>>>> and got the same results.
>>>>>
>>>>> Best regards,
>>>>>
>>>>> Pablo J. Rebollo
>>>>>
>>>>> ----
>>>>> From delegated-ipv4-latest:
>>>>> delegated-arin-latest:arin|PR|ipv4|136.145.0.0|65536|19890829|assigned
>>>>> delegated-arin-latest:arin|US|ipv4|137.39.0.0|65536|19891025|assigned
>>>>> delegated-arin-latest:arin|US|ipv4|63.208.0.0|524288|19990528|allocated
>>>>> delegated-arin-latest:arin|US|ipv4|216.40.192.0|16384|20001005|allocated
>>>>>
>>>>>
>>>

Lei Wei | 5 Jan 21:37

Argus with DAG card

Hello,

I have some trouble trying to get argus working with a DAG card. I 
installed a DAG-enabled libpcap0.9.7 and argus-3.0.0. Argus works fine 
with a standard interface. But when I specified the DAG interface by the 
command "argus -i dag0 -w output.out" it just exited and did nothing. 
Tcpdump seemed to work fine with the DAG: "tcpdump -i dag0" would show 
packet info on the screen with no problem.

It seems to me that since the DAG card is not a standard interface, argus 
doesn't recognize it, but I don't know how to configure argus to accept 
it. Could anyone give me some help on this?

Thank you.

Lei

Carter Bullard | 6 Jan 22:40

Re: Printing Country Codes

Hey Pablo,
I have made some changes that should fix these problems.
I've uploaded the new client code, but I didn't change the version
number yet, so if you would get the current rc.67 client distribution
and see if it does the right thing?

Thanks for all the help!!!!!!

Carter

On Jan 4, 2008, at 10:09 PM, Pablo J. Rebollo wrote:

> Carter,
>
> With the provided patch ra is printing country codes correctly.   
> Ralabel is giving odd results when using "-nnn".
> ralabel -r mydump.argus -s +sco +dco
>
>    http://ece.uprm.edu/~pablor/ralabel.out
>
> ralabel -nnnr mydump.argus -s +sco +dco
>
>    http://ece.uprm.edu/~pablor/ralabel-nnn.out
>
> Files differ on lines 16, 20, 27, and 28.
>
> Ratop isn't categorizing IPs properly.
>
>    http://ece.uprm.edu/~pablor/ratop.out
>
> I got the same results by compiling argus clients on Ubuntu,  
> OpenBSD, and Solaris.  I'm using the following example dump file.
>
>    http://ece.uprm.edu/~pablor/country_codes_test.tar.gz
>
> Best regards,
>
> Pablo J. Rebollo
>
>
> Pablo J. Rebollo-Sosa wrote:
>> Carter,
>>
>> Now Argus is able to associate networks correctly.  I'm using an
>> old Dell Precision 360 with a P4 3.2 GHz for testing.  I will
>> perform more tests over the weekend.
>>
>> Best regards,
>>
>> Pablo J. Rebollo
>>
>> Carter Bullard wrote:
>>> Hey Pablo,
>>> Here is a fix for our country code printing problem.  I suspect that you're
>>> on a modern 64-bit machine (or 64-bit capable), as I saw this on my
>>> Intel Duo Core whatever Linux RedHat machine.   Seems that there
>>> is a really bizarre compiler bug dealing with bit shifting operators and
>>> 32-bit values, at least that's what it looks like to me.
>>>
>>> Didn't see this problem on my G5 or earlier Intel machines.
>>>
>>> Replace the ./common/argus_client.c file with the one included in
>>> this email, recompile and give it a try.  Lots of changes, and didn't
>>> know if you were comfortable with patch.1.
>>>
>>> If it's cool I'll put it up on the server today.
>>>
>>> Carter
>>>
>>>
>>>
>>>
>>>
>>>>>
>>>>> On Dec 29, 2007, at 1:04 PM, Pablo.Rebollo <at> ece.uprm.edu wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I was testing the country codes feature and found that it isn't working properly.
>>>>>> Here is an example:
>>>>>>
>>>>>> root <at> nsm:~# ralabel -n -S localhost -T 1 -s sco dco saddr sport daddr dport - udp and port domain
>>>>>> sCo dCo            SrcAddr  Sport            DstAddr  Dport
>>>>>> EU  EU    136.145.115.194.48782        136.145.57.3.53
>>>>>> EU  SE       136.145.57.3.35421      194.146.106.42.53
>>>>>> EU           136.145.57.3.35421          137.39.1.3.53
>>>>>> EU  PT       136.145.57.3.35421        193.136.7.17.53
>>>>>> EU  NL       136.145.57.3.35421      193.239.90.130.53
>>>>>> EU  RU       136.145.57.3.35421         194.67.57.4.53
>>>>>> EU           136.145.57.3.35421      63.209.144.178.53
>>>>>> FR  EU     193.252.149.16.32780        136.145.57.3.53
>>>>>>   EU      216.40.221.10.1029         136.145.58.3.53
>>>>>> ...
>>>>>> ...
>>>>>>
>>>>>> I found the following:
>>>>>>
>>>>>> 1) Network 136.145.0.0/16 has been associated to EU and not to PR.
>>>>>> 2) Network 137.39.0.0/16 hasn't been associated to US.
>>>>>> 3) Network 63.208.0.0/13 hasn't been associated to US.
>>>>>> 4) Network 216.40.192.0/18 hasn't been associated to US.
>>>>>>
>>>>>> I ran ragetcountrycodes.sh to generate a new delegated-ipv4-latest file
>>>>>> and got the same results.
>>>>>>
>>>>>> Best regards,
>>>>>>
>>>>>> Pablo J. Rebollo
>>>>>>
>>>>>> ----
>>>>>> From delegated-ipv4-latest:
>>>>>> delegated-arin-latest:arin|PR|ipv4|136.145.0.0|65536|19890829|assigned
>>>>>> delegated-arin-latest:arin|US|ipv4|137.39.0.0|65536|19891025|assigned
>>>>>> delegated-arin-latest:arin|US|ipv4|63.208.0.0|524288|19990528|allocated
>>>>>> delegated-arin-latest:arin|US|ipv4|216.40.192.0|16384|20001005|allocated
>>>>>>
>>>>>>
>>>>
>
>

Carter Bullard | 8 Jan 01:40

Re: question on getting argus work with DAG card

Try running argus with debug support on to see what it is doing with the
dag interface.

    % touch .devel .debug
    % ./configure;make clean;make

You should be looking at the ./configure output to see
which libpcap library is actually being used.  No guarantee that the
compiler is picking up the version that you installed.  There are
switches in the ./configure to specify what the search path
will be to find things.

Carter

On Jan 7, 2008, at 5:43 PM, Lei Wei wrote:

> Hello Carter,
>
> I've had some trouble getting argus working with a DAG card for a while
> and I wonder if you could give me some help.
>
> I installed libpcap 0.9.8 and compiled it with DAG support enabled. I
> tested it with tcpdump and tcpdump could read data from the DAG
> interface without problem. I also installed argus 3.0. After I typed
> "argus -i dag0 -w data", it outputs a 128-byte file that does not grow.
> When I use "ra -r data" to display it, it shows:
>
> lwei <at> mexico$ ra -r data.out
>    16:11:13.117278    man   0      0      19      1        0     856992   CON
>
> I guess argus didn't get any data from the DAG interface but I can't  
> figure out why. So I'd appreciate if you could give me any helpful  
> info about it.
>
> Thank you.
>
> Lei
>

