[flow-tools] some bugs in flow-tools-0.58

Mark Fullmer maf@eng.oar.net
Sat, 15 Jun 2002 16:48:33 -0400 

This will fix the src/dst addr reversal problem.  It may fix the ip-address
filter-primitive (there was a bzero() fed the wrong size).

The start time filter looks okay.  What's probably happening is you're
using relative time values.

filter-primitive shift
  type time
  permit gt 1:00
  permit lt 2:00

filter-definition test1
  match start-time shift

For example

% flow-cat <yesterday's flows> | flow-filter -Ftest1 | flow-print

gt 1:00 is really "Greater than 1:00 today" - fail
lt 2:00 is really "Less than 2:00 today" - pass

The primitive permit lines are OR'd so the primitive will pass.

Rewriting this as

filter-primitive shift1
  type time
  permit gt 1:00

filter-primitive shift2
  type time
  permit lt 2:00

filter-definition test1
  match start-time shift1
  match start-time shift2

will generate correct results -- no flows.  Using absolute time values
produces expected results.

If this still core dumps can you send me a backtrace.

Index: ftfil.c
===================================================================
RCS file: /usr/home/djnz-cvsroot/flow-tools/lib/ftfil.c,v
retrieving revision 1.2
diff -r1.2 ftfil.c
1810c1810
<   dst_ip_addr = ((u_int32*)(rec+fo->srcaddr));
---
>   dst_ip_addr = ((u_int32*)(rec+fo->dstaddr));
2036c2036
<   bzero(ftfil, sizeof (struct ftfil));
---
>   bzero(ftfil, sizeof *ftfil);
2417c2417
<   bzero(ftfd, sizeof (struct ftfil_primitive));
---
>   bzero(ftfd, sizeof *ftfd);
3649c3649
<   bzero(ftfp, sizeof (struct ftfil_primitive));
---
>   bzero(ftfp, sizeof *ftfp);


On Fri, Jun 14, 2002 at 02:20:33PM +0800, Horatio B. Bogbindero wrote:
> 
> 
> i did some tests on flow-tools-0.58. basically, what i did was compare 
> the results of the regular flow-filter, flow-cidr (Inter.netPH) with flow-nfilter.
> 
> -flow-tags documentation says tag symbols are in /var/ft/sym/tags (0.57
> location) but the file is now /var/ft/sym/tag (0.58 location)
> -using the filter-primitive ip-address causes flow-nfilter to core dump
> -"match dst-ip-addr" yields the same results as "match src-ip-addr". i
> did a quick check on the lib/ftfil.c source but have not traced the problem
> yet.
> -the time field using:
> 
> filter-primitive shift
>   type time
>   permit gt 1:00
>   permit lt 2:00
> 
> yields the same result as:
> 
> filter-primitive shift
>   type time
>   permit gt 1:00
>   permit lt 23:00
> 
> based on my data this should not be the case. the result is the same as if 
> there was no time filter at all. i used flow-stat to compare the byte counts.
> 
> fyi.
> 
> 
> -------------------------------------------
> William Emmanuel S. Yu
> Ateneo Campus Network Group (AteneoCNG)
> email  :  wyu at ateneo dot edu
> web    :  http://CNG.ateneo.net/wyu/
> phone  :  +63(2)4266001-4186
> GPG    :  http://CNG.ateneo.net/wyu/wyy.pgp
> 
> 
> _______________________________________________
> flow-tools@splintered.net
> http://www.splintered.net/sw/flow-tools