[maf@eng.oar.net: Re: [flow-tools] some bugs in flow-tools-0.58]
Horatio B. Bogbindero
wyy@admu.edu.ph
Mon, 17 Jun 2002 09:51:36 +0800
>
> This will fix the src/dst addr reversal problem. It may fix the ip-address
> filter-primitive (there was a bzero() fed the wrong size).
>
The patch fixed the dst/src problem. However, it did not fix the segmentation
fault problem. Pardon my ignorance, but how do I get a backtrace in C? Java
automagically traces. hehehe.
Although, attached is the last thing I saw when running gdb. It is not much,
but at least we can see where it did a segmentation fault. Although, the queer
thing is that there was no core dump.
> The start time filter looks okay. What's probably happening is you're
> using relative time values.
>
> filter-primitive shift
> type time
> permit gt 1:00
> permit lt 2:00
>
> filter-definition test1
> match start-time shift
>
> For example
>
> % flow-cat <yesterday's flows> | flow-filter -Ftest1 | flow-print
>
> gt 1:00 is really "Greater than 1:00 today" - fail
> lt 2:00 is really "Less than 2:00 today" - pass
>
> The primitive permit lines are OR'd so the primitive will pass.
>
> Rewriting this as
>
> filter-primitive shift1
> type time
> permit gt 1:00
>
> filter-primitive shift2
> type time
> permit lt 2:00
>
> filter-definition test1
> match start-time shift1
> match start-time shift2
>
> will generate correct results -- no flows. Using absolute time values
> produces expected results.
>
Cripes! So that is what it does. How do I get all flows from 1:00 - 4:00
on all the flows? I need this for our billing system that divides usage by
shifts. That particular 1:00-4:00am is cheap time. However, is it possible
to change that "1:00 today" to "1:00 any day"?
BTW, I tested the other options (port, IPs, etc.) already except the
AS-related ones since my test router here does not have a BGP table. But I
suppose those work already.
Thanks and keep up the good work!
> If this still core dumps can you send me a backtrace.
>
> Index: ftfil.c
> ===================================================================
> RCS file: /usr/home/djnz-cvsroot/flow-tools/lib/ftfil.c,v
> retrieving revision 1.2
> diff -r1.2 ftfil.c
> 1810c1810
> < dst_ip_addr = ((u_int32*)(rec+fo->srcaddr));
> ---
> > dst_ip_addr = ((u_int32*)(rec+fo->dstaddr));
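Review bot: the corrected line at 1810 reads the destination address from fo->dstaddr instead of fo->srcaddr, which is what the variable name dst_ip_addr requires and explains why "match dst-ip-addr" and "match src-ip-addr" returned identical results in the original report; a regression test that runs both matches against a flow file whose source and destination addresses differ, and checks that the two outputs differ, would catch a reappearance of this copy-paste slip.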
> 2036c2036
> < bzero(ftfil, sizeof (struct ftfil));
> ---
> > bzero(ftfil, sizeof *ftfil);
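Review bot: at 2036 the old and new expressions give the same size as long as ftfil really is a struct ftfil *, so this hunk is a style change rather than a fix; that is fine, since sizeof *ftfil keeps the cleared size tied to the pointer's own type if the struct is ever renamed, but the commit message should say which of the three bzero() changes corrects the wrong size mentioned in the cover note.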
> 2417c2417
> < bzero(ftfd, sizeof (struct ftfil_primitive));
> ---
> > bzero(ftfd, sizeof *ftfd);
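Review bot: 2417 looks like the actual wrong-size fix: the object is named ftfd but the old call cleared sizeof (struct ftfil_primitive), so unless ftfd happens to be a struct ftfil_primitive * the bzero() either left part of the object uninitialised or wrote past its end, and the latter would be consistent with the core dump reported for the ip-address primitive; sizeof *ftfd removes the mismatch, and it is worth confirming from ftfd's declared type that the two sizes really differed, so the crash is understood rather than just made to disappear.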
> 3649c3649
> < bzero(ftfp, sizeof (struct ftfil_primitive));
> ---
> > bzero(ftfp, sizeof *ftfp);
>
>
> On Fri, Jun 14, 2002 at 02:20:33PM +0800, Horatio B. Bogbindero wrote:
> >
> >
> > i did some tests on flow-tools-0.58. basically, what i did was compare
> > the results of the regular flow-filter, flow-cidr (Inter.netPH) with
> > flow-nfilter.
> >
> > -flow-tags documentation says tag symbols are in /var/ft/sym/tags (0.57
> > location) but the file is now /var/ft/sym/tag (0.58 location)
> > -using the filter-primitive ip-address causes flow-nfilter to core dump
> > -"match dst-ip-addr" yields the same results as "match src-ip-addr". i
> > did a quick check on the lib/ftfil.c source but have not traced the
> > problem yet.
> > -the time field using:
> >
> > filter-primitive shift
> > type time
> > permit gt 1:00
> > permit lt 2:00
> >
> > yields the same result as:
> >
> > filter-primitive shift
> > type time
> > permit gt 1:00
> > permit lt 23:00
> >
> > based on my data this should not be the case. the result is the same as
> > if there was no time filter at all. i used flow-stat to compare the byte
> > counts.
> >
> > fyi.
> >
-------------------------------------------
William Emmanuel S. Yu
Ateneo Campus Network Group (AteneoCNG)
email : wyu at ateneo dot edu
web : http://CNG.ateneo.net/wyu/
phone : +63(2)4266001-4186
GPG : http://CNG.ateneo.net/wyu/wyy.pgp
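As an added example (not flow-tools code and not part of the original thread), the following Python script models the flow-nfilter time-primitive semantics described in the quoted reply: permit lines inside one filter-primitive are OR'd, match lines inside a filter-definition are AND'd, and a bare HH:MM is resolved as that clock time today. It runs the two configurations from the thread against a constructed set of yesterday's flow start times, and adds a clock-time-of-day comparison (an assumption here, not a documented flow-nfilter feature) to show what the 1:00-4:00 shift filter the reply asks for would have to compute.

```python
"""Toy evaluator for the flow-nfilter time-primitive semantics described in
the thread. This is an added illustration, not flow-tools source code."""
from datetime import datetime

# Fixed "today" so the example is deterministic (constructed value).
TODAY = datetime(2002, 6, 17)

# Constructed sample: start times of yesterday's flows.
FLOW_STARTS = [
    datetime(2002, 6, 16, 0, 30),
    datetime(2002, 6, 16, 1, 30),
    datetime(2002, 6, 16, 3, 0),
    datetime(2002, 6, 16, 12, 0),
]

# The filter-primitive configs from the thread, as (op, "H:MM") permit lists.
SHIFT = [("gt", "1:00"), ("lt", "2:00")]   # one primitive, two permits (OR'd)
SHIFT1 = [("gt", "1:00")]                   # split into two primitives ...
SHIFT2 = [("lt", "2:00")]                   # ... which the definition AND's


def relative_time(hhmm, today=TODAY):
    """A bare H:MM in a time primitive means that clock time *today*."""
    hour, minute = (int(part) for part in hhmm.split(":"))
    return today.replace(hour=hour, minute=minute)


def primitive_passes(permits, start, today=TODAY):
    """permit lines inside one primitive are OR'd: any match passes the flow."""
    for op, hhmm in permits:
        threshold = relative_time(hhmm, today)
        if op == "gt" and start > threshold:
            return True
        if op == "lt" and start < threshold:
            return True
    return False


def definition_passes(primitives, start, today=TODAY):
    """match lines inside a filter-definition are AND'd: all must pass."""
    return all(primitive_passes(p, start, today) for p in primitives)


def count_passing(primitives, starts=FLOW_STARTS, today=TODAY):
    """How many of the sample flows a definition lets through."""
    return sum(1 for s in starts if definition_passes(primitives, s, today))


def time_of_day_passes(start, begin="1:00", end="4:00"):
    """Assumed alternative (not a flow-nfilter feature): compare only the
    clock time, so the window applies on any day. Half-open [begin, end)."""
    b = datetime.strptime(begin, "%H:%M").time()
    e = datetime.strptime(end, "%H:%M").time()
    return b <= start.time() < e


def count_in_shift(starts=FLOW_STARTS):
    """Sample flows that fall in the 01:00-04:00 clock-time shift on any day."""
    return sum(1 for s in starts if time_of_day_passes(s))


if __name__ == "__main__":
    # Yesterday's flows are all before 1:00 today (gt fails) and before
    # 2:00 today (lt passes), so the OR'd primitive passes everything.
    print("test1, one primitive  :", count_passing([SHIFT]))
    # With the permits split into two AND'd primitives nothing passes.
    print("test1, two primitives :", count_passing([SHIFT1, SHIFT2]))
    # Only a clock-time comparison selects the 01:00-04:00 shift of any day.
    print("clock-time 01:00-04:00:", count_in_shift())
```

Run it as a script to see the three counts; the first two reproduce the "passes everything" and "no flows" outcomes the reply describes for yesterday's data, and the third is what a shift-based billing filter needs, which the relative-time primitives alone cannot express.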