[nycbug-talk] pcs issues

Jesse Callaway bonsaime at gmail.com
Thu Jun 21 19:30:23 EDT 2012


On Jun 21, 2012 5:33 PM, "Mark Saad" <mark.saad at ymail.com> wrote:
>
> On Thu, Jun 21, 2012 at 5:29 PM, Mark Saad <nonesuch at longcount.org> wrote:
> > On Thu, Jun 21, 2012 at 4:10 PM, George Neville-Neil
> > <gnn at neville-neil.com> wrote:
> >>
> >> On Jun 21, 2012, at 15:36 , Nikolai Fetissov wrote:
> >>
> >>>> All
> >>>> I was testing out some of the examples from the pcs talk last month,
> >>>> and I am running into some errors. I wanted to see if anyone could
> >>>> shed some light on this.
> >>>>
> >>>> Here is what I did
> >>>>
> >>>>
> >>>> root at nymirror1:/usr/local/share/examples/pcs # python ddos_analyze.py
> >>>> -f /usr/local/pcap-logs/26-nybweb1.pcap -m 25 -s 255.255.255.0 -n
> >>>> 10.12.13.0
> >>>> Traceback (most recent call last):
> >>>>  File "ddos_analyze.py", line 105, in <module>
> >>>>    main()
> >>>>  File "ddos_analyze.py", line 87, in main
> >>>>    if (ip.src & mask) != network:
> >>>>  File "/usr/local/lib/python2.7/site-packages/pcs/__init__.py", line
> >>>> 1061, in __getattribute__
> >>>>    return object.__getattribute__(self, name)
> >>>> AttributeError: 'arp' object has no attribute 'src'
> >>>>
> >>>>
> >>>> I am using python 2.7.3, I had the same results with 2.6.6, on
> >>>> FreeBSD 9-STABLE amd64.
> >>>>
> >>>>
> >>>> The pcap file was created this way
> >>>>
> >>>> tcpdump -i igb1 -s 1500 -w /usr/local/pcap-logs/26-nybweb1.pcap
> >>>>
> >>>
> >>> Restrict the capture with "proto ip"?
> >>
> >> Yup, that works, or you can hack the code to ignore anything not ip:
> >>
> >> # packet.data is the decoded layer above Ethernet; skip anything
> >> # that is not an IPv4 packet object (ARP, etc.) before touching .src
> >> if type(packet.data) != ipv4:
> >>     continue
> >>
> >> Since these are all objects you can do object type comparisons.
> >>
> >> Best,
> >> George
> >>
> >
> > That worked, George. Also it appears that the script bombs out if you
> > tell it to show you the top N hosts in a pcap if there are only <N
> > hosts in the pcap file.  That was part of my issue.
> >
> >
> >
> >
> > --
> > mark saad | nonesuch at longcount.org

Glad it worked out! Just wanted to put in my favorite snaplen option.
Setting it to -s0 is my favorite both because it's shorter to type and it
grabs the whole frame no matter what.
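The three problems discussed in this thread (a non-IP frame such as ARP reaching code that assumes every packet has an IPv4 layer, a top-N report over a capture with fewer than N hosts, and a snaplen too short to hold the headers) are easy to handle up front. The following is an added example written for this page; it is not ddos_analyze.py or any other code from the pcs examples directory, and it deliberately uses only the Python standard library instead of pcs so it runs anywhere. The pcap bytes are constructed in-line (the MAC addresses, timestamps and the 10.12.13.0/24, 192.0.2.0/24 and 198.51.100.0/24 addresses are made up), and the function names are this example's own:

```python
"""Top-N external IPv4 source addresses in a pcap, skipping non-IP frames
(ARP, IPv6, ...) and truncated records instead of crashing on them.
Standard library only; the sample capture is built in-line below."""
import struct
import ipaddress
from collections import Counter

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETH_HDR_LEN = 14
IPV4_MIN_HDR_LEN = 20


def ethernet_frame(ethertype, payload):
    """Minimal Ethernet II frame with made-up destination/source MACs."""
    return (b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb"
            + struct.pack("!H", ethertype) + payload)


def ipv4_header(src, dst, proto=6):
    """20-byte IPv4 header (checksum left as zero; enough for address parsing)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def arp_request(sender_ip, target_ip):
    """28-byte ARP request for IPv4 over Ethernet (the frame type that broke the script)."""
    return struct.pack("!HHBBH6s4s6s4s", 1, ETHERTYPE_IPV4, 6, 4, 1,
                       b"\x00\x11\x22\x33\x44\x55",
                       ipaddress.IPv4Address(sender_ip).packed,
                       b"\x00" * 6, ipaddress.IPv4Address(target_ip).packed)


def build_pcap(records):
    """Serialize (frame, incl_len) pairs into a little-endian pcap file, linktype 1.
    An incl_len smaller than len(frame) simulates a capture taken with a short snaplen."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, (frame, incl_len) in enumerate(records):
        out.append(struct.pack("<IIII", 1340000000 + i, 0, incl_len, len(frame)))
        out.append(frame[:incl_len])
    return b"".join(out)


def iter_pcap(data):
    """Yield (captured_bytes, original_length) per record; handles both byte orders."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a pcap file (bad magic)")
    if struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("this example only handles Ethernet (linktype 1)")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len], orig_len
        off += incl_len


def ipv4_sources(data):
    """Return (list of source IPv4Address, Counter of skipped-frame reasons).
    Frames are classified by ethertype before any IPv4 field is read, and records
    too short to hold an IPv4 header (short snaplen) are counted, not parsed."""
    sources, skipped = [], Counter()
    for captured, _orig_len in iter_pcap(data):
        if len(captured) < ETH_HDR_LEN:
            skipped["truncated"] += 1
            continue
        if struct.unpack("!H", captured[12:14])[0] != ETHERTYPE_IPV4:
            skipped["non-ip"] += 1
            continue
        if len(captured) < ETH_HDR_LEN + IPV4_MIN_HDR_LEN:
            skipped["truncated"] += 1
            continue
        sources.append(ipaddress.IPv4Address(captured[ETH_HDR_LEN + 12:ETH_HDR_LEN + 16]))
    return sources, skipped


def top_external_sources(data, network, n):
    """Top-n sources outside `network` (e.g. '10.12.13.0/24') as (address, count) pairs,
    plus the skipped Counter. Fewer than n entries come back when the capture has
    fewer distinct external hosts; that is not an error."""
    net = ipaddress.ip_network(network)
    sources, skipped = ipv4_sources(data)
    counts = Counter(str(s) for s in sources if s not in net)   # same test as (src & mask) != network
    return counts.most_common(n), skipped


# Constructed sample capture: one ARP frame, one local source, two external
# sources, and one IPv4 frame cut to 20 bytes by a short snaplen.
SAMPLE_PCAP = build_pcap([
    (ethernet_frame(ETHERTYPE_ARP, arp_request("10.12.13.1", "10.12.13.5")), 42),
    (ethernet_frame(ETHERTYPE_IPV4, ipv4_header("10.12.13.5", "192.0.2.1")), 34),
    (ethernet_frame(ETHERTYPE_IPV4, ipv4_header("192.0.2.1", "10.12.13.5")), 34),
    (ethernet_frame(ETHERTYPE_IPV4, ipv4_header("192.0.2.1", "10.12.13.5")), 34),
    (ethernet_frame(ETHERTYPE_IPV4, ipv4_header("198.51.100.7", "10.12.13.5")), 34),
    (ethernet_frame(ETHERTYPE_IPV4, ipv4_header("192.0.2.1", "10.12.13.5")), 20),
])

if __name__ == "__main__":
    top, skipped = top_external_sources(SAMPLE_PCAP, "10.12.13.0/24", 25)
    for addr, count in top:
        print(f"{count:6d}  {addr}")
    print("skipped:", dict(skipped))
```

Asking for the top 25 of a capture with two external hosts simply returns two rows, and the skipped counter makes a short snaplen visible instead of silently undercounting: a capture that reports many "truncated" records is the case for re-running tcpdump with a larger -s.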