[nycbug-talk] pcs issues

Mark Saad mark.saad at ymail.com
Thu Jun 21 17:32:19 EDT 2012


On Thu, Jun 21, 2012 at 5:29 PM, Mark Saad <nonesuch at longcount.org> wrote:
> On Thu, Jun 21, 2012 at 4:10 PM, George Neville-Neil
> <gnn at neville-neil.com> wrote:
>>
>> On Jun 21, 2012, at 15:36 , Nikolai Fetissov wrote:
>>
>>>> All
>>>> I was testing out some of the examples from the pcs talk last month,
>>>> and I am running into some errors. I wanted to see if anyone could
>>>> shed some light on this.
>>>>
>>>> Here is what I did
>>>>
>>>>
>>>> root at nymirror1:/usr/local/share/examples/pcs # python ddos_analyze.py
>>>> -f /usr/local/pcap-logs/26-nybweb1.pcap -m 25 -s 255.255.255.0 -n
>>>> 10.12.13.0
>>>> Traceback (most recent call last):
>>>>  File "ddos_analyze.py", line 105, in <module>
>>>>    main()
>>>>  File "ddos_analyze.py", line 87, in main
>>>>    if (ip.src & mask) != network:
>>>>  File "/usr/local/lib/python2.7/site-packages/pcs/__init__.py", line
>>>> 1061, in __getattribute__
>>>>    return object.__getattribute__(self, name)
>>>> AttributeError: 'arp' object has no attribute 'src'
>>>>
>>>>
>>>> I am using Python 2.7.3; I had the same results with 2.6.6, on
>>>> FreeBSD 9-STABLE amd64.
>>>>
>>>>
>>>> The pcap file was created this way
>>>>
>>>> tcpdump -i igb1 -s 1500 -w /usr/local/pcap-logs/26-nybweb1.pcap
>>>>
>>>
>>> Restrict the capture with "proto ip"?
>>
>> Yup, that works, or you can hack the code to ignore anything not ip:
>>
>> if type(packet.data) != ipv4:
>>        continue
>>
>> Since these are all objects you can do object type comparisons.
>>
>> Best,
>> George
>>
>
> That worked, George; also it appears that the script bombs out if you
> tell it to show you the top N hosts in a pcap if there are only <N
> hosts in the pcap file.  That was part of my issue.
>
>
>
>
> --
> mark saad | nonesuch at longcount.org



That worked, George; also it appears that the script bombs out if you
tell it to show you the top N hosts in a pcap if there are only <N
hosts in the pcap file.  That was part of my issue.

-- 

Mark Saad | mark.saad at ymail.com
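
Added example, not part of the thread and not the pcs ddos_analyze.py code: a standard-library Python 3 sketch of the two failure modes discussed above, skipping non-IPv4 frames such as ARP and returning fewer than N rows when the capture holds fewer than N hosts. The function names, the constructed sample capture and the choice to count sources outside the given network (taken from the condition in the traceback) are assumptions.

```python
import struct
from collections import Counter
from socket import inet_aton, inet_ntoa

def top_sources(pcap, network, netmask, n):
    """Up to n (source, count) pairs for IPv4 sources outside network/netmask."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic not in (0xA1B2C3D4, 0xD4C3B2A1):
        raise ValueError("not a classic pcap file")
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected Ethernet link type")
    net = struct.unpack("!I", inet_aton(network))[0]
    mask = struct.unpack("!I", inet_aton(netmask))[0]
    counts = Counter()
    offset = 24  # skip the pcap global header
    while offset + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[offset + 8:offset + 12])[0]
        frame = pcap[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        # Skip ARP, IPv6 and short frames instead of assuming every packet has a src
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue
        src = struct.unpack("!I", frame[26:30])[0]
        if (src & mask) != net:  # same test as the line shown in the traceback
            counts[inet_ntoa(frame[26:30])] += 1
    # most_common(n) simply returns fewer rows when fewer than n hosts were seen
    return counts.most_common(n)

def _frame(ethertype, payload):
    # Constructed Ethernet frame: broadcast dst, made-up src MAC
    return b"\xff" * 6 + b"\x02" * 6 + struct.pack("!H", ethertype) + payload

def _ipv4(src):
    # Constructed 20-byte IPv4 header; only the address fields are meaningful
    return b"\x45" + b"\x00" * 11 + inet_aton(src) + inet_aton("10.12.13.5")

def sample_pcap():
    """Constructed capture: one ARP frame and four IPv4 frames."""
    frames = [_frame(0x0806, b"\x00" * 28),            # ARP, must be skipped
              _frame(0x0800, _ipv4("198.51.100.7")),
              _frame(0x0800, _ipv4("198.51.100.7")),
              _frame(0x0800, _ipv4("203.0.113.9")),
              _frame(0x0800, _ipv4("10.12.13.20"))]    # inside network, not counted
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    print(top_sources(sample_pcap(), "10.12.13.0", "255.255.255.0", 10))
```
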



