[00:15:55] <erosen>	 drdee
[00:16:19] <erosen>	 can you help me with a udp-filter q?
[00:18:58] <ori-l>	 erosen: what's the q, on the off-chance that i could help?
[00:19:14] <erosen>	 just trying to get the ip filtering to work
[00:19:20] <erosen>	 but it seems to exit immediately
[00:19:29] <erosen>	 though it seems to be constructing the cidr filter correctly
[00:19:42] <erosen>	 zcat /a/squid/archive/zero/zero-dtac-thailand.log-20120919.gz | udp-filter -i 80.239.242.0/23
[00:20:06] <erosen>	 any ideas?
[00:21:22] <ori-l>	 well, the whole file is around 8 megs
[00:21:38] <ori-l>	 is the client ip the 4th field?
[00:21:45] <erosen>	 interesting
[00:22:39] <ori-l>	 zcat /a/squid/archive/zero/zero-dtac-thailand.log-20120919.gz | awk '{ print $5 }'
[00:22:56] <erosen>	 fifth (1-indexed) i think
[00:23:17] <ori-l>	 right
[00:23:34] <erosen>	 i've got another ip filtering tool which I'll check it with
[00:23:38] <ori-l>	 anyways, zcat /a/squid/archive/zero/zero-dtac-thailand.log-20120919.gz | awk '{ print $5 }' | grep ^80
[00:23:40] <ori-l>	 returns 0 results
[00:23:46] <erosen>	 gotcha
[00:23:46] <ori-l>	 i.e., nothing starting with 80.
[00:24:03] <ori-l>	 so that's why it's exiting immediately -- it's filtering the whole file and finding no results
[00:24:07] <erosen>	 yeah
[00:24:21] <erosen>	 awesome, new puzzle
[00:24:24] <erosen>	 thanks for the help
[00:24:31] <ori-l>	 no problem at all
[00:27:09] <ori-l>	 erosen: 80.239.242.0 seems to be an opera ip range
[00:27:28] <erosen>	 yeah
[00:27:34] <erosen>	 good point
[00:27:36] <erosen>	 I got confused
[00:27:44] <erosen>	 I'm actually attempting to filter out ip ranges
[00:27:45] <ori-l>	 well, opera has some kind of web accelerator proxy
[00:27:59] <erosen>	 corresponding to opera traffic
[00:30:49] <ori-l>	 oh
[00:30:59] <ori-l>	 it doesn't look like udp-filter has reverse-match capabilities
[00:31:09] <ori-l>	 short of just passing it a regex with a negation
[00:32:04] <ori-l>	 but in the course of glancing at the help, i did notice '-v' / '--verbose', which prints debug info, in case its behavior mystifies you in the future
[00:41:03] <erosen>	 ori-l: thanks for the tips. I actually have the set of correct cidr ranges, so I can manage
[00:41:08] <erosen>	 thanks again for looking around
[00:41:42] <ori-l>	 np
[04:32:58] <HaeB>	 hi
[04:33:08] <HaeB>	 is hue.analytics.wikimedia.org a public server?
[04:33:40] <ori-l>	 probably not; why?
[04:33:52] <HaeB>	 diederik sent me a link to a file on it
[04:33:57] <HaeB>	 but it seems to be missing dns entry
[04:34:26] <ori-l>	 what was the link?
[04:34:34] <ori-l>	 if the file isn't private, i could try to retrieve it
[04:34:44] <HaeB>	 http://hue.analytics.wikimedia.org/filebrowser/view/user/diederik/blog/temp_results/part-r-00000?file_filter=any
[04:39:08] <HaeB>	 if you could access it and forward it to tbayer at wikimedia.org, that would be awesome
[04:39:36] <ori-l>	 i'm trying to figure out where that machine is
[04:42:02] <Susan>	 http://analytics1001.wikimedia.org:81/
[04:42:05] <Susan>	 Interesting.
[04:43:12] <ori-l>	 HaeB: i can access it, thanks to Susan's link
[04:43:15] <ori-l>	 hang on
[04:44:36] <ori-l>	 HaeB: it requires authentication
[04:49:09] <HaeB>	 ori-l: hm, i dont think i have any credentials regarding kraken. do you have access ? can i social engineer you into sending me the file? ;)
[04:49:45] <HaeB>	 (that's kind of what diederik told me to do: "Let me know if you have issues in accessing kraken, just poke the team on IRC. " ;)
[04:49:46] <ori-l>	 i may have credentials somewhere, looking
[04:49:50] <HaeB>	 Susan: thanks
[04:49:54] <ori-l>	 i'm not part of the team
[04:50:02] <HaeB>	 i know
[04:50:13] <ori-l>	 the problem is that this is configured like a teeenager's secret treehouse hideout
[04:50:20] <Susan>	 teenager's
[04:50:32] <Susan>	 Also, I don't think teenager's have secret treehouse hideouts.
[04:50:40] * HaeB  chuckles

[04:50:51] <Susan>	 teenagers * D:
[04:50:56] <HaeB>	 consider it an exciting hacking challenge!
[04:51:21] <ori-l>	 HaeB: 0k, g1v3 m3 a f3w m1nut3s
[04:51:28] <ori-l>	 i'll get you your 0-day leakz
[05:01:22] <ori-l>	 HaeB: sent
[05:03:34] <HaeB>	 ori-l: thanks so much!
[05:03:48] <ori-l>	 no problem at all
[05:15:44] <ori-l>	 diederik: what is the thinking, exactly, behind fake URIs like http://hue.analytics.wikimedia.org/?
[05:16:02] <drdee>	 what do you mean fake?
[05:17:00] <ori-l>	 i mean as real as http://cool.awesome.ori.hello.myserver.wikimedia.org/
[05:17:35] <drdee>	 no they do work if you either connected from the wmf office or use the proxy server
[05:17:36] <ori-l>	 host names aren't especially useful if there's no way to resolve them
[05:18:22] <HaeB>	 drdee: ori-l just helped me to retrieve our christmas present from http://hue.analytics.wikimedia.org/filebrowser/view/user/diederik/blog/temp_results/part-r-00000?file_filter=any
[05:18:26] <ori-l>	 [vanadium:~]$ ping hue
[05:18:27] <ori-l>	 ping: unknown host hue
[05:18:27] <ori-l>	 [vanadium:~]$ ping hue.analytics.wikimedia.org
[05:18:28] <ori-l>	 ping: unknown host hue.analytics.wikimedia.org
[05:18:38] <HaeB>	 (i'm not in the office atm)
[05:19:39] <HaeB>	 drdee: ....thanks !! poring over it now...
[05:20:05] <drdee>	 HaeB, the URL's need more cleaning so we can talk about that next week
[05:20:39] <drdee>	 ori-l, i don't think we have had time to make the host names resolve from the internal network
[05:20:40] <HaeB>	 yes, i think i know what you mean
[05:21:00] <drdee>	 but they do work for the purpose they were created ;)
[05:21:58] <HaeB>	 but the packet loss issue was resolved, right, and this is the full sample (of pageviews including the caches), right?
[05:22:35] <HaeB>	 i.e. we can assume these numbers to be "real" in some sense
[05:22:42] <drdee>	 yes, although only from the 19th onwards IIRC
[05:22:54] <HaeB>	 ah ok
[05:23:02] <drdee>	 yes, they are real unless there is somewhere a problem we are not yet aware of :)