strange argus records
Russell Fulton
r.fulton at auckland.ac.nz
Thu Apr 15 17:03:16 EDT 1999
On Thu, 15 Apr 1999 15:50:40 +0200 Alexander Bochmann
<bochmann at mupfel.infra.de> wrote:
> Hi,
>
> in an output produced with ra -c I see entries that look like the
> second in the following example:
>
> Wed 04/14 10:47:04 tcp xxxxxx.xxxxx.de.2255 -> www2.xxxxxx.de.www 7 5 416 388 CLO
> Mon 10/14 18:21:19T unas 30.99.31.97 <-> xxxxxx.xxxxx.de 150339664 38 37 409 CON
> Wed 04/14 10:48:06 tcp xxxxxx.xxxxx.de.2304 -> xxxxxx.com.www 19 14 563 15031 CLO
>
> What does this want to tell me? The date of the entry is quite wrong,
> and there were 150339664 packets transmitted with a total size of 37 bytes?
> And what protocol is "unas"?
>
> Is there something broken? (This is argus-1.7.beta.1e on a Linux box.)
This looks like another symptom of the incomplete read problem which
Linux systems seem to be more prone to. Carter has patches for it which
will be incorporated into the upcoming 1.8 release.
The other possibility is that the ra input file was corrupt. (unas is
short for unassigned, I think, i.e. the field was garbage like the
rest of the record.)
Cheers, Russell.
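As an added example (not part of the original thread or of argus itself), a small Python checker that flags records showing the symptoms discussed above: a malformed time field, an unassigned protocol name, and packet counts that cannot fit in the byte total. The column layout is an assumption inferred from the three quoted lines, which are reused here as constructed sample input.

```python
"""Added example (not argus code): sanity-check ra-style flow records for the
garbage pattern discussed above. Column layout inferred from the quoted lines."""
import re

# Constructed sample: the three records quoted in the original question.
SAMPLE = """\
Wed 04/14 10:47:04 tcp xxxxxx.xxxxx.de.2255 -> www2.xxxxxx.de.www 7 5 416 388 CLO
Mon 10/14 18:21:19T unas 30.99.31.97 <-> xxxxxx.xxxxx.de 150339664 38 37 409 CON
Wed 04/14 10:48:06 tcp xxxxxx.xxxxx.de.2304 -> xxxxxx.com.www 19 14 563 15031 CLO
"""
KNOWN_PROTOS = {"tcp", "udp", "icmp", "ip"}
MIN_BYTES_PER_PKT = 20          # an IPv4 header alone is 20 bytes
TIME_RE = re.compile(r"^\d{2}:\d{2}:\d{2}$")
FIELDS = ("day", "date", "time", "proto", "src", "dir", "dst",
          "src_pkts", "dst_pkts", "src_bytes", "dst_bytes", "state")

def parse_record(line):
    """Split one record into a dict; raise ValueError on bad columns/counters."""
    f = line.split()
    if len(f) != len(FIELDS):
        raise ValueError("expected %d columns, got %d" % (len(FIELDS), len(f)))
    rec = dict(zip(FIELDS, f))
    for k in ("src_pkts", "dst_pkts", "src_bytes", "dst_bytes"):
        rec[k] = int(rec[k])
    return rec

def suspicious_fields(rec):
    """Return the reasons a record looks like a truncated-read artefact."""
    reasons = []
    if not TIME_RE.match(rec["time"]):
        reasons.append("malformed time %r" % rec["time"])
    if rec["proto"] not in KNOWN_PROTOS:
        reasons.append("unknown proto %r" % rec["proto"])
    for side in ("src", "dst"):
        pkts, nbytes = rec[side + "_pkts"], rec[side + "_bytes"]
        if pkts and nbytes < pkts * MIN_BYTES_PER_PKT:
            reasons.append("%s: %d pkts but only %d bytes" % (side, pkts, nbytes))
    return reasons

def scan(text):
    """Map each bad line number (1-based) to its list of reasons."""
    bad = {}
    for n, line in enumerate(text.splitlines(), 1):
        try:
            reasons = suspicious_fields(parse_record(line))
        except ValueError as e:
            reasons = [str(e)]
        if reasons:
            bad[n] = reasons
    return bad

if __name__ == "__main__":
    for n, reasons in scan(SAMPLE).items():
        print("line %d: %s" % (n, "; ".join(reasons)))
```

Only the second record is reported; the two tcp records around it pass every check, which is what one would expect if a single incomplete read corrupted one record.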