strange argus records
Alexander Bochmann
bochmann at mupfel.infra.de
Fri Apr 16 04:46:54 EDT 1999
...on Fri, Apr 16, 1999 at 09:03:16AM +1200, Russell Fulton wrote:
> On Thu, 15 Apr 1999 15:50:40 +0200 Alexander Bochmann
> <bochmann at mupfel.infra.de> wrote:
> > Mon 10/14 18:21:19T unas 30.99.31.97 <-> xxxxxx.xxxxx.de 150339664 38 37 409 CON
> > Is there something broken? (This is argus-1.7.beta.1e on a Linux box.)
> This looks like another symptom of the incomplete read problem which
> Linux systems seem to be more prone to. Carter has patches for it which
It's mildly strange, because at least the (obviously spoofed) IP
address 30.99.31.97 also shows up in a Cisco accounting logfile
(would have to look up the traffic, though, but if I remember correctly
it was only a handful of bytes at least in the one record I saw)...
The (x-ed out) recipient address is also ok.
> The other possibility is that the ra input file was corrupt. (unas is
> short for unassigned -- I think i.e. the field was garbage like the
> rest of the record).
I assume that at least part of the record is actually correct - is there
any kind of traffic that can break argus' recording and/or reporting?
Alex.