strange records
David Brumley
dbrumley at goju.Stanford.EDU
Tue Apr 20 12:25:27 EDT 1999
Hey Carter,
I've noticed some weird records lately while writing an IDS around argus.
I'm running argus on Solaris 2.6 on an FDDI.
In a nutshell, sometimes I get negative byte counts. Another weird thing
is sometimes the startime is after lasttime. Either there are
time-travelling packets, or I'm missing something.
We run AFS on the machine, so the clock is adjusted every so often. I
don't know if this explains the whole skew, though.
- startime: Wed 04/14 00:44:11
- lasttime: Tue 04/13 19:41:20
results in
- src port num: 1350
- dst port num: 80
- src byte count: -12
- dst byte count: 0
- src pkt count: 3
- dst pkt count: 1
Sometimes there is the clock problem without the packet problem... but
maybe it's subtracting packets but just not enough to make the whole thing
negative... I don't know.
Is there a way to do this, perhaps with times() instead of time()?
cheers,
david
#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
David Brumley - Stanford Computer Security - dbrumley at Stanford.EDU
Phone: +1-650-723-2911 WWW: http://www.stanford.edu/~dbrumley
Fax: +1-650-725-9121 PGP: finger dbrumley-pgp at sunset.Stanford.EDU
#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#