strange records

Carter Bullard cbullard at nortelnetworks.com
Tue Apr 20 13:02:11 EDT 1999


Hmmmmm,
   Very interesting, and we can't blame it on Daylight
Savings Time ;o)  The question would be "is this a TCP
record"?   Argus is doing some not-so-straightforward
logic on TCP reporting (times, byte and packet counts) in
order to have the final record be a cumulative record
of the entire TCP.  If this is a really long lived record
we may have wrapped around a counter and that's how we
got a negative value in a byte counter, but the time should
wrap.   We may be tickling something in this code that
is not quite right.

   What I would be interested in is if there are any
other records that apply to this same flow
that are well formed.

Carter

PS. How's the FDDI performance?  I have not had the best
    results with Sun FDDI.  I've had better results with
    DEC.

-----Original Message-----
From: David Brumley [mailto:dbrumley at goju.Stanford.EDU]
Sent: Tuesday, April 20, 1999 12:50 PM
To: Carter Bullard
Cc: argus at lists.andrew.cmu.edu
Subject: strange records


I forgot to mention, the clock is only adjusted at most a few seconds.

On Tue, 20 Apr 1999, David Brumley wrote:

> Hey carter,
> I've noticed some weird records lately while writing an IDS around argus.
> I'm running argus on Solaris 2.6 on a FDDI.
> 
> We run AFS on the machine, so the clock is adjusted every so often.  I
> don't know if this explains the whole skew, though.
>       - startime: Wed 04/14 00:44:11
>       - lasttime: Tue 04/13 19:41:20

#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
David Brumley - Stanford Computer Security - dbrumley at Stanford.EDU
Phone: +1-650-723-2911    WWW: http://www.stanford.edu/~dbrumley
Fax:   +1-650-725-9121    PGP: finger dbrumley-pgp at sunset.Stanford.EDU
#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
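The two symptoms discussed above (a lasttime earlier than starttime, and a negative byte count that may be a wrapped 32-bit counter) are easy to screen for mechanically, and the question Carter asks, whether other records for the same flow are well formed, can be answered by grouping records per flow. The script below is an added example written for this archive page; it is not argus code, and it uses a constructed, whitespace-separated record layout (proto src dst start_date start_time last_date last_time bytes, with a year added to the dates) rather than argus's own output format. The 5-second skew threshold stands in for the "at most a few seconds" clock adjustment mentioned in the thread and is an assumption.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample records for this example (not argus output).
# Layout: proto src dst start_date start_time last_date last_time bytes
SAMPLE_RECORDS = """\
tcp 10.0.0.5 10.0.1.9 04/14/1999 00:44:11 04/13/1999 19:41:20 -2120000000
tcp 10.0.0.5 10.0.1.9 04/13/1999 19:40:02 04/13/1999 19:41:10 48211
udp 10.0.0.7 10.0.2.2 04/14/1999 00:44:13 04/14/1999 00:44:11 512
tcp 10.0.0.8 10.0.3.1 04/14/1999 01:00:00 04/14/1999 01:05:00 -5
"""


@dataclass
class Flow:
    proto: str
    src: str
    dst: str
    starttime: datetime
    lasttime: datetime
    nbytes: int

    @property
    def key(self):
        # Flow identity used to correlate records; ports are left out of the
        # constructed format to keep the example short.
        return (self.proto, self.src, self.dst)


def parse_record(line):
    """Parse one line of the constructed record layout into a Flow."""
    proto, src, dst, sd, st, ld, lt, nbytes = line.split()
    fmt = "%m/%d/%Y %H:%M:%S"
    return Flow(proto, src, dst,
                datetime.strptime(f"{sd} {st}", fmt),
                datetime.strptime(f"{ld} {lt}", fmt),
                int(nbytes))


def unwrap_u32(value):
    """Reinterpret a negative signed 32-bit counter as the unsigned value
    it would have held before the sign bit was set."""
    return value & 0xFFFFFFFF if value < 0 else value


def check_flow(flow, max_clock_skew=5.0):
    """Return a list of problems with the record (empty if well formed).

    max_clock_skew (seconds, assumed) separates a small backwards step that a
    clock adjustment could explain from a gap that it cannot.
    """
    problems = []
    if flow.lasttime < flow.starttime:
        back = (flow.starttime - flow.lasttime).total_seconds()
        if back <= max_clock_skew:
            problems.append(
                f"lasttime {back:.0f}s before starttime: within clock adjustment")
        else:
            problems.append(
                f"lasttime {back:.0f}s before starttime: exceeds clock adjustment")
    if flow.nbytes < 0:
        problems.append(
            f"negative byte count {flow.nbytes} "
            f"(as unsigned 32-bit: {unwrap_u32(flow.nbytes)})")
    return problems


def triage(text, max_clock_skew=5.0):
    """Group records by flow: {flow key: (malformed count, well-formed count)}.

    A flow with at least one well-formed record alongside a bad one is the
    case worth sending back to the list."""
    per_flow = defaultdict(lambda: [0, 0])
    for line in text.splitlines():
        if not line.strip():
            continue
        flow = parse_record(line)
        idx = 0 if check_flow(flow, max_clock_skew) else 1
        per_flow[flow.key][idx] += 1
    return {k: tuple(v) for k, v in per_flow.items()}


if __name__ == "__main__":
    for line in SAMPLE_RECORDS.splitlines():
        flow = parse_record(line)
        for problem in check_flow(flow):
            print(f"{flow.key}: {problem}")
    for key, (bad, good) in triage(SAMPLE_RECORDS).items():
        print(f"{key}: malformed={bad} well-formed={good}")
```

Run against a dump of real records, the interesting output is a flow key with both malformed and well-formed entries: that is exactly the "other records that apply to this same flow that are well formed" the reply asks for, and the unsigned reinterpretation of the byte count tells you whether the negative value is plausibly a wrapped counter or something else.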