nasty brokenness!
Peter Van Epp
vanepp at sfu.ca
Fri Sep 22 21:38:06 EDT 2000
The corrupted time stamp looks nasty. I launched (from a shell script)
tcpdump and argus against the same interface. I then gathered all their
PIDs and put them in a single kill -HUP (tcpdump then the 3 arguses). I then
periodically ran
ra -r argus.1.log -c -n |grep Wed
and
argus_bpf -r tcpdump.1.log -w - | ra -c -n |grep Wed
At some point the ra found "Wed" but the argus_bpf didn't (which matches an
earlier tcpdump I had run but which didn't start simultaneously). At this
point I ran the kill leaving me with argus.1.log which argus_bpf had been
writing and tcpdump.1.log which tcpdump had been writing. Now the kernel
reported 2 drops on the tcpdump (it is doing -s 1510 to capture the full
packet so this isn't necessarily a surprise). Running argus_bpf as above
after both it and argus were stopped still didn't get me a Wed (corrupted
time stamp) in the tcpdump version of the file and the files match more or
less up to the first corruption (and the ra read of the argus.1.log file is
identical between runs):
tcpdump.1.log:
Fri 09/22 17:57:16.518186 udp 208.184.229.155.0 -> 142.58.144.20.0
2 0 1736 0 TIM
Fri 09/22 17:57:16.593874 tcp 142.58.217.148.49482 |> 206.12.30.144.9000
14 16 926 18228 RST
Fri 09/22 17:57:16.624894 udp 208.184.229.155.0 -> 142.58.144.20.0
2 0 1736 0 TIM
Fri 09/22 17:57:16.719098 udp 208.184.229.155.0 -> 142.58.144.20.0
2 0 1736 0 TIM
Fri 09/22 17:57:16.814248 udp 208.184.229.155.0 -> 142.58.144.20.0
2 0 1736 0 TIM
Fri 09/22 17:57:16.923246 udp 208.184.229.155.0 -> 142.58.144.20.0
2 0 1736 0 TIM
Fri 09/22 17:57:17.016310 udp 208.184.229.155.0 -> 142.58.144.20.0
2 0 1736 0 TIM
Fri 09/22 17:57:17.124281 udp 208.184.229.155.0 -> 142.58.144.20.0
2 0 1736 0 TIM
Fri 09/22 17:57:17.219148 udp 208.184.229.155.0 -> 142.58.144.20.0
2 0 1736 0 TIM
Fri 09/22 17:57:17.314135 udp 208.184.229.155.0 -> 142.58.144.20.0
2 0 1736 0 TIM
Fri 09/22 17:57:17.421285 udp 208.184.229.155.0 -> 142.58.144.20.0
2 0 1736 0 TIM
Fri 09/22 17:57:17.517297 udp 208.184.229.155.0 -> 142.58.144.20.0
2 0 1736 0 TIM
Fri 09/22 17:57:17.517297 udp 208.184.229.155.0 -> 142.58.144.20.0
2 0 1736 0 TIM
Fri 09/22 17:57:27.719452 udp 208.184.229.155.0 -> 142.58.144.20.0
2 0 1736 0 TIM
Fri 09/22 17:59:04.720524 udp 208.184.229.155.0 -> 142.58.144.20.0
1 0 1480 0 TIM
Fri 09/22 17:59:04.720542 udp 208.184.229.155.0 -> 142.58.144.20.0
1 0 256 0 TIM
Fri 09/22 17:57:17.624986 udp 208.184.229.155.0 -> 142.58.144.20.0
2 0 1736 0 TIM
Fri 09/22 17:56:07.670905 tcp 142.58.249.154.2977 -> 24.0.0.200.80
29 48 1733 59532 CLO
Fri 09/22 17:56:07.682765 tcp 142.58.249.154.2978 -> 24.0.0.200.80
37 52 2386 62596 CLO
Fri 09/22 17:57:17.719483 udp 208.184.229.155.0 -> 142.58.144.20.0
2 0 1736 0 TIM
Fri 09/22 17:57:17.814183 udp 208.184.229.155.0 -> 142.58.144.20.0
2 0 1736 0 TIM
Fri 09/22 17:57:17.921664 udp 208.184.229.155.0 -> 142.58.144.20.0
2 0 1736 0 TIM
Fri 09/22 17:57:18.016406 udp 208.184.229.155.0 -> 142.58.144.20.0
2 0 1736 0 TIM
argus.1.log (same line number):
...
Fri 09/22 17:57:16.518181 udp 208.184.229.155.0 -> 142.58.144.20.0
2 0 1736 0 TIM
Fri 09/22 17:57:16.593870 tcp 142.58.217.148.49482 |> 206.12.30.144.9000
14 16 926 18228 RST
Fri 09/22 17:57:16.624887 udp 208.184.229.155.0 -> 142.58.144.20.0
2 0 1736 0 TIM
Fri 09/22 17:57:16.719092 udp 208.184.229.155.0 -> 142.58.144.20.0
2 0 1736 0 TIM
Fri 09/22 17:57:16.814246 udp 208.184.229.155.0 -> 142.58.144.20.0
2 0 1736 0 TIM
Fri 09/22 17:57:16.923240 udp 208.184.229.155.0 -> 142.58.144.20.0
2 0 1736 0 TIM
Fri 09/22 17:57:17.016304 udp 208.184.229.155.0 -> 142.58.144.20.0
2 0 1736 0 TIM
Fri 09/22 17:57:17.124275 udp 208.184.229.155.0 -> 142.58.144.20.0
2 0 1736 0 TIM
Fri 09/22 17:57:17.219144 udp 208.184.229.155.0 -> 142.58.144.20.0
2 0 1736 0 TIM
Fri 09/22 17:57:17.314128 udp 208.184.229.155.0 -> 142.58.144.20.0
2 0 1736 0 TIM
Fri 09/22 17:57:17.421282 udp 208.184.229.155.0 -> 142.58.144.20.0
2 0 1736 0 TIM
Wed 12/10 23:06:39.-1198126848 tcp 142.58..8080 <?> 24.113..1071
1 1 26 28 EST
Fri 09/22 17:59:12.208781 tcp 142.58.181.4.8080 <?> 24.113.11.50.1071
0 1 0 28 EST
Fri 09/22 17:57:17.517291 udp 208.184.229.155.0 -> 142.58.144.20.0
2 0 1736 0 TIM
Fri 09/22 17:57:17.624979 udp 208.184.229.155.0 -> 142.58.144.20.0
2 0 1736 0 TIM
Fri 09/22 17:57:17.719479 udp 208.184.229.155.0 -> 142.58.144.20.0
2 0 1736 0 TIM
Fri 09/22 17:57:17.814177 udp 208.184.229.155.0 -> 142.58.144.20.0
2 0 1736 0 TIM
Fri 09/22 17:57:17.921658 udp 208.184.229.155.0 -> 142.58.144.20.0
2 0 1736 0 TIM
Fri 09/22 17:57:18.016399 udp 208.184.229.155.0 -> 142.58.144.20.0
2 0 1736 0 TIM
Fri 09/22 17:57:18.057349 tcp 24.113.31.225.20089 <| 142.58.230.107.80
7 8 661 5218 RST
Fri 09/22 17:57:18.124166 udp 208.184.229.155.0 -> 142.58.144.20.0
2 0 1736 0 TIM
Fri 09/22 17:57:18.219728 udp 208.184.229.155.0 -> 142.58.144.20.0
2 0 1736 0 TIM
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
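
A check that does not depend on the weekday string, as an added example (not part of the original message or the argus project): it flags ra -c -n records whose microseconds field, date, or address.port endpoints are malformed, the three symptoms visible in the corrupted record quoted above. The field layout is assumed from that quoted output, and the function names are hypothetical.

```python
import re

# Layout assumed from the ra -c -n output quoted in the message:
#   Day MM/DD HH:MM:SS.usec proto src.port dir dst.port
RECORD = re.compile(
    r"^[A-Z][a-z]{2} +(?P<date>\d\d/\d\d) +\d\d:\d\d:\d\d\.(?P<usec>\S+) +"
    r"\S+ +(?P<src>\S+) +\S+ +(?P<dst>\S+)"
)
ENDPOINT = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,5})$")

# Three records copied from the argus.1.log excerpt in the message.
SAMPLE = """\
Fri 09/22 17:57:17.421282 udp 208.184.229.155.0 -> 142.58.144.20.0
2 0 1736 0 TIM
Wed 12/10 23:06:39.-1198126848 tcp 142.58..8080 <?> 24.113..1071
1 1 26 28 EST
Fri 09/22 17:59:12.208781 tcp 142.58.181.4.8080 <?> 24.113.11.50.1071
0 1 0 28 EST
""".splitlines()

def endpoint_ok(text):
    m = ENDPOINT.match(text)  # complete dotted quad followed by a port
    if not m:
        return False
    *octets, port = map(int, m.groups())
    return all(o <= 255 for o in octets) and port <= 65535

def check_record(line, capture_date):
    """Return the reasons a record looks corrupted (empty list if clean)."""
    m = RECORD.match(line.strip())
    if not m:
        return []  # wrapped counter line or other non-record text
    reasons = []
    if not re.fullmatch(r"\d{6}", m["usec"]):
        reasons.append("bad microseconds " + m["usec"])
    if m["date"] != capture_date:
        reasons.append("date " + m["date"] + " outside capture")
    for side in ("src", "dst"):
        if not endpoint_ok(m[side]):
            reasons.append("malformed " + side + " " + m[side])
    return reasons

def scan(lines, capture_date):
    """Return (line number, reasons) for every suspect record."""
    hits = [(n, check_record(l, capture_date)) for n, l in enumerate(lines, 1)]
    return [(n, r) for n, r in hits if r]

if __name__ == "__main__":
    for number, reasons in scan(SAMPLE, "09/22"):
        print(number, "; ".join(reasons))
```

Run over both the argus-written file and the tcpdump-derived one, a record flagged in only one of them points at the writer of that file rather than at the traffic.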