differences between 2.0 and 1.8 logs
Russell Fulton
r.fulton at auckland.ac.nz
Wed Sep 27 00:23:08 EDT 2000
Hi Carter,
Well as it turned out I did not get away this week so I'm
fiddling with argus ;-)
I have made a couple of minor changes to my watcher script so that it
works with argus 2.0 and have been running it in parallel with one
running on argus 1.8.1.
Today the version using 2.0 missed two netbios scans so I did a little
poking around:
bash-2.03$ argus-2.0.0i/bin/ra -zncr data2/current - host 206.14.97.214 | less
Wed 09/27 13:13:38.999542 udp 206.14.97.214.137 -> 130.216.197.19.137 2 0 116 0 INT
bash-2.03$ bin/ra -ncr data/2000.09.27/argus-2000.09.27.13.00.gz host 206.14.97.214 | head
27 Sep 00 13:12:17 udp 206.14.97.214.137 -> 130.216.197.1.137 3 0 174 0 TIM
27 Sep 00 13:12:21 udp 206.14.97.214.137 -> 130.216.197.2.137 3 0 174 0 TIM
27 Sep 00 13:12:26 udp 206.14.97.214.137 -> 130.216.197.3.137 3 0 174 0 TIM
27 Sep 00 13:12:30 udp 206.14.97.214.137 -> 130.216.197.4.137 3 0 174 0 TIM
27 Sep 00 13:12:35 udp 206.14.97.214.137 -> 130.216.197.5.137 3 0 174 0 TIM
27 Sep 00 13:12:40 udp 206.14.97.214.137 -> 130.216.197.6.137 3 0 174 0 TIM
27 Sep 00 13:12:44 udp 206.14.97.214.137 -> 130.216.197.7.137 3 0 174 0 TIM
27 Sep 00 13:12:49 udp 206.14.97.214.137 -> 130.216.197.8.137 3 0 174 0 TIM
27 Sep 00 13:12:53 udp 206.14.97.214.137 -> 130.216.197.9.137 3 0 174 0 TIM
27 Sep 00 13:12:58 udp 206.14.97.214.137 -> 130.216.197.10.137 3 0 174 0 TIM
Both servers and clients running on same host.
It would appear that the 'i' release is not logging some flows. It
missed the traffic for the other scan completely and in this one only
logged one flow.
Hmmmm... I notice that the timestamp format seems to have
reverted to the old form with the addition of the .nnnn.
Cheers, Russell.
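The two ra listings above show why a watcher that keys on one flow per destination host would see the sweep in the 1.8.1 data and miss it in the 2.0.0i data. The following is an added example, not Russell's watcher script and not part of argus: it parses both ra output layouts shown in the message (the "27 Sep 00 13:12:17" form and the "Wed 09/27 13:13:38.999542" form), groups flows by source host, protocol and destination port, and flags a source that touched at least `min_targets` distinct destination hosts. The field layout it assumes (timestamp tokens, then proto, src, a direction token, dst, four counters and a state) is taken only from the lines in this message; other ra formats, and the `min_targets` threshold of 5, are assumptions.

```python
"""Parse ra(1)-style flow lines and flag one-source-to-many-hosts sweeps.

Added example for the argus mailing-list discussion above; it is not the
poster's watcher script and not argus code. The line layout it expects is
inferred only from the two ra listings quoted in the message.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample input: the ten flows argus 1.8.1 logged for the
# netbios sweep, in ra's 1.8 timestamp layout, copied from the message.
RA_18_LINES = """\
27 Sep 00 13:12:17 udp 206.14.97.214.137 -> 130.216.197.1.137 3 0 174 0 TIM
27 Sep 00 13:12:21 udp 206.14.97.214.137 -> 130.216.197.2.137 3 0 174 0 TIM
27 Sep 00 13:12:26 udp 206.14.97.214.137 -> 130.216.197.3.137 3 0 174 0 TIM
27 Sep 00 13:12:30 udp 206.14.97.214.137 -> 130.216.197.4.137 3 0 174 0 TIM
27 Sep 00 13:12:35 udp 206.14.97.214.137 -> 130.216.197.5.137 3 0 174 0 TIM
27 Sep 00 13:12:40 udp 206.14.97.214.137 -> 130.216.197.6.137 3 0 174 0 TIM
27 Sep 00 13:12:44 udp 206.14.97.214.137 -> 130.216.197.7.137 3 0 174 0 TIM
27 Sep 00 13:12:49 udp 206.14.97.214.137 -> 130.216.197.8.137 3 0 174 0 TIM
27 Sep 00 13:12:53 udp 206.14.97.214.137 -> 130.216.197.9.137 3 0 174 0 TIM
27 Sep 00 13:12:58 udp 206.14.97.214.137 -> 130.216.197.10.137 3 0 174 0 TIM
"""

# Constructed sample input: the single flow the 2.0.0i ra listing showed,
# in the 2.0 timestamp layout (weekday, MM/DD, HH:MM:SS.uuuuuu).
RA_20_LINES = """\
Wed 09/27 13:13:38.999542 udp 206.14.97.214.137 -> 130.216.197.19.137 2 0 116 0 INT
"""

# Direction tokens we accept between src and dst; '->' is the only one in
# the message, the others are an assumption about other ra output.
DIRECTION_TOKENS = {"->", "<-", "<->"}


@dataclass(frozen=True)
class Flow:
    proto: str
    src_host: str
    src_port: str
    dst_host: str
    dst_port: str
    state: str


def split_addr(token):
    """Split ra's 'a.b.c.d.port' into ('a.b.c.d', 'port')."""
    host, _, port = token.rpartition(".")
    return host, port


def parse_ra_line(line):
    """Return a Flow for one ra line, or None if the layout is not recognised.

    We anchor on the direction token rather than on the timestamp, so the
    1.8 and 2.0 timestamp layouts are handled by the same code.
    """
    fields = line.split()
    idx = next((i for i, tok in enumerate(fields) if tok in DIRECTION_TOKENS), None)
    # Need proto and src before the arrow, dst plus 4 counters and a state after it.
    if idx is None or idx < 2 or len(fields) < idx + 7:
        return None
    proto = fields[idx - 2]
    src_host, src_port = split_addr(fields[idx - 1])
    dst_host, dst_port = split_addr(fields[idx + 1])
    return Flow(proto, src_host, src_port, dst_host, dst_port, fields[-1])


def parse_ra_text(text):
    """Parse every recognisable line of a block of ra output."""
    flows = [parse_ra_line(ln) for ln in text.splitlines() if ln.strip()]
    return [f for f in flows if f is not None]


def detect_host_sweeps(flows, min_targets=5):
    """Map (src_host, proto, dst_port) -> distinct destination-host count,
    keeping only sources that reached at least min_targets hosts.

    This is the property a per-destination-host flow record gives a watcher:
    one source, one service port, many destination hosts in a short window.
    """
    targets = defaultdict(set)
    for f in flows:
        targets[(f.src_host, f.proto, f.dst_port)].add(f.dst_host)
    return {k: len(h) for k, h in targets.items() if len(h) >= min_targets}


if __name__ == "__main__":
    for label, text in (("argus 1.8.1", RA_18_LINES), ("argus 2.0.0i", RA_20_LINES)):
        hits = detect_host_sweeps(parse_ra_text(text))
        print(label, "->", hits or "no sweep detected")
```

Run as a script it reports a sweep from 206.14.97.214 on udp/137 across 10 hosts for the 1.8.1 lines and nothing for the 2.0.0i line, which is the miss described in the message: a detector that counts destination hosts per source can only fire if the collector emits one record per destination host.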