differences between 2.0 and 1.8 logs

Carter Bullard carter at qosient.com
Wed Sep 27 07:13:01 EDT 2000


Hey Russell,
   Hmmmmmm, it is highly unlikely that we're missing the
packets, at least not that many, and with such selectivity
unless there is a huge difference between the 2.0 and the
1.8 output files.   We could be missing the Argus records.
Is this a heavily loaded network?  Hmmmmmmmmmm.

   The man records also record the number of packets seen and
the totals in the flow records should add up to the totals
in the man records.  I'll make some changes to racount to
print out both sums.  That will help, but it won't solve
any problems.

   So what's the setup?  1.8 and 2.0 reading the same
interface at the same time?

   I just now also noticed the ra() reversion. I'll make that
fix now.

Carter

-----Original Message-----
From: owner-argus at lists.andrew.cmu.edu
[mailto:owner-argus at lists.andrew.cmu.edu]On Behalf Of Russell Fulton
Sent: Wednesday, September 27, 2000 12:23 AM
To: Argus (E-mail)
Subject: differences between 2.0 and 1.8 logs


Hi Carter,
	  Well as it turned out I did not get away this week so I'm
fiddling with argus ;-)

I have made a couple of minor changes to my watcher script so that it
works with argus 2.0 and have been running it in parallel with one
running on argus 1.8.1.

Today the version using 2.0 missed two netbios scans so I did a little
poking around:

bash-2.03$ argus-2.0.0i/bin/ra -zncr data2/current - host 206.14.97.214 | less
Wed 09/27 13:13:38.999542   udp   206.14.97.214.137    ->   130.216.197.19.137   2        0         116          0           INT
bash-2.03$ bin/ra -ncr data/2000.09.27/argus-2000.09.27.13.00.gz host 206.14.97.214 | head
27 Sep 00 13:12:17      udp   206.14.97.214.137    ->   130.216.197.1.137    3      0       174       0        TIM
27 Sep 00 13:12:21      udp   206.14.97.214.137    ->   130.216.197.2.137    3      0       174       0        TIM
27 Sep 00 13:12:26      udp   206.14.97.214.137    ->   130.216.197.3.137    3      0       174       0        TIM
27 Sep 00 13:12:30      udp   206.14.97.214.137    ->   130.216.197.4.137    3      0       174       0        TIM
27 Sep 00 13:12:35      udp   206.14.97.214.137    ->   130.216.197.5.137    3      0       174       0        TIM
27 Sep 00 13:12:40      udp   206.14.97.214.137    ->   130.216.197.6.137    3      0       174       0        TIM
27 Sep 00 13:12:44      udp   206.14.97.214.137    ->   130.216.197.7.137    3      0       174       0        TIM
27 Sep 00 13:12:49      udp   206.14.97.214.137    ->   130.216.197.8.137    3      0       174       0        TIM
27 Sep 00 13:12:53      udp   206.14.97.214.137    ->   130.216.197.9.137    3      0       174       0        TIM
27 Sep 00 13:12:58      udp   206.14.97.214.137    ->   130.216.197.10.137   3      0       174       0        TIM

Both servers and clients running on same host.

It would appear that the 'i' release is not logging some flows.  It
missed the traffic for the other scan completely, and in this one it only
logged one flow.

Hmmmm... I notice that the timestamp format seems to have
reverted to the old form with the addition of the .nnnn.

Cheers, Russell.
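Both checks discussed in this thread, comparing the two sensors' ra output for one host and reconciling flow-record packet totals against the sensor's own packet count, as an added example that is not part of either message nor of the argus distribution. It assumes the classic ra text layout shown above (the trailing columns being proto, src, dir, dst, src pkts, dst pkts, src bytes, dst bytes, state) and takes the man record packet total as a plain integer that the reader has already extracted; the sample records are constructed.

```python
from typing import Dict, List, Tuple

# Constructed sample records in the two ra(1) text layouts quoted in the thread
# (argus 1.8.1 and 2.0.0i); not real capture data.
RA_18 = """\
27 Sep 00 13:12:17      udp   206.14.97.214.137    ->   130.216.197.1.137    3      0       174       0        TIM
27 Sep 00 13:12:21      udp   206.14.97.214.137    ->   130.216.197.2.137    3      0       174       0        TIM
27 Sep 00 13:12:26      udp   206.14.97.214.137    ->   130.216.197.3.137    3      0       174       0        TIM
"""
RA_20 = """\
Wed 09/27 13:13:38.999542   udp   206.14.97.214.137    ->   130.216.197.19.137   2        0         116          0           INT
"""

Flow = Dict[str, object]
Key = Tuple[str, str, str]


def parse_ra(text: str) -> List[Flow]:
    """Parse ra(1) text output into flow dicts. The nine trailing columns are
    fixed in both versions, so each line is split from the right and whatever
    remains is the timestamp; this tolerates both timestamp styles."""
    flows: List[Flow] = []
    for line in text.splitlines():
        parts = line.split()
        # Skip prompts, blank lines and anything whose counters are not numeric.
        if len(parts) < 10 or not all(p.isdigit() for p in parts[-5:-1]):
            continue
        *ts, proto, src, direction, dst, spkts, dpkts, sbytes, dbytes, state = parts
        flows.append({"time": " ".join(ts), "proto": proto, "src": src,
                      "dir": direction, "dst": dst, "state": state,
                      "spkts": int(spkts), "dpkts": int(dpkts),
                      "sbytes": int(sbytes), "dbytes": int(dbytes)})
    return flows


def flow_key(f: Flow) -> Key:
    """Protocol plus endpoints (addr.port) identify a flow across versions."""
    return (str(f["proto"]), str(f["src"]), str(f["dst"]))


def total_packets(flows: List[Flow]) -> int:
    return sum(int(f["spkts"]) + int(f["dpkts"]) for f in flows)


def compare(a: List[Flow], b: List[Flow]) -> Tuple[List[Key], List[Key], int, int]:
    """Flows seen by one sensor but not the other, plus each side's packet total."""
    ka, kb = {flow_key(f) for f in a}, {flow_key(f) for f in b}
    return sorted(ka - kb), sorted(kb - ka), total_packets(a), total_packets(b)


def reconcile(flows: List[Flow], sensor_pkts: int) -> int:
    """Shortfall between the packets the sensor itself counted (man record
    total) and the packets accounted for by its unfiltered flow records.
    A positive value means records, not packets, went missing downstream."""
    return sensor_pkts - total_packets(flows)
```

Run `compare` on the same host filter from both sensors to list the destinations one side never reported, and `reconcile` on an unfiltered file to tell record loss from packet loss.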
