An ra oddity

[Peter Van Epp]

	I have put up 2.0.0V and shown it our backbone (which has all sorts
of odd stuff running on it) with ./argus_bpf -ifxp1 -w argus.log & 
When I filter with ra for udp I get udp as expected but also get the 
occasional novell SAP broadcast (which doesn't seem correct):

./ra -r argus.log -c -n udp

31 Jan 01 21:20:16    udp  142.58.245.106.137    ->    142.58.255.255.137   4
     0         386          0           INT
31 Jan 01 21:20:16    udp  142.58.200.115.1462   ->    192.75.243.247.161   11
     0         1456         0           INT
31 Jan 01 21:20:15    llc   8:0:11:10:f5:b7.0xe0 ->  ff:ff:ff:ff:ff:ff.0xe0 4
     0         293          0           INT
31 Jan 01 21:20:15    llc   8:0:11:10:f5:b7.gbl  ->  ff:ff:ff:ff:ff:ff.gbl  4
     0         290          0           INT
31 Jan 01 21:20:15    nvl   8:0:11:10:f5:b7      ->  ff:ff:ff:ff:ff:ff      4
     0         290          0           INT
31 Jan 01 21:20:15    llc   8:0:11:10:f5:b7.0xaa ->  ff:ff:ff:ff:ff:ff.0xaa 4
     0         300          0           INT
31 Jan 01 21:20:18    udp   142.58.140.36.138    ->    142.58.140.255.138   2
     0         528          0           INT
31 Jan 01 21:20:17    udp         0.0.0.0.68     ->   255.255.255.255.67    1
     0         342          0           INT

	It also looks to be deciding MS name service broadcasts are rtp
sometimes (I expect this is the over aggressive classification that was 
being discussed): 

31 Jan 01 21:20:21    udp  142.58.140.185.138    ->    142.58.140.255.138   1
     0         243          0           INT
31 Jan 01 21:20:19    rtp   142.58.160.63.137    ->    142.58.160.255.137   3
     0         276          0           INT
31 Jan 01 21:20:20    udp  142.58.160.200.138    ->    142.58.255.255.138   1
     0         263          0           INT


Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada