An ra oddity

Carter Bullard carter at qosient.com
Thu Feb 1 11:21:50 EST 2001


Hey Peter,
   Yes, with "V" came new support for llc traffic, and the
potential for new issues.  I'll beef up the filter logic,
so that it corrects this problem.

The rtp issue will be addressed in 'W' which should come out
tomorrow, I hope.

Thanks!!!!

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter at qosient.com
Phone +1 212 813-9426
Fax   +1 212 813-9426




-----Original Message-----
From: owner-argus at lists.andrew.cmu.edu
[mailto:owner-argus at lists.andrew.cmu.edu]On Behalf Of Peter Van Epp
Sent: Thursday, February 01, 2001 12:35 AM
To: argus
Subject: An ra oddity


	I have put up 2.0.0V and shown it our backbone (which has all sorts
of odd stuff running on it) with ./argus_bpf -ifxp1 -w argus.log & 
When I filter with ra for udp I get udp as expected but also get the 
occasional novell SAP broadcast (which doesn't seem correct):

./ra -r argus.log -c -n udp

31 Jan 01 21:20:16    udp  142.58.245.106.137    ->   142.58.255.255.137   4    0    386     0    INT
31 Jan 01 21:20:16    udp  142.58.200.115.1462   ->   192.75.243.247.161   11   0    1456    0    INT
31 Jan 01 21:20:15    llc   8:0:11:10:f5:b7.0xe0 ->   ff:ff:ff:ff:ff:ff.0xe0 4  0    293     0    INT
31 Jan 01 21:20:15    llc   8:0:11:10:f5:b7.gbl  ->   ff:ff:ff:ff:ff:ff.gbl  4  0    290     0    INT
31 Jan 01 21:20:15    nvl   8:0:11:10:f5:b7      ->   ff:ff:ff:ff:ff:ff    4    0    290     0    INT
31 Jan 01 21:20:15    llc   8:0:11:10:f5:b7.0xaa ->   ff:ff:ff:ff:ff:ff.0xaa 4  0    300     0    INT
31 Jan 01 21:20:18    udp   142.58.140.36.138    ->   142.58.140.255.138   2    0    528     0    INT
31 Jan 01 21:20:17    udp         0.0.0.0.68     ->   255.255.255.255.67   1    0    342     0    INT

	It also looks to be deciding MS name service broadcasts are rtp
sometimes (I expect this is the over aggressive classification that was 
being discussed): 

31 Jan 01 21:20:21    udp  142.58.140.185.138    ->   142.58.140.255.138   1    0    243     0    INT
31 Jan 01 21:20:19    rtp   142.58.160.63.137    ->   142.58.160.255.137   3    0    276     0    INT
31 Jan 01 21:20:20    udp  142.58.160.200.138    ->   142.58.255.255.138   1    0    263     0    INT


Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada


