argus-2.0.0.beta2

Carter Bullard carter at qosient.com
Mon Feb 12 15:58:10 EST 2001


Hey Scott,
   In the dump file you sent, there is rtp traffic, although not
on your NFP port, so it was a good test file.

   With regard to 802.1Q, the only traffic with vlan tags in your
file is some proprietary Cisco LLC snap encapsulated packets.  Cisco
uses vlan tags all the time and there is very little documentation
on what packets like these are actually doing, so ....?

   Not much mystery here.  As a result of this I've added encapsulation
reporting in argus records, and I've strengthened the RTP discovery.
So not bad.  That will be in beta.3, but I haven't found much in the
way of our core dump.

   Still looking.

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter at qosient.com
Phone +1 212 588-9133
Fax   +1 212 588-9134


> -----Original Message-----
> From: Scott A. McIntyre [mailto:scott at xs4all.nl]
> Sent: Monday, February 12, 2001 12:35 AM
> To: Carter Bullard
> Subject: Re: argus-2.0.0.beta2
> 
> 
> Morning Carter,
> 
> 
> >    surprising that you would be getting several old problems
> >    reappearing at the same time, so we definitely should double
> >    check that you are running the beta2 version of whatever.
> 
> Yeah, that's a good point -- but this was a brand new install and I
> downloaded argus only yesterday for this box.  Here's what the version
> information data says:
> 
> [root at moo /tmp]# ra -h
> Ra Version 2.0.0.beta.2
> usage: ra
> usage: ra [options] -S remoteServer  [- filter-expression]
> usage: ra [options] -r argusDataFile [- filter-expression]
> 
> and
> 
> [root at moo /tmp]# /home/argus/bin/argus_linux -h
> Argus Version 2.0.0.beta.2
> usage: argus_linux [options] [-i interface] [filter-expression]
> usage: argus_linux [options]  -r packetfile [filter-expression]
> 
> 
> >    indications to beta.3.  Support was already there, just
> >    didn't set the bits.  This may help you.  I tested with
> >    some vlan packet capture files I could find, but if you
> >    think you're not getting what you expect, capture some
> >    packets and send them my way.
> 
> Okay dokay.  Attached are a thousand packets, some with vlan
> encapsulation, some not.  May be of use in figuring out what's going on.
> This was captured with tcpdump 3.6 and libpcap 0.6 (freshly downloaded
> yesterday as well, so, 3.6.2 and 0.6.2 methinks).
> 
> 
> >       The rtp stuff was fixed in earlier versions, but if
> >    you are getting "rtp" declarations on nfs traffic, then
> >    either the fix didn't take or you're running an earlier
> >    version (make sense ;o)
> 
> I definitely am.  The only traffic that goes from one of the nodes in
> question is NFS (it's a netapp filer), and the ports are all right:
> 
> 12 Feb 01 06:33:05    tcp 212.127.135.228.2216   ->    194.109.206.60.25 RST
> 12 Feb 01 06:33:05    rtp    213.84.130.5.2049   ->    194.109.6.78.1023  INT
> 12 Feb 01 06:33:05    rtp    213.84.130.5.2049   ->    194.109.6.78.1023  INT
> 12 Feb 01 06:33:06    rtp    213.84.130.5.2049   ->    194.109.6.78.1023  INT
> 12 Feb 01 06:33:06    tcp 212.127.135.228.2218   ->    194.109.206.60.25 RST
> 
> For example.
> 
> Hope that this helps!!
> 
> Scott
> 
> 