ra bug for fragment output?

Carter Bullard carter at qosient.com
Thu Feb 22 14:05:54 EST 2001


Hey Clauss,
   This is the legacy way that argus-1.8.1 reported
partially assembled fragments.  This is so that it's
clear that they are not interpreted as flows, but
rather fragment reports.  We used to print out tooooo
much information about the fragment, but that messed
up the column counts and the like.  I like the fact
that we are reporting them like straight flows, but
we still need to indicate that they are special, and
not real flow reports.  (although all the other tools
will treat them as traditional flows, i.e. ragator()
will merge them all together, if given a chance).

   We haven't really talked about whether the old way
was useful, so what would you rather do?  We can find
a way to indicate that it's a frag_only report, maybe
it gets a 'f' instead of a 'F', and we put the real
proto back in?

   Does this sound reasonable?

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter at qosient.com
Phone +1 212 588-9133
Fax   +1 212 588-9134

> -----Original Message-----
> From: Clauss Strauch [mailto:Clauss_Strauch at aquila.fac.cs.cmu.edu]
> Sent: Thursday, February 22, 2001 12:37 PM
> To: Carter Bullard
> Subject: ra bug for fragment output?
> 
> 
> Hello,
> 	It looks like ra is printing out fragment status instead of protocol
> name for fragments.  So, for example, doing
> 
> ra -I - host pike -r [file]
> 
> prints out:
> 
> 21 Feb 01 16:05:12       F  frag PIKE.CMCL.CS.CM               -> VICE14.FS.ANDRE              TIM
> 21 Feb 01 16:05:12       F  frag PIKE.CMCL.CS.CM               -> VICE14.FS.ANDRE              TIM
> 21 Feb 01 16:05:12       F  frag PIKE.CMCL.CS.CM               -> VICE14.FS.ANDRE              TIM
> 21 Feb 01 16:05:12       F  frag PIKE.CMCL.CS.CM               -> VICE14.FS.ANDRE              TIM
> 21 Feb 01 16:05:12       F  frag PIKE.CMCL.CS.CM               -> VICE14.FS.ANDRE              TIM
> 
> While:
> 
> ra -nn -I - host pike -r 
> 
> prints out:
> 
> 21 Feb 01 16:05:12       F    17   128.2.222.163        ->       128.2.10.14 TIM
> 21 Feb 01 16:05:12       F    17   128.2.222.163        ->       128.2.10.14 TIM
> 21 Feb 01 16:05:12       F    17   128.2.222.163        ->       128.2.10.14 TIM
> 21 Feb 01 16:05:12       F    17   128.2.222.163        ->       128.2.10.14 TIM
> 21 Feb 01 16:05:12       F    17   128.2.222.163        ->       128.2.10.14 TIM
> 
> Which is what I expect (the fragments are UDP AFS traffic).
> 
> 					-- Clauss 