ra bugs.

Carter Bullard carter at qosient.com
Sun Jan 28 13:38:17 EST 2001


Hey Clauss,
Hmmm, yes one toooo many commas and it looks like we're
writing into dirty buffers. I'll correct that situation!

Thanks for all the reports. I can fix these problems!!!!

Carter
Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter at qosient.com
Phone +1 212 813-9426
Fax   +1 212 813-9426

> -----Original Message-----
> From: Clauss Strauch [mailto:Clauss_Strauch at aquila.fac.cs.cmu.edu]
> Sent: Sunday, January 28, 2001 12:46 PM
> To: Carter Bullard
> Subject: ra bugs.
> 
> 
> Hello,
> 	After seeing Peter's mail on ICMP byte count problems, I ran a
> script to look over a few days worth of logs and report any records
> where flow was '<->' and there weren't src & dst packet and byte counts.
> Didn't find any, but I did run into a few output bugs.  All the output
> is printed using the rarc:
> 
> RA_FIELD_DELIMITER=','
> RA_PRINT_SUMMARY=no
> RA_PRINT_ARGUSID=no
> RA_PRINT_MACADDRS=no
> RA_PRINT_INDICATORS=no
> RA_PRINT_HOSTNAMES=no
> RA_PRINT_COUNTS=yes
> RA_PRINT_RESPONSE_DATA=no
> RA_PRINT_UNIX_TIME=yes
> RA_PRINT_STARTIME=yes
> RA_PRINT_LASTIME=yes
> RA_PRINT_DURATION=no
> RA_USEC_PRECISION=6
> 
> 1)  There seems to be a bug in formatting some types of non-IP traffic
> when counts and separators are turned on (there's an extra field near
> the end):
> 
> 980228016.303408,980228036.323226,apltk,0:d0:bc:f2:18:58,,->,9:0:7:ff:ff:ff,,,6,0,1908,0,INT
> 980228021.711727,980228031.713691,apltk,0:d0:d3:33:85:7c,,->,9:0:7:ff:ff:ff,,,4,0,252,0,INT
> 980228017.698275,980228035.709919,vtp,0:d0:bc:f2:18:1f,,->,1:0:c:cc:cc:cc,,,4,0,752,0,INT
> 980228012.840756,980228038.052788,apltk,0:5:2:d0:c6:9a,,->,0:d0:bc:f2:18:58,,,8,0,664,0,INT
> 980228013.528366,980228033.528772,apltk,0:d0:d3:36:31:3c,,->,9:0:7:ff:ff:ff,,,6,0,414,0,INT
> 980228013.689473,980228033.701920,apltk,0:d0:d3:35:75:10,,->,9:0:7:ff:ff:ff,,,6,0,522,0,INT
> 980228013.723336,980228033.722484,apltk,0:2:7e:20:a9:28,,->,9:0:7:ff:ff:ff,,,6,0,1062,0,INT
> 980228020.728496,980228034.300116,ipx,0:d0:d3:35:b9:b0,,->,Broadcast,,,20,0,8728,0,INT
> 
> 2)  There may be a bug in wrt printing out a bit too much data if the
> -m switch is used:
> 
> $ ra -F ./rarc.bar -r arg.out.bad3 - host 128.2.188.73 | more 
> 980228025.612708,980228030.054619,tcp,128.2.188.73,2240,->,128.150.4.38,443,12,11,1734,5066,RST
> 
> $ ra -F ./rarc.bar -m -r arg.out.bad3 - host 128.2.188.73 | more
> 980228025.612708,980228030.054619,tcp,0:d0:bc:f2:18:58,0:e0:8f:9:90:c0,128.2.188.73,2240,->,128.150.4.38,443,12,11,1734,5066,RSTP?@pM at C@
> 
> 	I put the argus file that produces these errors in 
> /afs/andrew/usr/cs1y/carterb/arg.out.bad3.gz
> 
> 						-- Clauss
> 
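
A sanity check for delimited ra output that catches both symptoms reported in this thread (an extra column, and stray bytes after the state token) before the records reach downstream tooling. This is an added example, not part of the original messages and not Argus code; the 13-column layout and the uppercase-only state token are assumptions inferred from the records quoted above, and the function names are hypothetical.

```python
import re

# Constructed sample: records copied from the report above and re-joined onto
# single lines. PLAIN was printed without -m, MACS with -m.
PLAIN = [
    "980228025.612708,980228030.054619,tcp,128.2.188.73,2240,->,128.150.4.38,443,12,11,1734,5066,RST",
    "980228016.303408,980228036.323226,apltk,0:d0:bc:f2:18:58,,->,9:0:7:ff:ff:ff,,,6,0,1908,0,INT",
]
MACS = [
    "980228025.612708,980228030.054619,tcp,0:d0:bc:f2:18:58,0:e0:8f:9:90:c0,"
    "128.2.188.73,2240,->,128.150.4.38,443,12,11,1734,5066,RSTP?@pM at C@",
]

# Assumption: 13 columns under this rarc (start, last, proto, src addr, src port,
# direction, dst addr, dst port, four counts, state), inferred from the TCP record.
BASE_FIELDS = 13
MAC_FIELDS = 2                      # two extra address columns with -m
COUNT_RE = re.compile(r"\d+")
STATE_RE = re.compile(r"[A-Z]+")    # assumption: state is an uppercase token

def check_record(line, delimiter=",", with_macs=False):
    """Return a list of problems found in one ra output line (empty = clean)."""
    expected = BASE_FIELDS + (MAC_FIELDS if with_macs else 0)
    fields = line.rstrip("\n").split(delimiter)
    problems = []
    if len(fields) != expected:
        problems.append(f"field count {len(fields)}, expected {expected}")
    # The four counts sit immediately before the state column.
    if len(fields) >= 5 and not all(COUNT_RE.fullmatch(f) for f in fields[-5:-1]):
        problems.append("non-numeric packet/byte count")
    if not STATE_RE.fullmatch(fields[-1]):
        problems.append(f"unexpected bytes in state field: {fields[-1]!r}")
    return problems

def scan(lines, **kw):
    """Map 1-based line number -> problems, for records that fail a check."""
    found = {}
    for n, line in enumerate(lines, 1):
        problems = check_record(line, **kw)
        if problems:
            found[n] = problems
    return found

if __name__ == "__main__":
    for label, lines, macs in (("plain", PLAIN, False), ("-m", MACS, True)):
        for n, problems in scan(lines, with_macs=macs).items():
            print(f"{label} record {n}: {'; '.join(problems)}")
```
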