Missing port number (same 2.0.3 buglet?)

Carter Bullard carter at qosient.com
Tue Oct 30 11:31:06 EST 2001


Hey Scott,
There are two magical port numbers in ra* programs, 0x0000
and 0xFFFF.  These numbers, which are supposed to be illegal,
unused, unsupported, etc., are used as indicators for some
aggregation operations in programs like ragator, ramon, etc.
When the values are used this way, there are bits in the argus
record header that tell us that the port numbers are either
real or overloaded.  There is probably a bug with this.

Do you have a single record that you can share so I can
debug it?  Do you have an idea what the port number should
be?

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter at qosient.com
Phone +1 212 588-9133
Fax   +1 212 588-9134
http://qosient.com


> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu 
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of 
> Scott A. McIntyre
> Sent: Tuesday, October 30, 2001 11:10 AM
> To: argus-info at lists.andrew.cmu.edu
> Subject: Missing port number (same 2.0.3 buglet?)
> 
> 
> Hi all,
> 
> This may be related to the semi-bug that was found by 
> Chris/Carter (and to be fixed in 2.0.4) but just in case it's 
> not, I'm wondering under what conditions argus() would 
> completely miss a port number in a tcp session.
> 
> Example:
> 
> 30 Oct 01 16:34:25    tcp 212.bbb.xxx.219.51116  ->    194.aaa.yyy.80 EST
> 30 Oct 01 16:34:56    tcp 212.bbb.xxx.219.51116  ->    194.aaa.yyy.80 EST
> 30 Oct 01 16:36:13    tcp 212.bbb.xxx.219.51116  ->    194.aaa.yyy.80 EST
> 30 Oct 01 16:36:44    tcp 212.bbb.xxx.219.51116  ->    194.aaa.yyy.80 EST
> 30 Oct 01 16:37:14    tcp 212.bbb.xxx.219.51116  ->    194.aaa.yyy.80 EST
> 
> As you can see, it's got the source port just fine, 51116, 
> however, there's no destination port.  Indeed, raxml also 
> can't find it, and even listening to argus() live with ra() 
> doesn't catch it:
> 
> 30 Oct 01 16:57:33    tcp  194.aaa.yyy.80        ?>   212.bbb.xxx.219.51116 EST
> 
> Nothing being done for filtering other than specifying the 
> two hosts in question.
> 
> Thanks for any ideas!
> 
> Scott
> 
> 


