Corrupt data file?

Geoff Powell geoff at lanrex.net.au
Fri Aug 22 23:00:40 EDT 2003


Hi Carter,

I was doing some checks using ra utilities (argus-clients-2.0.6.beta.43)
on an Argus data file captured on a Linux gateway. These were my commands
and their output.

I have hidden any of our Internet IP addresses with "HIDDEN".

# racount -n -r 2003-08-22-eth1.out
ArgusWarning: racount[751]: ArgusReadSocketStream: malformed argus record len 0

racount    records       total_pkts         src_pkts         dst_pkts       total_bytes        src_bytes        dst_bytes
    sum          4       5427278366       5067837727        359440639      3500680518         97339921       3403340597

# ra -n -r 2003-08-22-eth1.out
03-08-21                man     192.168.50.5    v2.0    1       0       0      00       0       STA
03-08-21                udp     HIDDEN     500     ->      HIDDEN    500     1       0       218     0       INT
03-08-21        F       unas    1.4.0.88        <->     0.128.8.0       1061473503      496639  671799  3232248437      CON
74-04-09        m       8511    8:0:c0:a8:32:5  <->     1:4:0:94:0:90   4006364223      358944000       96667904        171092160       CON
ArgusWarning: ra[753]: ArgusReadSocketStream: malformed argus record len 0

I did the same commands on the same machine using the older ra utilities
(2.0-4)...

# racount -n -r 2003-08-22-eth1.out
racount    records       total_pkts         src_pkts         dst_pkts       total_bytes        src_bytes        dst_bytes
    sum          3       5427278366       5067837727        359440639      3500680518         97339921       3403340597

# ra -n -r 2003-08-22-eth1.out
03-08-21        man     version=2.0     probeid=192.168.50.5    STA
03-08-21        17      HIDDEN     500     ->      HIDDEN     500    TIM
03-08-21        192     1.4.0.88                <->     0.128.8.0       TIM
74-04-09        8511    %       <->     8:0:c0:a8:32:5  CON

This is my Argus config for the Argus daemon running on that interface

ARGUS_DAEMON=yes
ARGUS_MAX_INSTANCES=1
ARGUS_SET_PID=yes
ARGUS_PID_FILENAME=/var/run/argus.eth1.pid
ARGUS_MONITOR_ID=`hostname`
#ARGUS_ACCESS_PORT=561
ARGUS_BIND_IP="192.168.50.5"
ARGUS_INTERFACE=eth1
ARGUS_OUTPUT_FILE=/cache/traffic/argus/eth1.out
ARGUS_GO_PROMISCUOUS=yes
ARGUS_FLOW_STATUS_INTERVAL=60
ARGUS_MAR_STATUS_INTERVAL=300
#ARGUS_DEBUG_LEVEL=0
ARGUS_GENERATE_RESPONSE_TIME_DATA=no
ARGUS_GENERATE_JITTER_DATA=no
ARGUS_GENERATE_MAC_DATA=no
ARGUS_CAPTURE_DATA_LEN=0
ARGUS_FILTER_OPTIMIZER=yes
ARGUS_FILTER=""
#ARGUS_PACKET_CAPTURE_FILE="/var/log/argus/packet.out"

argus-2.0-5, Linux 2.4.19

I did these commands on the data file from the same gateway/interface
for the previous day; it also produces weird results. All the other
interfaces on the same gateway seem to be fine. None of the other data
files collected for the last week on other servers have done this.

What do you think is going on with that one?


Regards,
Geoff
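The warning "malformed argus record len 0" in the post comes from a reader that validates the length field of each record before advancing, while the older client kept walking past the bad record and printed nonsense (the 74-04-09 timestamps and odd addresses). The following is an added example, not from the original post or from the Argus project, showing how a reader for a length-prefixed binary record stream should handle a zero-length or truncated record: stop at the first bad header, report its offset, and salvage the well-formed prefix. The 4-byte header layout (type, total length) is a constructed, simplified format for illustration only; it is not the real Argus 2.0 record layout, and the sample stream is constructed.

```python
import struct

# Constructed, simplified layout (NOT the real Argus 2.0 record format):
# 2-byte record type + 2-byte total length (big-endian, header included),
# followed by the payload.
HDR = struct.Struct(">HH")
HDR_LEN = HDR.size


def build_record(rtype: int, payload: bytes) -> bytes:
    """Encode one record in the constructed layout above."""
    return HDR.pack(rtype, HDR_LEN + len(payload)) + payload


def scan_records(data: bytes):
    """Walk a length-prefixed record stream.

    Returns (records, error): records is a list of (offset, type, payload)
    for every well-formed record read before the stream ended or became
    malformed; error is None or a message naming the first bad record,
    in the spirit of ra's 'malformed argus record len 0' warning.
    """
    records = []
    off = 0
    while off + HDR_LEN <= len(data):
        rtype, rlen = HDR.unpack_from(data, off)
        if rlen < HDR_LEN:
            # A length of 0 (or anything shorter than the header) would make
            # the loop re-read the same offset forever; refuse to advance.
            return records, f"malformed record len {rlen} at offset {off}"
        if off + rlen > len(data):
            left = len(data) - off
            return records, f"truncated record at offset {off}: len {rlen}, only {left} bytes left"
        records.append((off, rtype, data[off + HDR_LEN:off + rlen]))
        off += rlen
    if off != len(data):
        return records, f"{len(data) - off} trailing bytes at offset {off}"
    return records, None


def salvage(data: bytes) -> bytes:
    """Return the prefix of the stream containing only well-formed records,
    i.e. what an operator could keep from a file corrupted part-way through."""
    records, _ = scan_records(data)
    if not records:
        return b""
    last_off, _, last_payload = records[-1]
    return data[:last_off + HDR_LEN + len(last_payload)]


# Constructed sample stream: three good records, then a header whose length
# field is 0, then junk bytes (the kind of tail that produced garbage rows
# in the older client).
SAMPLE = (
    build_record(1, b"man status")        # 14 bytes, offset 0
    + build_record(17, b"udp 500->500")   # 16 bytes, offset 14
    + build_record(6, b"tcp flow")        # 12 bytes, offset 30
    + b"\x00\x06\x00\x00"                 # type 6, len 0 at offset 42
    + b"garbage bytes follow"
)

if __name__ == "__main__":
    recs, err = scan_records(SAMPLE)
    print(f"{len(recs)} well-formed records, error: {err}")
    for off, rtype, payload in recs:
        print(f"  offset={off} type={rtype} payload={payload!r}")
    print(f"salvageable bytes: {len(salvage(SAMPLE))}")
```

Run it to see the three good records and the offset of the bad header; the offset is what you would feed to `dd`, `head -c`, or a similar tool to cut a corrupt file down to its usable prefix before re-running ra or racount on it.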