Bug in ramon?

Jesper S. Jensen jesper.skou.jensen at uni-c.dk
Fri Sep 5 04:01:05 EDT 2003 

First of all, I hope this is the right place to ask, if not please let 
me know where. :-)


I think I discovered a bug in ramon, at least it seems like a bug and I 
can't find any other info about it.

Ramon Version 2.0.6.beta.39
Debian Linux 2.4.20

When I do a "ramon -M TopN -r argus.log" on a 740MB argus logfile, it 
first of all takes a little while before it wrties anything on the 
screen, but I figgure that's because it just takes time to process that 
much data. BUT when it finally outputs something, it looks like it hit a 
32bit barrier, check out the following output (IP addresses replaced 
with bogus numbers).

09-04-03 12:24:21.747000   1.1.1.1 5875953  7201376   1116556318 
4294861276
09-04-03 16:35:45.506000   1.1.1.1 5698131  6968734   1238974186 
4294966542
09-04-03 12:26:20.135000   2.2.2.2 8229770  13233902  756695495 
4294954687
09-04-03 12:28:11.403000   3.3.3.3 10591919 8372696   4291289519 
1020946946
09-04-03 12:29:34.735000   4.4.4.4 3106858  0         4216469514   0
09-04-03 12:29:07.391000   5.5.5.5 5425279  5211113   886130456    866938764
09-04-03 23:08:51.231000   1.1.1.1 3021052  3738420   455966669 
2176288311
09-04-03 12:29:05.815000   6.6.6.6 2807476  3152745   353902555 
1709921581
09-05-03 03:55:52.738000   3.3.3.3 2316343  2000663   856926998    256631282
09-04-03 12:28:44.507000   7.7.7.7 361669   2923205   69447525 
3972497832

As you can se, some of the numbers appear serval times, which I doubt is 
right. And the bytes counter hits just arround 2^32, and the numbers at 
4.4.4.4 looks very weird as well, 0bytes? I think not...
This leads me to think that there is a 32bit limit, either in the 
client, or maybe related to the OS?

Am I right, or have I overlooked something?


-- 

   Jesper S. Jensen
Basisnet og Sikkerhed
Uni-C - Århus, Danmark
    +45 8937-6666

More information about the argus mailing list