[ARGUS] Patch for man records

Peter Van Epp vanepp at sfu.ca
Sat Aug 7 20:19:05 EDT 2004 

	Indeed, it isn't the byte count but rather the sequence number and 
there is a "d" (signed) format that I expect should be "u" for both that and
the number of flows. Both are specific to mar records so shouldn't affect 
anything else neither should ever be negative. As well we should put the man 
format in a man page somewhere (if its there I couldn't see it):

07 Aug 04 15:59:36           man  229.97.122.203  v2.0          -973267286 31291
 startime              indicator   major_version     nextMrSequenceNum     flows

 1129401  102       556049277    57179       CON
pktsRcvd  pktsDrop  bytesRcvd    dst.bytes   ahdr.cause

new:

05 Apr 04 08:09:36           man  229.97.122.203  v2.0                   1 0     0        0         0            0           STA
07 Aug 04 15:59:36           man  229.97.122.203  v2.0          3321700010 31291 1129401  102       556049277    57179       CON

	Bytes received against byte transmitted seems odd (assuming thats what
the counts mean in this context) as well. I'll have to poke at that on one of
the test files that I have tcpdump count output for and see whats up.

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

Here is a diff against argus-clients-2.0.6.fixes.1:

*** common/argus_util.c.orig	Sat Aug  7 15:03:50 2004
--- common/argus_util.c	Sat Aug  7 17:10:32 2004
***************
*** 1537,1543 ****
     struct ArgusFlow *flow;
  
     if (argus->ahdr.type & ARGUS_MAR) {
!       sprintf (&buf[strlen(buf)], "%*d ", hfield, argus->argus_mar.nextMrSequenceNum);
  
     } else {
        flow = &argus->argus_far.flow;
--- 1537,1543 ----
     struct ArgusFlow *flow;
  
     if (argus->ahdr.type & ARGUS_MAR) {
!       sprintf (&buf[strlen(buf)], "%*u ", hfield, argus->argus_mar.nextMrSequenceNum);
  
     } else {
        flow = &argus->argus_far.flow;
***************
*** 1650,1656 ****
  ArgusPrintDstPort (char *buf, struct ArgusRecord *argus)
  {
     if (argus->ahdr.type & ARGUS_MAR) {
!       sprintf (&buf[strlen(buf)], "%-*d", pfield + 1, argus->argus_mar.flows);
  
     } else {
        struct ArgusFlow *flow = &argus->argus_far.flow;
--- 1650,1656 ----
  ArgusPrintDstPort (char *buf, struct ArgusRecord *argus)
  {
     if (argus->ahdr.type & ARGUS_MAR) {
!       sprintf (&buf[strlen(buf)], "%-*u", pfield + 1, argus->argus_mar.flows);
  
     } else {
        struct ArgusFlow *flow = &argus->argus_far.flow;

More information about the argus mailing list