[ARGUS] apparant bug in 2.0.6 ...

Carter Bullard carter at qosient.com
Fri Jun 18 15:43:10 EDT 2004 

Well, it should be consistent and intelligible whatever its suppose to do.
Do you have any records I can use for debugging?

Hope all is most excellent with you!!!

Carter



-----Original Message-----
From: owner-argus-info at lists.andrew.cmu.edu
[mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of Peter Van Epp
Sent: Friday, June 18, 2004 3:04 PM
To: argus-info at lists.andrew.cmu.edu
Subject: Re: [ARGUS] apparant bug in 2.0.6 ...

	It doesn't come back, but it does at least have a blank field (I
need
to do an od of the tab output to see if it does as well, and perl is eating
the extra tabs by accident):

ra -F /data/ra.conf -r archive/2004/06/07/argus.2004.06.07.23.00.00.gz -c
-nn host 192.0.0.250
1086674443.424428,f,6,192.0.0.250,,?>,192.75.245.160,,2,0,108,0,TIM

	My problem is the port field isn't being recognized by the perl
script
so the counts and flags end up in the wrong place. Looks like it is the tab:

ra -F /data/ra.conf -r archive/2004/06/07/argus.2004.06.07.23.00.00.gz -c
-nn host 192.0.0.250 | od -c
0000000    1   0   8   6   6   7   4   4   4   3   .   4   2   4   4   2
0000020    8  \t   f  \t   6  \t   1   9   2   .   0   .   0   .   2   5
0000040    0  \t   ?   >  \t   1   9   2   .   7   5   .   2   4   5   .
0000060    1   6   0  \t   2  \t   0  \t   1   0   8  \t   0  \t   T   I

	tab missing at offset 42 and 64 commas are correct (so I can switch
to comma and it should work). It is somewhat odd (but perhaps a feature?)
that
the port number changes when the conf file is in use as opposed to the
command
line. I do vaguely remember discussion of this point with Russell at some
time
in the past as well.

ra -F /data/ra.conf -r archive/2004/06/07/argus.2004.06.07.23.00.00.gz -c
-nn host 192.0.0.250 | od -c
0000000    1   0   8   6   6   7   4   4   4   3   .   4   2   4   4   2
0000020    8   ,   f   ,   6   ,   1   9   2   .   0   .   0   .   2   5
0000040    0   ,   ,   ?   >   ,   1   9   2   .   7   5   .   2   4   5
0000060    .   1   6   0   ,   ,   2   ,   0   ,   1   0   8   ,   0   ,

Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada



On Fri, Jun 18, 2004 at 02:42:42PM -0400, Carter Bullard wrote:
> Hey Peter,
>    So it may be the FIELD_DELIMITER, if you change it to something
> like ',' do the ports come back?  We do make exception to the 0xffff
> in the port field, but it should still print something.
>
> Carter
>

More information about the argus mailing list