port numbers missing from argus records

Russell Fulton r.fulton at auckland.ac.nz
Tue Apr 19 19:10:02 EDT 2005


Hi Folks,
I am seeing records from argus that appear to be missing the source
port number for TCP flows.  The errant flows are detected by two
different copies of ra which take feeds from the meter.

e.g. bad record:
'1113950468.112,,tcp,130.216.191.84,->,216.200.62.206,80,FSPA_FSPA'


ra is run with the following config file:
RA_FIELD_DELIMITER='\t'
RA_PRINT_HOSTNAMES=no
RA_TIME_FORMAT="%G-%m-%d-%T"
RA_USEC_PRECISION=3
RA_FIELD_SPECIFIER="startime ind proto saddr sport dir daddr dport status"

and the perl script (watcher) changes the "\t"s to commas before writing
out the record.

As one can see, we get the saddr followed immediately by the dir with no
sport.

This happens for a very small proportion of the records; I'm seeing a
few of these an hour on a 100Mbps link.

Here are the versions:
drwxr-xr-x  13 rful011  argus     512 Feb  4 16:07 argus-2.0.6.fixes.1
drwxr-xr-x  15 rful011  argus    1024 Feb  4 16:15 argus-clients-2.0.6.fixes.1

I think this started when I installed argus-2.0.6.fixes.1 back in Feb.

-- 
Russell Fulton, Information Security Officer, The University of Auckland
New Zealand
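The post's watcher script passes ra records through untouched, so a record that has silently lost a field is only noticed when someone reads the output. The script below is an added example, not part of the original post or of the argus project: it checks each comma-delimited record against the field list from the RA_FIELD_SPECIFIER above (startime ind proto saddr sport dir daddr dport status), reports records whose field count is wrong, and, when an IPv4 saddr is followed directly by a direction marker, names the missing field as sport. The set of direction tokens is an assumption based on ra's usual "->", "<-", "<->" notation; the sample records other than the quoted bad one are constructed for contrast.

```python
"""Flag ra records whose field count or port fields do not match the
configured RA_FIELD_SPECIFIER.

Added example, not code from the original post or from the argus project.
It assumes the field specifier given in the post (startime ind proto saddr
sport dir daddr dport status) and that the tab delimiter has already been
replaced by commas, as the post's watcher script does. DIR_TOKENS is an
assumed set of ra direction markers.
"""
import ipaddress

FIELDS = ["startime", "ind", "proto", "saddr", "sport", "dir", "daddr", "dport", "status"]
DIR_TOKENS = {"->", "<-", "<->", "?>", "<?", "<?>"}  # assumed direction markers

# Constructed sample input: the first line is the bad record quoted in the
# post; the other two are well-formed records made up for contrast.
SAMPLE_RECORDS = [
    "1113950468.112,,tcp,130.216.191.84,->,216.200.62.206,80,FSPA_FSPA",
    "1113950468.200,,tcp,130.216.191.84,51234,->,216.200.62.206,80,FSPA_FSPA",
    "1113950469.001,,udp,130.216.191.85,53412,<->,130.216.1.1,53,CON",
]


def is_ipv4(token):
    """True if token parses as a dotted-quad IPv4 address."""
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def parse_record(line):
    """Return (record_dict_or_None, problems) for one comma-delimited record.

    problems is a list of strings; empty means the record matched FIELDS and
    its TCP/UDP ports are numeric. A record with the wrong field count is not
    turned into a dict, because the positional mapping would be wrong.
    """
    tokens = line.rstrip("\n").split(",")
    problems = []
    if len(tokens) != len(FIELDS):
        sport_idx = FIELDS.index("sport")
        # If an IPv4 saddr sits where it should and the direction marker
        # follows it immediately, the field that dropped out is sport.
        if (len(tokens) == len(FIELDS) - 1
                and is_ipv4(tokens[sport_idx - 1])
                and tokens[sport_idx] in DIR_TOKENS):
            problems.append("sport missing: dir follows saddr directly")
        else:
            problems.append(f"expected {len(FIELDS)} fields, got {len(tokens)}")
        return None, problems
    rec = dict(zip(FIELDS, tokens))
    if rec["proto"] in ("tcp", "udp"):
        for port_field in ("sport", "dport"):
            if not rec[port_field].isdigit():
                problems.append(f"{port_field} is not numeric: {rec[port_field]!r}")
    return rec, problems


def audit(lines):
    """Return (good_count, bad_records); bad_records pairs each faulty line
    with its list of problems."""
    good = 0
    bad = []
    for line in lines:
        _, problems = parse_record(line)
        if problems:
            bad.append((line, problems))
        else:
            good += 1
    return good, bad


if __name__ == "__main__":
    good, bad = audit(SAMPLE_RECORDS)
    print(f"{good} well-formed, {len(bad)} faulty")
    for line, problems in bad:
        print(line)
        for p in problems:
            print("   ", p)
```

Run against the watcher's output file (one record per line) to get a count of affected records per hour rather than relying on spotting them by eye; records that fail the check should be quarantined rather than loaded into whatever consumes the feed, since a positional parser would otherwise read the direction marker as the source port and shift every later field.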