port numbers missing from argus records

[Peter Van Epp]

On Wed, Apr 20, 2005 at 11:10:02AM +1200, Russell Fulton wrote:
> Hi Folk,
> 	I am seeing records from argus that appear to be missing the source
> port number for TCP flows.  The errant flows are detected by two
> different copies of ra which take feeds from the meter.
> 
> eg:
>  Bad rec
> '1113950468.112,,tcp,130.216.191.84,->,216.200.62.206,80,FSPA_FSPA'
> 
> 
> ra is run with the following config file:
> RA_FIELD_DELIMITER='\t'
> RA_PRINT_HOSTNAMES=no
> RA_TIME_FORMAT="%G-%m-%d-%T"
> RA_USEC_PRECISION=3
> RA_FIELD_SPECIFIER="startime ind proto saddr sport dir daddr dport
> status"
> 
> and the perl script (watcher) changes the "\t"s to commas before writing
> out the record.
> 
> As one can see we get the saddr followed immediately by the dir with no
> sport.
> 
> This happens for a very small proportion of the records, I'm seeing a
> few of these an hour on a 100Mbps link.
> 
> here are the versions:
> drwxr-xr-x  13 rful011  argus     512 Feb  4 16:07 argus-2.0.6.fixes.1
> drwxr-xr-x  15 rful011  argus    1024 Feb  4 16:15 argus-clients-2.0.6.fixes.1
> 
> I think this started when I installed argus-2.0.6.fixes.1 back in Feb.
> 
> -- 
> Russell Fulton, Information Security Officer, The University of Auckland
> New Zealand

# temporary work around for all 1s port numbers ...

if((($type eq "udp") || ($type eq "tcp")) && (($src_port eq "") || ($dst_port eq
 ""))) {
        if ($src_port eq "") {
                $src_port = 65535;
        }
        if ($dst_port eq "") {
                $dst_port = 65535;
        }
}

	The infamous "*" when for some reason (that I don't remember) there is
more than one port number in a flow(?) which is encoded by all 1s and then
eats the legal 65565 port number I think.

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada