port numbers missing from argus records
Russell Fulton
r.fulton at auckland.ac.nz
Tue Apr 19 21:29:58 EDT 2005
On Tue, 2005-04-19 at 18:19 -0700, Peter Van Epp wrote:
>
> # temporary work around for all 1s port numbers ...
>
> if ((($type eq "udp") || ($type eq "tcp")) && (($src_port eq "") || ($dst_port eq ""))) {
>     if ($src_port eq "") {
>         $src_port = 65535;
>     }
>     if ($dst_port eq "") {
>         $dst_port = 65535;
>     }
> }
>
> The infamous "*" when for some reason (that I don't remember) there is
> more than one port number in a flow(?) which is encoded by all 1s and then
> eats the legal 65565 port number I think.
My problem is not that the port number is null; it is missing entirely
from the delimited output. At the moment I only seem to be dropping
source ports, so I suppose I could check how many tokens I get from ra
and set $sport to '' if there are fewer than expected, but what happens if
it starts dropping dest ports too?
I'll have a poke at the code this afternoon and see if I can figure out
how ra manages to not output the port number.
Russell
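The token-counting approach Russell sketches above, worked through as an added example (Python rather than Perl, and not code from the argus project or from either poster). It goes a little beyond the message: besides detecting a record that is one column short, it tries each port column as the absent one and only accepts the guess when the rest of the record still validates, so a dropped destination port is caught as well, and it keeps the "*" wildcard distinct from 65535 so aggregated flows are not confused with the real port. The column layout, delimiter, direction tokens and sample records are constructed assumptions for illustration, not ra's actual default output.

```python
"""Defensive parser for delimited flow records in which a port column may be
absent from the line (not merely empty), as described in the thread.

Added example; it is not code from the argus project or from either poster.
The column layout, delimiter, direction tokens and sample records are
constructed assumptions for illustration, not ra's actual default output."""

from typing import Optional

# Assumed column layout of one record (constructed for this example).
FIELDS = ["stime", "proto", "saddr", "sport", "dir", "daddr", "dport", "bytes"]
DELIM = ","
WILDCARD = "*"                      # printed when a flow aggregates several ports
DIRS = {"->", "<-", "<->"}          # assumed direction tokens


def parse_port(tok: str) -> Optional[int]:
    """Return the port as int, None for the wildcard, or raise ValueError.

    The wildcard is deliberately not mapped onto 65535: doing so makes an
    aggregated flow indistinguishable from traffic on the real port 65535."""
    if tok == WILDCARD:
        return None
    port = int(tok)                 # ValueError on anything non-numeric
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {tok}")
    return port


def _fields_valid(rec: dict, skip: str) -> bool:
    """Check the direction token and every port column except `skip`."""
    if rec["dir"] not in DIRS:
        return False
    for name in ("sport", "dport"):
        if name == skip:
            continue
        try:
            parse_port(rec[name])
        except ValueError:
            return False
    return True


def parse_record(line: str) -> dict:
    """Map one line onto FIELDS, coping with exactly one missing port column.

    When the line is one token short, each port column is tried as the absent
    one and the guess is accepted only if everything else still validates.
    Anything else is flagged malformed and kept raw rather than silently
    misaligned into the wrong columns."""
    tokens = line.rstrip("\n").split(DELIM)
    rec = {"malformed": False}
    if len(tokens) == len(FIELDS):
        rec.update(zip(FIELDS, tokens))
        if _fields_valid(rec, skip=""):
            return rec
    elif len(tokens) == len(FIELDS) - 1:
        candidates = []
        for missing in ("sport", "dport"):
            kept = [f for f in FIELDS if f != missing]
            cand = dict(zip(kept, tokens))
            cand[missing] = ""      # empty string marks the absent column
            if _fields_valid(cand, skip=missing):
                candidates.append((missing, cand))
        if len(candidates) == 1:    # unambiguous: accept the inference
            missing, cand = candidates[0]
            rec.update(cand)
            rec["inferred_missing"] = missing
            return rec
    rec["malformed"] = True
    rec["raw"] = line
    return rec


def parse_records(text: str) -> list:
    """Parse every non-blank line of a delimited dump."""
    return [parse_record(l) for l in text.splitlines() if l.strip()]


# Constructed sample input: a normal record, one with the source port column
# dropped, one with a wildcard source port, and one truncated beyond repair.
SAMPLE = """\
2005-04-19 18:19:00,tcp,10.0.0.5,51234,->,10.0.0.9,80,1234
2005-04-19 18:19:01,udp,10.0.0.5,->,10.0.0.9,53,96
2005-04-19 18:19:02,tcp,10.0.0.7,*,->,10.0.0.9,443,5120
2005-04-19 18:19:03,tcp,10.0.0.8,1,2,3
"""

if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        if rec["malformed"]:
            print("MALFORMED:", rec["raw"].strip())
        else:
            print(rec["proto"], rec["saddr"], repr(rec["sport"]), rec["dir"],
                  rec["daddr"], rec["dport"], rec.get("inferred_missing", ""))
```

Records that cannot be aligned unambiguously are kept whole under a "malformed" flag so they can be counted and inspected; a post-processing script that guessed instead would quietly shift the destination address into the port column and corrupt every downstream tally.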