port numbers missing from argus records

Russell Fulton r.fulton at auckland.ac.nz
Wed Apr 20 01:13:18 EDT 2005


On Tue, 2005-04-19 at 19:03 -0700, Peter Van Epp wrote:

> 	Ah, the previous bug which begats the one this fix is for. \t is 
> broken (as I recall the code \t isn't a valid delimiter I think it really
> wants cntrl-I in there) but by that time I had made this change and didn't
> worry about it.

Ah! indeed.  I think I have found the problem:

In get_argus_string (file argus_util.c) a buffer is built for output
from the argus record.  First there is a loop which writes the fields
into the buffer.  Some of these fields are delimited by the RA_DELIMITER,
others are separated by spaces (???? I'm sure Carter had a good reason
at the time :)

If the output is delimited then this is followed by another loop that
works its way down the buffer removing all strings of white space
( while (isspace((int)*str)) str++ )
and replacing them with a single delimiter.  Thus if your delimiter is
'\t' two delimiters get replaced by one -- exactly what I was seeing.

I have replaced that line (argus_util:2888) by:
        while (*str == ' ' ) str++;
which in the context is, I believe, functionally equivalent (and faster)
and will allow tabs as a delimiter.

I've had it running in parallel with the original version and it is now
correctly handling the "null" port records that the old version spits
out.

I'm feeling quite pleased with myself :)  It must be about 5 years since
I last delved into the guts of argus to fix a bug!

Cheers, Russell
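
The behaviour described in the message above, as an added example (not the argus source): `collapse_padding` is a hypothetical stand-in for the second loop in get_argus_string, run with both tests over a constructed tab-delimited record that has empty port fields. It shows how many columns a downstream parser sees in each case.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed record: proto, saddr, sport (empty), daddr, dport (empty),
 * then two counters separated by spaces rather than the delimiter. */
static const char SAMPLE[] = "icmp\t10.0.0.1\t\t10.0.0.2\t\t12   840";

/* use_isspace=1 models the original test, 0 models the ' '-only replacement. */
static int is_pad(unsigned char c, int use_isspace)
{
    return use_isspace ? isspace(c) != 0 : c == ' ';
}

/* Hypothetical stand-in for the second loop: copy src to dst, replacing each
 * run of padding characters with one delimiter. Returns the output length. */
size_t collapse_padding(const char *src, char *dst, size_t dstlen,
                        char delim, int use_isspace)
{
    size_t n = 0;
    if (dstlen == 0)
        return 0;
    while (*src && n + 1 < dstlen) {
        if (is_pad((unsigned char)*src, use_isspace)) {
            while (is_pad((unsigned char)*src, use_isspace))
                src++;              /* skip the whole run */
            dst[n++] = delim;       /* and emit a single delimiter */
        } else {
            dst[n++] = *src++;
        }
    }
    dst[n] = '\0';
    return n;
}

/* Number of delimiter-separated columns a downstream parser would see. */
int count_fields(const char *rec, char delim)
{
    int fields = 1;
    for (; *rec; rec++)
        fields += (*rec == delim);
    return fields;
}

int main(void)
{
    char out[128];
    collapse_padding(SAMPLE, out, sizeof out, '\t', 1);
    printf("isspace(): %d fields\n", count_fields(out, '\t'));
    collapse_padding(SAMPLE, out, sizeof out, '\t', 0);
    printf("== ' '   : %d fields\n", count_fields(out, '\t'));
    return 0;
}
```

With the isspace() test the two empty port columns disappear and every later column shifts left; with the space-only test they survive.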
