port numbers missing from argus records

Carter Bullard carter at qosient.com
Mon Apr 25 17:32:47 EDT 2005


Hey Guys,
   Sorry, about being away.  Yes, indeed, just as Russell
indicates, we build the output string, and then rip out
the remaining white space.  This is because some of the
column output routines pad the fields with spaces to get
the right width when the delimiter is the default ' ', so
in trying to reuse these routines, I ended up having to
take out white space as a last step.

   I'll make the changes as Russell indicates.

Carter



   


-----Original Message-----
From: owner-argus-info at lists.andrew.cmu.edu
[mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of Russell Fulton
Sent: Wednesday, April 20, 2005 1:13 AM
To: Peter Van Epp
Cc: argus-info at lists.andrew.cmu.edu
Subject: Re: [ARGUS] port numbers missing from argus records

On Tue, 2005-04-19 at 19:03 -0700, Peter Van Epp wrote:

> 	Ah, the previous bug which begats the one this fix is for. \t is 
> broken (as I recall the code \t isn't a valid delimiter I think it really
> wants cntrl-I in there) but by that time I had made this change and didn't
> worry about it.

Ah! indeed.  I think I have found the problem:

in get_argus_string (file argus_util.c) a buffer is built for output
from the argus record.  First there is a loop which writes the fields
into the buffer.  Some of these fields are delimited by the RA_DELIMITER
others are separated by spaces (???? I'm sure Carter had a good reason
at the time :)

If the output is delimited then this is followed by another loop the
works its way down the buffer removing all strings of white space
( while (isspace((int)*str)) str++ )
and replacing them with a single delimiter.  Thus if your delimiter is
'\t' two delimiters get replaced by one -- exactly what I was seeing.

I have replaced that line (argus_util:2888) by : 
        while (*str == ' ' ) str++;
which in the context is, I believe, functionally equivalent (and faster)
and will allow tabs as a delimiter.

I've had it running in parallel with the original version and it is now
correctly handling the "null" port records that the old version spits
out.

I'm feeling quite pleased with myself :)  It must be about 5 years since
I last delved into the guts of argus to fix a bug!

Cheers, Russell






More information about the argus mailing list