argus-clients-3.0.0.rc.21

Peter Van Epp vanepp at sfu.ca
Tue Aug 1 11:44:56 EDT 2006


	Well rc.21 indeed fixes the tos problem:

%ra3 -Fra3.conf.full -r badtcp2.argus
StartTime,LastTime,Trans,Dur,AvgDur,SrcAddr,DstAddr,Proto,Sport,Dport,sTos,dTos,sTtl,dTtl,SrcBytes,DstBytes,SAppBytes,DAppBytes,SrcPkts,DstPkts,Src_bps,Dst_bps,Src_pps,Dst_pps,SrcLoss,DstLoss,SrcId,Flgs,SrcMac,DstMac,Dir,SrcJitter,DstJitter,State,srcUdata,dstUdata,SrcWin,DstWin,Seq,sMpls,dMpls,sVlan,dVlan,sIpId,dIpId
1151432428.834986,1151433529.662031,1,1100.827045,1100.827026,142.58.250.27,142.58.249.237,udp,2049,800,,0,,64,4521068,3178714,2499724,2259220,20760,19989,32855.793,23100.553,18.859,18.158,0,0,229.97.122.203, v       ,0:2:b3:d8:98:6e,0:11:88:5:5d:1d,<->,,,CON,s[16]="fx..............",d[16]="gx..............",,,14,,,0x8200,0x8200,,0x0000
1151432428.835259,1151432550.587752,1,121.752493,121.752495,142.58.64.150,216.239.57.104,tcp,4074,80,0,,128,,5227,0,3835,0,24,0,343.451,0.000,0.197,0.000,0,0,229.97.122.203, v       ,0:13:ce:6:e2:bf,0:11:88:5:5d:1d,?>,,16163523.00,FIN,s[16]="GET /pagead/imga",,17520,0,8695,,,0x0286,,0xa4ef,
1151432430.103319,1151433529.662021,1,1099.558702,1099.558716,142.58.249.237,142.58.250.27,udp,800,2049,,0,,63,3176652,4518840,2257756,2498140,19976,20746,23112.195,32877.480,18.167,18.868,0,0,229.97.122.203, v       ,0:11:88:5:5d:1d,0:2:b3:d8:98:6e,<->,,,CON,s[16]="px..............",d[16]="px..............",,,1,,,0x8200,0x8200,,0xb9c4

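	but it still seems to have other problems (possibly related to the 
same thing, I don't know yet). In this case it looks like it is omitting ttl
and tos when it shouldn't (the source-side tos and ttl fields are empty in the
second record of the pair below, where the first record has 0 and 128):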

line: 7 fields in error: sttl,dir,stos,
1151432428.834980,1151432968.849102,1,540.014122,540.014122,142.58.206.16,142.58
.202.108,tcp,524,1434,0,0,128,128,4270036130,91141044,4095125356,4541942,3015703
,1493083,63258140.20,1350202.38,5584.49,2764.90,0.0007,0.0000,3848370891,qs,0:f:
1f:f8:c4:c1,0:11:88:5:5d:1d,?>,1278.000000,3716.553425,CON,s[16]=".Y....&!..:KLJ
j(",d[16]="DmdT...1........",21344,17520,8541,,,0x80ce,0x80ca,0xfee9
1151432428.834980,1151432968.849102,1,540.014122,540.014099,142.58.206.16,142.58
.202.108,tcp,524,1434,,0,,128,4270036130,91141044,4095125356,4541942,3015703,149
3083,63258144.000,1350202.375,5584.489,2764.896,0,0,229.97.122.203, vs      ,0:f
:1f:f8:c4:c1,0:11:88:5:5d:1d,<?>,1278.000000,3716.47,CON,s[16]=".Y....&!..:KLJj(
",d[16]="DmdT...1........",21344,17520,8541,,,0x80ce,0x80ca,,0xfee9

	These are the first few error records with ra3.new (with the bzero of 
the entire buffer):

%./ra_test.pl rs178.2.argus | more
sport 255 gbl
dport 255 gbl

line: 4 fields in error: dport,sport,
1151432428.829164,1151432428.829164,1,0.000000,0.000000,0:4:0:87:f5:6,ff:ff:ff:f
f:ff:ff,llc,255,255,,,,,114,0,96,0,1,0,0.00,0.00,inf,0.00,0.0000,0.0000,38483708
91,q,0:4:0:87:f5:6,ff:ff:ff:ff:ff:ff,->,,,INT,s[16]="...`............",,,,8676,,
,0x8200,,
1151432428.829164,1151432428.829164,1,0.000000,0.000000,0:4:0:87:f5:6,ff:ff:ff:f
f:ff:ff,llc,gbl,gbl,,,,,114,0,96,0,1,0,0.000,0.000,0.000,0.000,0,0,229.97.122.20
3, v       ,0:4:0:87:f5:6,ff:ff:ff:ff:ff:ff,->,,,INT,s[16]="...`............",,,
,8676,,,0x8200,,,


line: 7 fields in error: dir,
1151432428.834980,1151432968.849102,1,540.014122,540.014122,142.58.206.16,142.58
.202.108,tcp,524,1434,0,0,128,128,4270036130,91141044,4095125356,4541942,3015703
,1493083,63258140.20,1350202.38,5584.49,2764.90,0.0007,0.0000,3848370891,qs,0:f:
1f:f8:c4:c1,0:11:88:5:5d:1d,?>,1278.000000,3716.553425,CON,s[16]=".Y....&!..:KLJ
j(",d[16]="DmdT...1........",21344,17520,8541,,,0x80ce,0x80ca,0xfee9
1151432428.834980,1151432968.849102,1,540.014122,540.014099,142.58.206.16,142.58
.202.108,tcp,524,1434,0,0,128,128,4270036130,91141044,4095125356,4541942,3015703
,1493083,63258144.000,1350202.375,5584.489,2764.896,0,0,229.97.122.203, vs      
,0:f:1f:f8:c4:c1,0:11:88:5:5d:1d,<?>,1278.000000,3716.47,CON,s[16]=".Y....&!..:K
LJj(",d[16]="DmdT...1........",21344,17520,8541,,,0x80ce,0x80ca,0xfee9,0xfee9

sloss 139.0000 0 

line: 15 fields in error: proto,sloss,
1151432428.835508,1151432946.117999,1,517.282491,517.282491,142.58.205.8,24.85.1
38.30,rtp,16386,41238,0,0,64,0,2500442,0,1317184,0,25723,0,38670.43,0.00,49.73,0
.00,139.0000,0.0000,3848370891,q,0:16:cb:85:6b:be,0:11:88:5:5d:1d,->,16300.00000
0,,INT,s[16]="......w..0......",,,,8551,,,0x0200,,0x82df
1151432428.835508,1151432946.117999,1,517.282491,517.282471,142.58.205.8,24.85.1
38.30,udp,16386,41238,0,,64,,2500442,0,1317184,0,25723,0,38670.430,0.000,49.727,
0.000,0,0,229.97.122.203, v       ,0:16:cb:85:6b:be,0:11:88:5:5d:1d,->,16300.000
000,,INT,s[16]="......w..0......",,,,8551,,,0x0200,,0x82df,

	this is the same thing with ra3 from rc.21:

./ra_test.pl rs178.2.argus | more
sport 255 gbl
dport 255 gbl

line: 4 fields in error: dport,sport,
1151432428.829164,1151432428.829164,1,0.000000,0.000000,0:4:0:87:f5:6,ff:ff:ff:f
f:ff:ff,llc,255,255,,,,,114,0,96,0,1,0,0.00,0.00,inf,0.00,0.0000,0.0000,38483708
91,q,0:4:0:87:f5:6,ff:ff:ff:ff:ff:ff,->,,,INT,s[16]="...`............",,,,8676,,
,0x8200,,
1151432428.829164,1151432428.829164,1,0.000000,0.000000,0:4:0:87:f5:6,ff:ff:ff:f
f:ff:ff,llc,gbl,gbl,,,,,114,0,96,0,1,0,0.000,0.000,0.000,0.000,0,0,229.97.122.20
3, v       ,0:4:0:87:f5:6,ff:ff:ff:ff:ff:ff,->,,,INT,s[16]="...`............",,,
,8676,,,0x8200,,,


line: 7 fields in error: sttl,dir,stos,
1151432428.834980,1151432968.849102,1,540.014122,540.014122,142.58.206.16,142.58
.202.108,tcp,524,1434,0,0,128,128,4270036130,91141044,4095125356,4541942,3015703
,1493083,63258140.20,1350202.38,5584.49,2764.90,0.0007,0.0000,3848370891,qs,0:f:
1f:f8:c4:c1,0:11:88:5:5d:1d,?>,1278.000000,3716.553425,CON,s[16]=".Y....&!..:KLJ
j(",d[16]="DmdT...1........",21344,17520,8541,,,0x80ce,0x80ca,0xfee9
1151432428.834980,1151432968.849102,1,540.014122,540.014099,142.58.206.16,142.58
.202.108,tcp,524,1434,,0,,128,4270036130,91141044,4095125356,4541942,3015703,149
3083,63258144.000,1350202.375,5584.489,2764.896,0,0,229.97.122.203, vs      ,0:f
:1f:f8:c4:c1,0:11:88:5:5d:1d,<?>,1278.000000,3716.47,CON,s[16]=".Y....&!..:KLJj(
",d[16]="DmdT...1........",21344,17520,8541,,,0x80ce,0x80ca,,0xfee9


line: 8 fields in error: sttl,stos,
1151432428.834986,1151433529.662031,1,1100.827045,1100.827045,142.58.250.27,142.
58.249.237,udp,2049,800,0,0,64,64,4521068,3178714,2499724,2259220,20760,19989,32
855.79,23100.55,18.86,18.16,0.0000,0.0000,3848370891,q,0:2:b3:d8:98:6e,0:11:88:5
:5d:1d,<->,,,CON,s[16]="fx..............",d[16]="gx..............",,,14,,,0x8200
,0x8200,0x0000
1151432428.834986,1151433529.662031,1,1100.827045,1100.827026,142.58.250.27,142.
58.249.237,udp,2049,800,,0,,64,4521068,3178714,2499724,2259220,20760,19989,32855
.793,23100.553,18.859,18.158,0,0,229.97.122.203, v       ,0:2:b3:d8:98:6e,0:11:8
8:5:5d:1d,<->,,,CON,s[16]="fx..............",d[16]="gx..............",,,14,,,0x8
200,0x8200,,0x0000

sloss 139.0000 0 

line: 15 fields in error: proto,sloss,
1151432428.835508,1151432946.117999,1,517.282491,517.282491,142.58.205.8,24.85.1
38.30,rtp,16386,41238,0,0,64,0,2500442,0,1317184,0,25723,0,38670.43,0.00,49.73,0
.00,139.0000,0.0000,3848370891,q,0:16:cb:85:6b:be,0:11:88:5:5d:1d,->,16300.00000
0,,INT,s[16]="......w..0......",,,,8551,,,0x0200,,0x82df
1151432428.835508,1151432946.117999,1,517.282491,517.282471,142.58.205.8,24.85.1
38.30,udp,16386,41238,0,,64,,2500442,0,1317184,0,25723,0,38670.430,0.000,49.727,
0.000,0,0,229.97.122.203, v       ,0:16:cb:85:6b:be,0:11:88:5:5d:1d,->,16300.000
000,,INT,s[16]="......w..0......",,,,8551,,,0x0200,,0x82df,

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada


