argus-clients-3.0.0.rc.21

Carter Bullard carter at qosient.com
Tue Aug 1 15:04:52 EDT 2006


The missing labels and possibly data is the side effect of me trying to
solve another problem, so I have broken some things that need to be fixed,
hopefully quickly. I tried to remove the sprintf(&buf[strlen(buf)],
references, which were causing other problems, like bad performance, and I
need to fix them.

If you could tell me what fields are missing from your complete list, I'll
try to get a new version out tonight.

Carter

On Aug 1, 2006, at 11:44 AM, Peter Van Epp wrote:

> 	Well rc.21 indeed fixes the tos problem:
>
> %ra3 -Fra3.conf.full -r badtcp2.argus
> StartTime,LastTime,Trans,Dur,AvgDur,SrcAddr,DstAddr,Proto,Sport,Dport, 
> sTos,dTos,sTtl,dTtl,SrcBytes,DstBytes,SAppBytes,DAppBytes,SrcPkts,DstP 
> kts,Src_bps,Dst_bps,Src_pps,Dst_pps,SrcLoss,DstLoss,SrcId,Flgs,SrcMac, 
> DstMac,Dir,SrcJitter,DstJitter,State,srcUdata,dstUdata,SrcWin,DstWin,S 
> eq,sMpls,dMpls,sVlan,dVlan,sIpId,dIpId
> 1151432428.834986,1151433529.662031,1,1100.827045,1100.827026,142.58.2 
> 50.27,142.58.249.237,udp, 
> 2049,800,,0,,64,4521068,3178714,2499724,2259220,20760,19989,32855.793, 
> 23100.553,18.859,18.158,0,0,229.97.122.203, v       , 
> 0:2:b3:d8:98:6e,0:11:88:5:5d:1d,<->,,,CON,s[16]="fx..............",d 
> [16]="gx..............",,,14,,,0x8200,0x8200,,0x0000
> 1151432428.835259,1151432550.587752,1,121.752493,121.752495,142.58.64. 
> 150,216.239.57.104,tcp, 
> 4074,80,0,,128,,5227,0,3835,0,24,0,343.451,0.000,0.197,0.000,0,0,229.9 
> 7.122.203, v       ,0:13:ce:6:e2:bf,0:11:88:5:5d:1d,?>,, 
> 16163523.00,FIN,s[16]="GET /pagead/imga",, 
> 17520,0,8695,,,0x0286,,0xa4ef,
> 1151432430.103319,1151433529.662021,1,1099.558702,1099.558716,142.58.2 
> 49.237,142.58.250.27,udp, 
> 800,2049,,0,,63,3176652,4518840,2257756,2498140,19976,20746,23112.195, 
> 32877.480,18.167,18.868,0,0,229.97.122.203, v       ,0:11:88:5:5d: 
> 1d,0:2:b3:d8:98:6e,<->,,,CON,s[16]="px..............",d[16] 
> ="px..............",,,1,,,0x8200,0x8200,,0xb9c4
>
> 	but it still seems to have other problems (possibly related to the
> same thing, I don't know yet). In this case it is omitting ttl and tos
> when it shouldn't be, it looks like:
>
> line: 7 fields in error: sttl,dir,stos,
> 1151432428.834980,1151432968.849102,1,540.014122,540.014122,142.58.206 
> .16,142.58
> .202.108,tcp, 
> 524,1434,0,0,128,128,4270036130,91141044,4095125356,4541942,3015703
> , 
> 1493083,63258140.20,1350202.38,5584.49,2764.90,0.0007,0.0000,384837089 
> 1,qs,0:f:
> 1f:f8:c4:c1,0:11:88:5:5d:1d,?>,1278.000000,3716.553425,CON,s[16] 
> =".Y....&!..:KLJ
> j(",d[16]="DmdT...1........",21344,17520,8541,,,0x80ce,0x80ca,0xfee9
> 1151432428.834980,1151432968.849102,1,540.014122,540.014099,142.58.206 
> .16,142.58
> .202.108,tcp, 
> 524,1434,,0,,128,4270036130,91141044,4095125356,4541942,3015703,149
> 3083,63258144.000,1350202.375,5584.489,2764.896,0,0,229.97.122.203,  
> vs      ,0:f
> :1f:f8:c4:c1,0:11:88:5:5d:1d,<?>,1278.000000,3716.47,CON,s[16] 
> =".Y....&!..:KLJj(
> ",d[16]="DmdT...1........",21344,17520,8541,,,0x80ce,0x80ca,,0xfee9
>
> 	This is the first few error records with ra3.new (with the bzero of
> the entire buffer):
>
> %./ra_test.pl rs178.2.argus | more
> sport 255 gbl
> dport 255 gbl
>
> line: 4 fields in error: dport,sport,
> 1151432428.829164,1151432428.829164,1,0.000000,0.000000,0:4:0:87:f5:6, 
> ff:ff:ff:f
> f:ff:ff,llc,255,255,,,,,114,0,96,0,1,0,0.00,0.00,inf, 
> 0.00,0.0000,0.0000,38483708
> 91,q,0:4:0:87:f5:6,ff:ff:ff:ff:ff:ff,->,,,INT,s[16] 
> ="...`............",,,,8676,,
> ,0x8200,,
> 1151432428.829164,1151432428.829164,1,0.000000,0.000000,0:4:0:87:f5:6, 
> ff:ff:ff:f
> f:ff:ff,llc,gbl,gbl,,,,, 
> 114,0,96,0,1,0,0.000,0.000,0.000,0.000,0,0,229.97.122.20
> 3, v       ,0:4:0:87:f5:6,ff:ff:ff:ff:ff:ff,->,,,INT,s[16] 
> ="...`............",,,
> ,8676,,,0x8200,,,
>
>
> line: 7 fields in error: dir,
> 1151432428.834980,1151432968.849102,1,540.014122,540.014122,142.58.206 
> .16,142.58
> .202.108,tcp, 
> 524,1434,0,0,128,128,4270036130,91141044,4095125356,4541942,3015703
> , 
> 1493083,63258140.20,1350202.38,5584.49,2764.90,0.0007,0.0000,384837089 
> 1,qs,0:f:
> 1f:f8:c4:c1,0:11:88:5:5d:1d,?>,1278.000000,3716.553425,CON,s[16] 
> =".Y....&!..:KLJ
> j(",d[16]="DmdT...1........",21344,17520,8541,,,0x80ce,0x80ca,0xfee9
> 1151432428.834980,1151432968.849102,1,540.014122,540.014099,142.58.206 
> .16,142.58
> .202.108,tcp, 
> 524,1434,0,0,128,128,4270036130,91141044,4095125356,4541942,3015703
> , 
> 1493083,63258144.000,1350202.375,5584.489,2764.896,0,0,229.97.122.203, 
>  vs
> ,0:f:1f:f8:c4:c1,0:11:88:5:5d:1d,<?>,1278.000000,3716.47,CON,s[16] 
> =".Y....&!..:K
> LJj(",d[16]="DmdT...1........",21344,17520,8541,,,0x80ce,0x80ca, 
> 0xfee9,0xfee9
>
> sloss 139.0000 0
>
> line: 15 fields in error: proto,sloss,
> 1151432428.835508,1151432946.117999,1,517.282491,517.282491,142.58.205 
> .8,24.85.1
> 38.30,rtp, 
> 16386,41238,0,0,64,0,2500442,0,1317184,0,25723,0,38670.43,0.00,49.73,0
> .00,139.0000,0.0000,3848370891,q,0:16:cb:85:6b:be,0:11:88:5:5d:1d,- 
> >,16300.00000
> 0,,INT,s[16]="......w..0......",,,,8551,,,0x0200,,0x82df
> 1151432428.835508,1151432946.117999,1,517.282491,517.282471,142.58.205 
> .8,24.85.1
> 38.30,udp, 
> 16386,41238,0,,64,,2500442,0,1317184,0,25723,0,38670.430,0.000,49.727,
> 0.000,0,0,229.97.122.203, v       ,0:16:cb:85:6b:be,0:11:88:5:5d: 
> 1d,->,16300.000
> 000,,INT,s[16]="......w..0......",,,,8551,,,0x0200,,0x82df,
>
> 	this is the same thing with ra3 from rc.21:
>
> ./ra_test.pl rs178.2.argus | more
> sport 255 gbl
> dport 255 gbl
>
> line: 4 fields in error: dport,sport,
> 1151432428.829164,1151432428.829164,1,0.000000,0.000000,0:4:0:87:f5:6, 
> ff:ff:ff:f
> f:ff:ff,llc,255,255,,,,,114,0,96,0,1,0,0.00,0.00,inf, 
> 0.00,0.0000,0.0000,38483708
> 91,q,0:4:0:87:f5:6,ff:ff:ff:ff:ff:ff,->,,,INT,s[16] 
> ="...`............",,,,8676,,
> ,0x8200,,
> 1151432428.829164,1151432428.829164,1,0.000000,0.000000,0:4:0:87:f5:6, 
> ff:ff:ff:f
> f:ff:ff,llc,gbl,gbl,,,,, 
> 114,0,96,0,1,0,0.000,0.000,0.000,0.000,0,0,229.97.122.20
> 3, v       ,0:4:0:87:f5:6,ff:ff:ff:ff:ff:ff,->,,,INT,s[16] 
> ="...`............",,,
> ,8676,,,0x8200,,,
>
>
> line: 7 fields in error: sttl,dir,stos,
> 1151432428.834980,1151432968.849102,1,540.014122,540.014122,142.58.206 
> .16,142.58
> .202.108,tcp, 
> 524,1434,0,0,128,128,4270036130,91141044,4095125356,4541942,3015703
> , 
> 1493083,63258140.20,1350202.38,5584.49,2764.90,0.0007,0.0000,384837089 
> 1,qs,0:f:
> 1f:f8:c4:c1,0:11:88:5:5d:1d,?>,1278.000000,3716.553425,CON,s[16] 
> =".Y....&!..:KLJ
> j(",d[16]="DmdT...1........",21344,17520,8541,,,0x80ce,0x80ca,0xfee9
> 1151432428.834980,1151432968.849102,1,540.014122,540.014099,142.58.206 
> .16,142.58
> .202.108,tcp, 
> 524,1434,,0,,128,4270036130,91141044,4095125356,4541942,3015703,149
> 3083,63258144.000,1350202.375,5584.489,2764.896,0,0,229.97.122.203,  
> vs      ,0:f
> :1f:f8:c4:c1,0:11:88:5:5d:1d,<?>,1278.000000,3716.47,CON,s[16] 
> =".Y....&!..:KLJj(
> ",d[16]="DmdT...1........",21344,17520,8541,,,0x80ce,0x80ca,,0xfee9
>
>
> line: 8 fields in error: sttl,stos,
> 1151432428.834986,1151433529.662031,1,1100.827045,1100.827045,142.58.2 
> 50.27,142.
> 58.249.237,udp, 
> 2049,800,0,0,64,64,4521068,3178714,2499724,2259220,20760,19989,32
> 855.79,23100.55,18.86,18.16,0.0000,0.0000,3848370891,q, 
> 0:2:b3:d8:98:6e,0:11:88:5
> :5d:1d,<->,,,CON,s[16]="fx..............",d[16] 
> ="gx..............",,,14,,,0x8200
> ,0x8200,0x0000
> 1151432428.834986,1151433529.662031,1,1100.827045,1100.827026,142.58.2 
> 50.27,142.
> 58.249.237,udp, 
> 2049,800,,0,,64,4521068,3178714,2499724,2259220,20760,19989,32855
> .793,23100.553,18.859,18.158,0,0,229.97.122.203, v       , 
> 0:2:b3:d8:98:6e,0:11:8
> 8:5:5d:1d,<->,,,CON,s[16]="fx..............",d[16] 
> ="gx..............",,,14,,,0x8
> 200,0x8200,,0x0000
>
> sloss 139.0000 0
>
> line: 15 fields in error: proto,sloss,
> 1151432428.835508,1151432946.117999,1,517.282491,517.282491,142.58.205 
> .8,24.85.1
> 38.30,rtp, 
> 16386,41238,0,0,64,0,2500442,0,1317184,0,25723,0,38670.43,0.00,49.73,0
> .00,139.0000,0.0000,3848370891,q,0:16:cb:85:6b:be,0:11:88:5:5d:1d,- 
> >,16300.00000
> 0,,INT,s[16]="......w..0......",,,,8551,,,0x0200,,0x82df
> 1151432428.835508,1151432946.117999,1,517.282491,517.282471,142.58.205 
> .8,24.85.1
> 38.30,udp, 
> 16386,41238,0,,64,,2500442,0,1317184,0,25723,0,38670.430,0.000,49.727,
> 0.000,0,0,229.97.122.203, v       ,0:16:cb:85:6b:be,0:11:88:5:5d: 
> 1d,->,16300.000
> 000,,INT,s[16]="......w..0......",,,,8551,,,0x0200,,0x82df,
>
> Peter Van Epp / Operations and Technical Support
> Simon Fraser University, Burnaby, B.C. Canada
>
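Added example (not argus-clients code, and not written by either poster): the sprintf(&buf[strlen(buf)], ...) append idiom mentioned in the reply rescans the buffer on every call and puts no bound on the write. One replacement tracks the write offset and uses vsnprintf, so a field that does not fit is rejected instead of overrunning the buffer. The outbuf struct, outbuf_appendf, format_record and the sample field values are hypothetical.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical names throughout; not taken from argus-clients. */
struct outbuf {
    char  *data;
    size_t cap;   /* size of data, including room for the NUL */
    size_t len;   /* bytes written so far, excluding the NUL */
};

/* Append at the tracked offset: no strlen() rescan, and never writes
 * past cap. Returns 0 on success, -1 if the text did not fit. */
static int outbuf_appendf(struct outbuf *b, const char *fmt, ...)
{
    size_t room = b->cap - b->len;       /* >= 1: len stays below cap */
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(b->data + b->len, room, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= room) {    /* error or truncation */
        b->data[b->len] = '\0';          /* drop the partial field */
        return -1;
    }
    b->len += (size_t)n;
    return 0;
}

/* Constructed sample record: proto,sport,dport,tos with tos optional.
 * Returns the record length, or -1 if dst is too small. */
static int format_record(char *dst, size_t cap, const char *proto,
                         int sport, int dport, int has_tos, int tos)
{
    struct outbuf b = { dst, cap, 0 };
    if (cap == 0) return -1;
    dst[0] = '\0';
    if (outbuf_appendf(&b, "%s,%d,%d,", proto, sport, dport) < 0) return -1;
    if (has_tos && outbuf_appendf(&b, "%d", tos) < 0) return -1;
    return (int)b.len;
}

int main(void)
{
    char line[64];
    if (format_record(line, sizeof line, "udp", 2049, 800, 1, 0) > 0)
        puts(line);
    return 0;
}
```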




