Argus duser field stays blank

Peter Van Epp vanepp at sfu.ca
Wed Aug 9 17:58:49 EDT 2006 

On Wed, Aug 09, 2006 at 01:12:14PM -0500, Karl Tatgenhorst wrote:
> 
> 
>    My new argus setup is pretty near production. Doing some initial
> testing I did find a few odd behaviors. The first was that some ICMP
> could trigger a segfault on the argus listener. We have excellent
> coverage with flows and since ICMP rarely is interesting (in the payload
> department) we opted to simply filter ICMP from argus, but I thought you
> might like to know. The biggest thing for RA was that I usually do s
> +user on read argus, I notice it is now split suser and duser, this
> seems useful enough, however, when I do ra -d 128 -ns +duser I show no
> payloads. Since I have 30,000 machines on my... test network I am sure
> that I should see some payloads. Anyone have any ideas? Oh yeah, source
> payloads show when I do + suser.
> 
> Thanks,
> 
> Karl

	I suspect we would be most interested in a tcpdump of the icmp if you
can catch and release one (directly to Carter if you don't want to do the 
list) that segfaults so it can get fixed. I now have a copy of 3.0 in parallel 
with my production 2.0.6 server on the regen taps downtown (which unlike the 
test one up here sees all the icmp coming in thats otherwise blocked at the 
border) since about last Friday without problem as far as I know. 
	As to the user data problem that sounds like a bug in the option 
parsing code with the +, I know that both sides display with this config 
file:

RA_PRINT_LABELS=0
RA_FIELD_DELIMITER=','
RA_FIELD_SPECIFIER=stime ltime trans dur avgdur saddr daddr proto sport dport stos dtos sttl dttl sbytes dbytes spkts dpkts srate drate sload dload sloss dloss srcid flgs smac dmac dir sjit djit state suser duser swin dwin seq smpls dmpls svlan dvlan sipid dipid
RA_PRINT_NAMES=proto
RA_TIME_FORMAT="%s"
RA_PRINT_DURATION=no
RA_PRINT_LASTIME=yes

	so creating a config file that specifies all the output fields you
want (at one point I had the default list in the man page but I think it fell
out again at some revision) should do the trick in the interrum. 

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

More information about the argus mailing list