Argus duser field stays blank
carter at qosient.com
Wed Aug 9 18:48:21 EDT 2006
Hey Karl,
We need to fix this problem, so if you have file that has a problem, and you don't mind sharing, I can use it to debug. If not I can walk you through a session with gdb, to find out where it is dying.
Hmmm, the '-d 128' is obsolete, you should use '+suser:128'.
If you are not seeing duser data, are you sure you are observing return traffic? Are there dbyte counts?
Carter
Carter Bullard
QoSient LLC
150 E. 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax
-----Original Message-----
From: Karl Tatgenhorst <karlt at uchicago.edu>
Date: Wed, 09 Aug 2006 13:12:14
To:argus-info at lists.andrew.cmu.edu
Subject: [ARGUS] Argus duser field stays blank
My new argus setup is pretty near production. Doing some initial testing I did find a few odd behaviors. The first was that some ICMP could trigger a segfault on the argus listener. We have excellent coverage with flows and since ICMP rarely is interesting (in the payload department) we opted to simply filter ICMP from argus, but I thought you might like to know.

The biggest thing for RA was that I usually do s +user on read argus, I notice it is now split suser and duser, this seems useful enough, however, when I do ra -d 128 -ns +duser I show no payloads. Since I have 30,000 machines on my... test network I am sure that I should see some payloads. Anyone have any ideas? Oh yeah, source payloads show when I do + suser.
Thanks,
Karl
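As an added example (not from this thread and not argus or ra code), a small Python check in the spirit of Carter's question: given flow records carrying the dbytes, suser and duser fields, it separates flows that simply had no return traffic (a blank duser is expected there) from flows that did carry return bytes yet show an empty duser, which are the ones worth taking to gdb. The ra invocation and the comma-delimited layout in the sample are assumptions, and the records are constructed.

```python
# Constructed sample standing in for ra output. The invocation it imitates,
# `ra -r argus.out -n -c , -s saddr daddr dbytes suser:32 duser:32`, is an
# assumption (the -c delimiter and -s field list are not in the thread).
# Fields: saddr,daddr,dbytes,suser,duser; user data may be blank.
SAMPLE_RA_OUTPUT = """\
10.0.0.5,10.0.0.80,512,GET / HTTP/1.1,HTTP/1.1 200 OK
10.0.0.6,10.0.0.80,0,GET /index.html HTTP/1.1,
10.0.0.7,10.0.0.25,2048,EHLO host.example,
10.0.0.8,10.0.0.80,0,,
"""


def parse_ra_records(text):
    """Parse delimited records into dicts; dbytes becomes an int.
    duser is taken as everything after the fourth comma, so payload commas
    in duser survive (suser is assumed comma-free in this sample)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(",", 4)
        if len(parts) != 5:
            continue  # malformed line: skip rather than guess at fields
        saddr, daddr, dbytes, suser, duser = parts
        records.append({"saddr": saddr, "daddr": daddr,
                        "dbytes": int(dbytes), "suser": suser, "duser": duser})
    return records


def classify_duser(records):
    """Sort each flow into one of three buckets:
    - 'no_return': dbytes == 0, so an empty duser is expected;
    - 'captured':  return bytes seen and duser holds payload;
    - 'missing':   return bytes seen but duser is blank (the case to debug)."""
    buckets = {"no_return": [], "captured": [], "missing": []}
    for rec in records:
        key = f"{rec['saddr']}->{rec['daddr']}"
        if rec["dbytes"] == 0:
            buckets["no_return"].append(key)
        elif rec["duser"].strip():
            buckets["captured"].append(key)
        else:
            buckets["missing"].append(key)
    return buckets


if __name__ == "__main__":
    for bucket, flows in classify_duser(parse_ra_records(SAMPLE_RA_OUTPUT)).items():
        print(bucket, flows)
```

Only the 'missing' bucket points at a capture or client problem; flows in 'no_return' explain a blank duser by themselves.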