Argus duser field stays blank
Karl Tatgenhorst
karlt at uchicago.edu
Thu Aug 10 13:07:15 EDT 2006
Peter,
In regards to the ra.conf file. I tried using the options you
provided and am wondering, is this the kind of output you are used to
using or is something wrong here?
1155229178.329136,1155229178.463428,1,0.134292,0.134292,128.135.119.142,69.245.81.19,6,443,1313,0,,61,,1029,0,7,0,61299.254,0.000,52.125,0.000,0,0,0.0.0.0, v ,,,->,,,FIN,s[16]="....J...F..D.e.5",,49011,0,92,,,0x0181,,0xa372,,
1155229178.330134,1155229178.494035,1,0.163901,0.163901,128.135.97.211,63.215.195.155,6,2150,80,0,,126,,1144,0,6,0,55838.586,0.000,36.607,0.000,0,0,0.0.0.0, v ,,,->,,,FIN,s[16]="GET /banners/Cli",,63892,0,93,,,0x0181,,0x8674,,
1155229178.330384,1155229178.330384,1,0.000000,0.000000,128.135.211.30,66.155.227.130,6,53,80,0,,43,,58,0,1,0,0.000,0.000,0.000,0.000,0,0,0.0.0.0, v ,,,?>,,,RST,,,0,0,94,,,0x0181,,0x495a,,
1155229178.331134,1155229178.331134,1,0.000000,0.000000,128.135.181.28,66.150.161.56,6,49524,25,0,,61,,78,0,1,0,0.000,0.000,0.000,0.000,0,0,0.0.0.0, v ,,,->,,,REQ,,,5840,0,95,,,0x0181,,0xd3b3,,
To my eyes that is hard to use. I can figure out most of what is there,
but I feel that the output should be a little nicer for us humans. Also,
16 is the largest dest data I can find.
Any ideas?
Thanks,
Karl
BTW, I am testing with the current (rc.24) that was just put up.
On Wed, 2006-08-09 at 14:58 -0700, Peter Van Epp wrote:
> On Wed, Aug 09, 2006 at 01:12:14PM -0500, Karl Tatgenhorst wrote:
> >
> >
> > My new argus setup is pretty near production. Doing some initial
> > testing I did find a few odd behaviors. The first was that some ICMP
> > could trigger a segfault on the argus listener. We have excellent
> > coverage with flows and since ICMP rarely is interesting (in the payload
> > department) we opted to simply filter ICMP from argus, but I thought you
> > might like to know. The biggest thing for RA was that I usually do s
> > +user on read argus, I notice it is now split suser and duser, this
> > seems useful enough, however, when I do ra -d 128 -ns +duser I show no
> > payloads. Since I have 30,000 machines on my... test network I am sure
> > that I should see some payloads. Anyone have any ideas? Oh yeah, source
> > payloads show when I do +suser.
> >
> > Thanks,
> >
> > Karl
>
> I suspect we would be most interested in a tcpdump of the icmp if you
> can catch and release one (directly to Carter if you don't want to do the
> list) that segfaults so it can get fixed. I now have a copy of 3.0 in parallel
> with my production 2.0.6 server on the regen taps downtown (which, unlike the
> test one up here, sees all the icmp coming in that's otherwise blocked at the
> border) since about last Friday without problem as far as I know.
> As to the user data problem, that sounds like a bug in the option
> parsing code with the +. I know that both sides display with this config
> file:
>
> RA_PRINT_LABELS=0
> RA_FIELD_DELIMITER=','
> RA_FIELD_SPECIFIER=stime ltime trans dur avgdur saddr daddr proto sport dport stos dtos sttl dttl sbytes dbytes spkts dpkts srate drate sload dload sloss dloss srcid flgs smac dmac dir sjit djit state suser duser swin dwin seq smpls dmpls svlan dvlan sipid dipid
> RA_PRINT_NAMES=proto
> RA_TIME_FORMAT="%s"
> RA_PRINT_DURATION=no
> RA_PRINT_LASTIME=yes
>
> so creating a config file that specifies all the output fields you
> want (at one point I had the default list in the man page but I think it fell
> out again at some revision) should do the trick in the interim.
>
> Peter Van Epp / Operations and Technical Support
> Simon Fraser University, Burnaby, B.C. Canada
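The label-free, comma-delimited output that the ra.conf above produces is only readable once each column is matched back to the RA_FIELD_SPECIFIER order. The following parser is an added example written for this page; it is not code from the thread or from the Argus project. It assumes the exact specifier quoted in Peter's ra.conf (any change to that list must be mirrored in FIELDS), assumes a record is terminated by the delimiter (hence one trailing empty token), and treats a line that starts with a comma as the continuation of a record that a mail client wrapped inside the flgs column. The sample input is the four records posted in the thread, one of them written in the wrapped form to exercise the rejoin. Besides naming the columns, it separates the two cases behind a blank duser: flows where the destination sent no packets (dpkts == 0, so there is nothing to print) and flows where packets came back but the column is still empty, which are the ones that would point at ra itself.

```python
"""Label comma-delimited ra(1) output (RA_PRINT_LABELS=0) by column name and
flag flows whose duser column is blank even though the destination sent data.
Added example for this thread; assumes the RA_FIELD_SPECIFIER quoted above."""
import re

# Column order copied from the RA_FIELD_SPECIFIER in the ra.conf quoted above.
RA_FIELD_SPECIFIER = (
    "stime ltime trans dur avgdur saddr daddr proto sport dport stos dtos "
    "sttl dttl sbytes dbytes spkts dpkts srate drate sload dload sloss dloss "
    "srcid flgs smac dmac dir sjit djit state suser duser swin dwin seq "
    "smpls dmpls svlan dvlan sipid dipid"
)
FIELDS = RA_FIELD_SPECIFIER.split()

# Sample input: the four records from the thread. The first two are written the
# way a mail client wraps them, with the flgs column " v " split across lines.
SAMPLE_OUTPUT = """\
1155229178.329136,1155229178.463428,1,0.134292,0.134292,128.135.119.142,69.245.81.19,6,443,1313,0,,61,,1029,0,7,0,61299.254,0.000,52.125,0.000,0,0,0.0.0.0, v
,,,->,,,FIN,s[16]="....J...F..D.e.5",,49011,0,92,,,0x0181,,0xa372,,
1155229178.330134,1155229178.494035,1,0.163901,0.163901,128.135.97.211,63.215.195.155,6,2150,80,0,,126,,1144,0,6,0,55838.586,0.000,36.607,0.000,0,0,0.0.0.0, v
,,,->,,,FIN,s[16]="GET /banners/Cli",,63892,0,93,,,0x0181,,0x8674,,
1155229178.330384,1155229178.330384,1,0.000000,0.000000,128.135.211.30,66.155.227.130,6,53,80,0,,43,,58,0,1,0,0.000,0.000,0.000,0.000,0,0,0.0.0.0, v ,,,?>,,,RST,,,0,0,94,,,0x0181,,0x495a,,
1155229178.331134,1155229178.331134,1,0.000000,0.000000,128.135.181.28,66.150.161.56,6,49524,25,0,,61,,78,0,1,0,0.000,0.000,0.000,0.000,0,0,0.0.0.0, v ,,,->,,,REQ,,,5840,0,95,,,0x0181,,0xd3b3,,
"""

# suser/duser columns look like s[16]="..." : side letter, captured byte count.
USER_RE = re.compile(r'^([sd])\[(\d+)\]=')


def unwrap(text):
    """Rejoin records a mailer wrapped: a line beginning with ',' continues the
    previous record. The wrap happened at the space inside " v ", so the space
    is restored when joining."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith(",") and records:
            records[-1] = records[-1] + " " + line
        else:
            records.append(line)
    return records


def parse_record(line):
    """Map one delimited record onto FIELDS. Splits on ',' only, so user data
    that itself contains a comma would need a different RA_FIELD_DELIMITER."""
    tokens = line.split(",")
    # ra ends every record with the delimiter, giving one empty trailing token.
    if len(tokens) == len(FIELDS) + 1 and tokens[-1] == "":
        tokens.pop()
    if len(tokens) != len(FIELDS):
        raise ValueError("expected %d fields, got %d: %r"
                         % (len(FIELDS), len(tokens), line))
    return dict(zip(FIELDS, tokens))


def parse_output(text):
    return [parse_record(rec) for rec in unwrap(text)]


def user_data_len(value):
    """Captured byte count in a suser/duser column such as s[16]="..." (0 if blank)."""
    m = USER_RE.match(value)
    return int(m.group(2)) if m else 0


def summarize(rec):
    """One readable line per flow: endpoints, direction, state, packet counts
    and how many payload bytes ra printed for each side."""
    return "%s %s:%s %s %s:%s proto=%s %s spkts=%s dpkts=%s suser=%dB duser=%dB" % (
        rec["stime"], rec["saddr"], rec["sport"], rec["dir"], rec["daddr"],
        rec["dport"], rec["proto"], rec["state"], rec["spkts"], rec["dpkts"],
        user_data_len(rec["suser"]), user_data_len(rec["duser"]))


def duser_missing_despite_traffic(records):
    """Flows where the destination sent packets but duser is still blank.
    A blank duser with dpkts == 0 is expected (no destination payload exists);
    only these records would indicate a printing problem in ra."""
    return [r for r in records
            if int(r["dpkts"] or 0) > 0 and r["duser"] == ""]


if __name__ == "__main__":
    flows = parse_output(SAMPLE_OUTPUT)
    for f in flows:
        print(summarize(f))
    print("suspect records:", len(duser_missing_despite_traffic(flows)))
```

Run against the four records above, every flow has dpkts == 0, so the suspect list is empty: the sample itself cannot tell whether duser is broken. The check only becomes meaningful on a capture that contains bidirectional flows, which is where it should be run before concluding that the +duser option is at fault.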