Argus duser field stays blank
Carter Bullard
carter at qosient.com
Thu Aug 10 13:24:22 EDT 2006
Hey Karl,
Peter is working on the v2.x -> v3.0 conversion, so he's looking at every field.
The fields that are specified in ./support/Config/rarc are the 'standard' list. I think the easiest thing to do is to do a tcpdump on your argus probe, capturing from the interface specified in your argus.conf file, for, say, port 80, for a few minutes, and then let's run argus against that packet file, to see if you're getting return packets on your capture interface.
Looking through your few records, I'd say you're not getting the return traffic.
Carter
On Aug 10, 2006, at 1:07 PM, Karl Tatgenhorst wrote:
> Peter,
>
> With regard to the ra.conf file: I tried using the options you provided and am wondering, is this the kind of output you are used to using, or is something wrong here?
>
> 1155229178.329136,1155229178.463428,1,0.134292,0.134292,128.135.119.142,69.245.81.19,6,443,1313,0,,61,,1029,0,7,0,61299.254,0.000,52.125,0.000,0,0,0.0.0.0, v ,,,->,,,FIN,s[16]="....J...F..D.e.5",,49011,0,92,,,0x0181,,0xa372,,
> 1155229178.330134,1155229178.494035,1,0.163901,0.163901,128.135.97.211,63.215.195.155,6,2150,80,0,,126,,1144,0,6,0,55838.586,0.000,36.607,0.000,0,0,0.0.0.0, v ,,,->,,,FIN,s[16]="GET /banners/Cli",,63892,0,93,,,0x0181,,0x8674,,
> 1155229178.330384,1155229178.330384,1,0.000000,0.000000,128.135.211.30,66.155.227.130,6,53,80,0,,43,,58,0,1,0,0.000,0.000,0.000,0.000,0,0,0.0.0.0, v ,,,?>,,,RST,,,0,0,94,,,0x0181,,0x495a,,
> 1155229178.331134,1155229178.331134,1,0.000000,0.000000,128.135.181.28,66.150.161.56,6,49524,25,0,,61,,78,0,1,0,0.000,0.000,0.000,0.000,0,0,0.0.0.0, v ,,,->,,,REQ,,,5840,0,95,,,0x0181,,0xd3b3,,
>
>
> To my eyes that is hard to use. I can figure out most of what is there, but I feel that the output should be a little nicer for us humans. Also, 16 is the largest dest data I can find.
>
> Any ideas?
>
> Thanks,
>
> Karl
>
> BTW, I am testing with the current (rc.24) that was just put up.
>
> On Wed, 2006-08-09 at 14:58 -0700, Peter Van Epp wrote:
>> On Wed, Aug 09, 2006 at 01:12:14PM -0500, Karl Tatgenhorst wrote:
>>>
>>>
>>> My new argus setup is pretty near production. Doing some initial testing I did find a few odd behaviors. The first was that some ICMP could trigger a segfault on the argus listener. We have excellent coverage with flows, and since ICMP rarely is interesting (in the payload department) we opted to simply filter ICMP from argus, but I thought you might like to know. The biggest thing for RA was that I usually do s +user on read argus; I notice it is now split into suser and duser, which seems useful enough. However, when I do ra -d 128 -ns +duser I show no payloads. Since I have 30,000 machines on my... test network I am sure that I should see some payloads. Anyone have any ideas? Oh yeah, source payloads show when I do +suser.
>>>
>>> Thanks,
>>>
>>> Karl
>>
>> I suspect we would be most interested in a tcpdump of the icmp if you can catch and release one (directly to Carter if you don't want to do the list) that segfaults so it can get fixed. I now have a copy of 3.0 in parallel with my production 2.0.6 server on the regen taps downtown (which unlike the test one up here sees all the icmp coming in that's otherwise blocked at the border) since about last Friday without problem as far as I know.
>> As to the user data problem, that sounds like a bug in the option parsing code with the +; I know that both sides display with this config file:
>>
>> RA_PRINT_LABELS=0
>> RA_FIELD_DELIMITER=','
>> RA_FIELD_SPECIFIER=stime ltime trans dur avgdur saddr daddr proto
>> sport dport stos dtos sttl dttl sbytes dbytes spkts dpkts srate
>> drate sload dload sloss dloss srcid flgs smac dmac dir sjit djit
>> state suser duser swin dwin seq smpls dmpls svlan dvlan sipid dipid
>> RA_PRINT_NAMES=proto
>> RA_TIME_FORMAT="%s"
>> RA_PRINT_DURATION=no
>> RA_PRINT_LASTIME=yes
>>
>> so creating a config file that specifies all the output fields you want (at one point I had the default list in the man page but I think it fell out again at some revision) should do the trick in the interim.
>>
>> Peter Van Epp / Operations and Technical Support
>> Simon Fraser University, Burnaby, B.C. Canada
>
>
Carter Bullard
CEO/President
QoSient, LLC
150 E. 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax
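A quick way to check Carter's diagnosis against the records in the thread, as an added example (this is not code from the original message or from the argus project): a small Python parser that reads ra output in the CSV layout Peter's RA_FIELD_SPECIFIER produces and flags flows for which argus only ever saw the source side. The column order is copied from Peter's rarc, and the four records are Karl's, re-joined onto one line each; the function names and the "one-sided flow" test are this example's own assumptions, not argus terminology.

```python
"""Check ra(1) CSV output for flows with no return traffic.

Added example; not code from the original thread or from the argus
project. The column order is the RA_FIELD_SPECIFIER Peter quoted and the
four records are the ones Karl posted, re-joined onto one line each. The
function names and the "one-sided flow" test are this example's own
assumptions, not argus terminology.
"""
import re
from typing import Dict, List

# Column order, copied from the RA_FIELD_SPECIFIER in Peter's rarc
# (RA_FIELD_DELIMITER=',' and RA_PRINT_LABELS=0, so there is no header line).
RA_FIELD_SPECIFIER = (
    "stime ltime trans dur avgdur saddr daddr proto sport dport stos dtos "
    "sttl dttl sbytes dbytes spkts dpkts srate drate sload dload sloss dloss "
    "srcid flgs smac dmac dir sjit djit state suser duser swin dwin seq "
    "smpls dmpls svlan dvlan sipid dipid"
)
FIELDS = RA_FIELD_SPECIFIER.split()

# Karl's four records from the message, each re-joined onto one line.
SAMPLE_RA_OUTPUT = """\
1155229178.329136,1155229178.463428,1,0.134292,0.134292,128.135.119.142,69.245.81.19,6,443,1313,0,,61,,1029,0,7,0,61299.254,0.000,52.125,0.000,0,0,0.0.0.0, v ,,,->,,,FIN,s[16]="....J...F..D.e.5",,49011,0,92,,,0x0181,,0xa372,,
1155229178.330134,1155229178.494035,1,0.163901,0.163901,128.135.97.211,63.215.195.155,6,2150,80,0,,126,,1144,0,6,0,55838.586,0.000,36.607,0.000,0,0,0.0.0.0, v ,,,->,,,FIN,s[16]="GET /banners/Cli",,63892,0,93,,,0x0181,,0x8674,,
1155229178.330384,1155229178.330384,1,0.000000,0.000000,128.135.211.30,66.155.227.130,6,53,80,0,,43,,58,0,1,0,0.000,0.000,0.000,0.000,0,0,0.0.0.0, v ,,,?>,,,RST,,,0,0,94,,,0x0181,,0x495a,,
1155229178.331134,1155229178.331134,1,0.000000,0.000000,128.135.181.28,66.150.161.56,6,49524,25,0,,61,,78,0,1,0,0.000,0.000,0.000,0.000,0,0,0.0.0.0, v ,,,->,,,REQ,,,5840,0,95,,,0x0181,,0xd3b3,,
"""

# The user-data columns print as s[N]="..." where N is the captured length.
_USER_LEN = re.compile(r'^s\[(\d+)\]=')


def parse_ra_line(line: str) -> Dict[str, str]:
    """Split one ra record into a field-name -> value dict.

    ra does not quote columns, so a plain split is used rather than the csv
    module (which would mishandle the s[N]="..." notation). A payload that
    itself contains the delimiter would shift the columns, so the column
    count is verified instead of being silently truncated.
    """
    parts = line.rstrip("\r\n").split(",")
    # The delimiter is also printed after the last column, which leaves one
    # trailing empty token; accept exactly that and nothing else.
    if len(parts) == len(FIELDS) + 1 and parts[-1] == "":
        parts = parts[:-1]
    if len(parts) != len(FIELDS):
        raise ValueError(
            f"expected {len(FIELDS)} columns, got {len(parts)}: {line!r}")
    return dict(zip(FIELDS, parts))


def parse_ra_output(text: str) -> List[Dict[str, str]]:
    return [parse_ra_line(l) for l in text.splitlines() if l.strip()]


def _as_int(value: str) -> int:
    # Blank columns (e.g. dttl when no reply was ever seen) count as zero.
    return int(value) if value.strip() else 0


def user_data_len(value: str) -> int:
    """Captured user-data length from an s[N]="..." column, 0 if blank."""
    m = _USER_LEN.match(value)
    return int(m.group(1)) if m else 0


def is_one_sided(rec: Dict[str, str]) -> bool:
    """True when argus saw packets from the source only: no dpkts, no dbytes."""
    return _as_int(rec["dpkts"]) == 0 and _as_int(rec["dbytes"]) == 0


def return_traffic_report(records: List[Dict[str, str]]) -> Dict[str, int]:
    """Summarise whether the capture interface is seeing both directions."""
    return {
        "flows": len(records),
        "one_sided": sum(1 for r in records if is_one_sided(r)),
        "with_suser": sum(1 for r in records if r["suser"]),
        "with_duser": sum(1 for r in records if r["duser"]),
        "max_suser_len": max((user_data_len(r["suser"]) for r in records), default=0),
        "max_duser_len": max((user_data_len(r["duser"]) for r in records), default=0),
    }


if __name__ == "__main__":
    recs = parse_ra_output(SAMPLE_RA_OUTPUT)
    for r in recs:
        print(f'{r["saddr"]}:{r["sport"]} {r["dir"]} {r["daddr"]}:{r["dport"]} '
              f'{r["state"]:4} spkts={r["spkts"]} dpkts={r["dpkts"]} '
              f'one_sided={is_one_sided(r)}')
    print(return_traffic_report(recs))
```

Run against Karl's four records, every flow comes out one-sided: dpkts and dbytes are 0, dttl is blank, and duser is empty while suser holds the 16 bytes Karl mentions. A flow with no destination packets cannot have destination user data, so the empty duser column here is consistent with the capture interface not carrying the return direction rather than with a +duser parsing bug, and the tcpdump on the capture interface that Carter suggests is the next thing to look at.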