more 2.0.6 conversion bugs in rc.27
Peter Van Epp
vanepp at sfu.ca
Mon Aug 28 15:35:45 EDT 2006
On Mon, Aug 28, 2006 at 03:02:34PM -0400, Carter Bullard wrote:
> Hey Peter,
> All Udp traffic has src and dst port numbers, so your mods to v2.x
> are incorrect.
> But 65525 is not a good port number, so that may be an issue.
>
> Argus-3.0.rc.27 fixes the argus data in the second problem (this is
> derived from
> tcptest1.tcp, which you sent earlier) so that the windows and
> direction are all
> correct. The original argus-2.x output for this data is flawed, but
> I've corrected
> argus-clients-3.0 so that it does the right thing with window size
> reporting, i.e.
> if the packet count is zero, don't print a zero.
>
> Carter
>
Although I'll have another check, this was clients.rc.27 and the problem
still appears (although as you say the window one could be a 2.0.6 bug). As
well early indication is that there is a count problem too for a small number
of records. At this point it isn't clear where the bug is though.
2,0.6 on my production server on an hour log 2.0.6 file:
199.60.6.0 4768 0 4768
the same on my test server (because the first time my modified 2.0.6 ra bit me):
199.60.6.0 4768 0 4768
the same 2.0.6 file being processed by ra 3.0 from rc.27:
199.60.6.0 286 0 286
there are about 6 more out of several thousand addresses that exhibit similar
problems. I'm about to try the 3.0 captured version of this same hour and
see what that does. Then I will probably switch to an hour of captured tcpdump
data so the input to both argi is the same (cron differences between the
machines mean the live captures probably won't be identical).
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
More information about the argus
mailing list