rc.28 code on the server

Richard Bejtlich taosecurity at gmail.com
Wed Aug 30 05:21:23 EDT 2006 

On 8/29/06, Carter Bullard <carter at qosient.com> wrote:
> Hey Richard,   Hmmmm,
> Not sure what to think, as I see no bug.  Below is the result that I get
> using
> argus-clients-3.0.0.rc.28, reading argus data generated from your packet
> file
> and argus-3.0.0.rc.28, on both big-endian and little-endian machines,
> 32-bit
> and 64-bit intel, and PPC G5 (Linux RH, Fedora, MacOS X).
>
> I'm interested in the fact that your output has a different state output
> for the
> closing man record (STP for me, SHT for you).  Sure your running the
> latest code?
> Remember that argus and ra* programs append data to existing files (so we
> don't blow precious data away).  Maybe this is left over from a previous
> run?
>
>  ../bin/ra -r /tmp/argus.out - not host
> 192.168.0.10
>    StartTime        Flgs   Proto      SrcAddr        Sport   Dir
> DstAddr        Dport  SrcPkts  DstPkts     SrcBytes     DstBytes State
>  20:34:41.313092             arp       192.168.0.10          who
> 192.168.0.1               1        0           42            0   INT
>  20:34:41.313267             arp        192.168.0.1          who
> 192.168.0.10               1        0           60            0   INT
>  20:34:48.293810             arp        192.168.0.2          who
> 192.168.0.10               1        0           60            0   INT
>  20:34:48.293834             arp       192.168.0.10          who
> 192.168.0.2               1        0           42            0   INT
>  20:35:30.713581             arp       192.168.0.10          who
> 192.168.0.1               1        0           42            0   INT
>  20:35:30.713768             arp        192.168.0.1          who
> 192.168.0.10               1        0           60            0   INT
>  17:23:24.914126             man                  0
> 0                      584      1   153147    70842          584
> 57924676   STP
>
>
> The record that is getting mangled on your machine is coming out as this on
> all of my machines:
>
>  20:36:40.787045             tcp        192.168.0.2.4482      ->
> 192.168.0.10.bootps        1        0           54            0   REQ
>
> Carter
>

Hi Carter and everyone,

Ok, I just re-ran my syntax and got the results I should have:

orr:/usr/local/src/argus-3.0.0.rc.28/bin$ ./argus -r
/home/richard/dump.cap -w /home/richard/dump.cap.arg3
orr:/usr/local/src/argus-3.0.0.rc.28/bin$ cd
/usr/local/src/argus-clients-3.0.0.rc.28/bin/
orr:/usr/local/src/argus-clients-3.0.0.rc.28/bin$ ./ra -n -r
/home/richard/dump.cap.arg3 -- not host 192.168.0.10
    20:34:41.313092             arp       192.168.0.10          who
    192.168.0.1               1        0           42            0
INT
    20:34:41.313267             arp        192.168.0.1          who
   192.168.0.10               1        0           60            0
INT
    20:34:48.293810             arp        192.168.0.2          who
   192.168.0.10               1        0           60            0
INT
    20:34:48.293834             arp       192.168.0.10          who
    192.168.0.2               1        0           42            0
INT
    20:35:30.713581             arp       192.168.0.10          who
    192.168.0.1               1        0           42            0
INT
    20:35:30.713768             arp        192.168.0.1          who
   192.168.0.10               1        0           60            0
INT
    05:16:49.188487             man                  0      0
            584      1   153147    70842          584     57874852
STP

I am running rc.28, so I must have done something to create a
dump.cap.arg3 file that corrupted later results.

I was hoping it was a problem with me and not Argus!

Thank you,

Richard

More information about the argus mailing list