rc.28 code on the server
carter at qosient.com
Wed Aug 30 06:49:52 EDT 2006
Hey Richard,
I saw the type of problem you experienced with rc.2 or 3 where the record alignment got screwed up on certain OS types, so I had some ideas if the problem persisted. VERY glad that it went away!!!!
Carter
Carter Bullard
QoSient LLC
150 E. 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax
-----Original Message-----
From: "Richard Bejtlich" <taosecurity at gmail.com>
Date: Wed, 30 Aug 2006 05:21:23
To: "Carter Bullard" <carter at qosient.com>
Cc: Argus <argus-info at lists.andrew.cmu.edu>
Subject: Re: [ARGUS] rc.28 code on the server
On 8/29/06, Carter Bullard <carter at qosient.com> wrote:
> Hey Richard, Hmmmm,
> Not sure what to think, as I see no bug. Below is the result that I get using argus-clients-3.0.0.rc.28, reading argus data generated from your packet file and argus-3.0.0.rc.28, on both big-endian and little-endian machines, 32-bit and 64-bit Intel, and PPC G5 (Linux RH, Fedora, MacOS X).
>
> I'm interested in the fact that your output has a different state output for the closing man record (STP for me, SHT for you). Sure you're running the latest code? Remember that argus and ra* programs append data to existing files (so we don't blow precious data away). Maybe this is left over from a previous run?
>
> ../bin/ra -r /tmp/argus.out - not host 192.168.0.10
> StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport SrcPkts DstPkts SrcBytes DstBytes State
> 20:34:41.313092 arp 192.168.0.10 who 192.168.0.1 1 0 42 0 INT
> 20:34:41.313267 arp 192.168.0.1 who 192.168.0.10 1 0 60 0 INT
> 20:34:48.293810 arp 192.168.0.2 who 192.168.0.10 1 0 60 0 INT
> 20:34:48.293834 arp 192.168.0.10 who 192.168.0.2 1 0 42 0 INT
> 20:35:30.713581 arp 192.168.0.10 who 192.168.0.1 1 0 42 0 INT
> 20:35:30.713768 arp 192.168.0.1 who 192.168.0.10 1 0 60 0 INT
> 17:23:24.914126 man 0 0 584 1 153147 70842 584 57924676 STP
>
>
> The record that is getting mangled on your machine is coming out as this on all of my machines:
>
> 20:36:40.787045 tcp 192.168.0.2.4482 -> 192.168.0.10.bootps 1 0 54 0 REQ
>
> Carter
>
Hi Carter and everyone,
OK, I just re-ran my syntax and got the results I should have:
orr:/usr/local/src/argus-3.0.0.rc.28/bin$ ./argus -r /home/richard/dump.cap -w /home/richard/dump.cap.arg3
orr:/usr/local/src/argus-3.0.0.rc.28/bin$ cd /usr/local/src/argus-clients-3.0.0.rc.28/bin/
orr:/usr/local/src/argus-clients-3.0.0.rc.28/bin$ ./ra -n -r /home/richard/dump.cap.arg3 -- not host 192.168.0.10
20:34:41.313092 arp 192.168.0.10 who 192.168.0.1 1 0 42 0 INT
20:34:41.313267 arp 192.168.0.1 who 192.168.0.10 1 0 60 0 INT
20:34:48.293810 arp 192.168.0.2 who 192.168.0.10 1 0 60 0 INT
20:34:48.293834 arp 192.168.0.10 who 192.168.0.2 1 0 42 0 INT
20:35:30.713581 arp 192.168.0.10 who 192.168.0.1 1 0 42 0 INT
20:35:30.713768 arp 192.168.0.1 who 192.168.0.10 1 0 60 0 INT
05:16:49.188487 man 0 0 584 1 153147 70842 584 57874852 STP
I am running rc.28, so I must have done something to create a
dump.cap.arg3 file that corrupted later results.
I was hoping it was a problem with me and not Argus!
Thank you,
Richard
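The pitfall in this thread is that argus and ra append to an existing output file instead of truncating it, so re-running the same argus command line leaves records from an earlier run (possibly from a different build) in the file that ra then reads. The script below is an added example, not code from the thread or from the Argus project: it moves any existing output file aside before argus writes, then runs the same argus -> ra pipeline Richard used. It assumes argus and ra are on PATH; the pcap path, output path and ra filter are whatever the caller passes in.

```shell
#!/bin/sh
# Added example (not from the thread or the Argus project): never let argus
# append to an output file that already has records in it.
# Assumes argus and ra are on PATH; all paths come from the caller.

# move_aside FILE: if FILE exists, rename it to FILE.<epoch>.old and print the
# backup name; print nothing when there was nothing to move. Returns 1 only
# if the rename itself fails.
move_aside() {
    f=$1
    [ -e "$f" ] || return 0
    stamp=$(date +%s)
    bak="$f.$stamp.old"
    n=0
    # do not clobber a backup made earlier in the same second
    while [ -e "$bak" ]; do
        n=$((n + 1))
        bak="$f.$stamp.$n.old"
    done
    mv -- "$f" "$bak" || return 1
    printf '%s\n' "$bak"
}

# pcap_to_flows PCAP OUT [FILTER...]: write a fresh argus file for PCAP, then
# list it with ra (-n keeps addresses numeric); FILTER is an optional ra
# filter expression such as: not host 192.168.0.10
pcap_to_flows() {
    pcap=$1
    out=$2
    shift 2
    if [ ! -r "$pcap" ]; then
        printf 'cannot read packet file: %s\n' "$pcap" >&2
        return 1
    fi
    old=$(move_aside "$out") || return 1
    if [ -n "$old" ]; then
        printf 'moved previous output to %s\n' "$old" >&2
    fi
    argus -r "$pcap" -w "$out" || return 1
    if [ $# -gt 0 ]; then
        ra -n -r "$out" -- "$@"
    else
        ra -n -r "$out"
    fi
}

# Usage (runs only when given arguments and argus is installed), e.g.:
#   sh fresh_argus.sh /home/richard/dump.cap /home/richard/dump.cap.arg3 not host 192.168.0.10
if [ $# -ge 2 ] && command -v argus >/dev/null 2>&1; then
    pcap_to_flows "$@"
fi
```

Keeping the old file as a timestamped backup rather than deleting it preserves the append-don't-overwrite intent Carter describes while still guaranteeing that the file ra reads was produced by exactly one run of the current build.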