racount status and its definition
Peter Van Epp
vanepp at sfu.ca
Wed Jun 21 10:49:41 EDT 2006
On Wed, Jun 21, 2006 at 03:38:14PM +0200, Robin Gruyters wrote:
> Hi Carter,
>
> Here is the output with argus-3 commands (racount() and racluster()).
> I have just pointed to the file which gives errors with argus-2.0.6
> (racount()).
>
> [...]
> $ racount -r /data2/argus/05/21/*; \
> racluster -R /data2/argus/05/21 -m srcid -s trans pkts
> racount records total_pkts src_pkts dst_pkts
> total_bytes src_bytes dst_bytes
> sum 13951 771479 284510 486969
> 303901576 42836384 261065192
> 13927 771479
> [...]
>
> Here is the argus-2.0.6 output:
>
> [...]
> $ racount -r /data2/argus/archive/2006/05/21/*
> ArgusWarning: racount[48517]: ArgusReadSocketStream: malformed argus
> record len 17793
>
> racount records total_pkts src_pkts dst_pkts
> total_bytes src_bytes dst_bytes
> sum 149250 1143266 566499 576767
> 355491645 72812173 282679472
> [...]
>
> Regards,
>
> Robin
>
>
A couple of debugging suggestions. I assume that there are many files
in /data2/argus/archive/2006/05/21/* so you could try them one at a time
through racount to isolate the error to a single file. Then try running that
file through ra and see if it errors (which should give you a time interval
of when the failure occurs). Then -t commands may let you reduce the file
to a couple of records which may be easier to get permission to release than
the whole file and/or at least able to use gdb to dump the argus record that
it gets which may tell Carter what's wrong.
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
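
The first debugging step suggested above (one file at a time through racount), as an added example that is not part of the original message or of the argus distribution. It assumes the warning text matches the "malformed argus record" line in the quoted output; the `RACOUNT` variable and the `find_malformed` function are hypothetical names introduced here.

```shell
#!/bin/sh
# Added sketch: run the reader on each file separately and report which
# file(s) produce the "malformed argus record" warning on stderr.

# Reader command; overridable so the same loop can be pointed at another
# build of racount (assumption: variable name is ours, not an argus setting).
RACOUNT="${RACOUNT:-racount}"

# find_malformed DIR
# Prints "<file><TAB><first warning line>" for every regular file in DIR whose
# stderr contains "malformed argus". Returns 0 if no file warned, 1 otherwise.
find_malformed() {
    dir=$1
    bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # 2>&1 >/dev/null keeps only stderr; the count table is discarded.
        err=$("$RACOUNT" -r "$f" 2>&1 >/dev/null) || true
        case $err in
            *"malformed argus"*)
                first=$(printf '%s\n' "$err" | sed -n '/malformed argus/{p;q;}')
                printf '%s\t%s\n' "$f" "$first"
                bad=1
                ;;
        esac
    done
    return $bad
}

# Usage: find_malformed /data2/argus/archive/2006/05/21
```

Each file it lists is a candidate for the next steps in the message: reading it with ra to find the time interval, then narrowing with -t.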