argus.rc.33 close but still no cigar :-)

Fri Nov 3 10:44:22 EST 2006

Gentle people,
This problem has been fixed and is in the new release.  Interesting
(but stupid) bug!!!

Carter

On Oct 28, 2006, at 11:00 PM, Peter Van Epp wrote:

> 	Well I finally got the flames low enough to get back to beating on
> rc.33. Once I figured out that Carter was suggesting removing the  
> correction
> factor from 2.0.6 (rather than 3 where I was trying to do it) the  
> counts are
> much better but there are still problems, possibly all related to  
> this one
> where argus from rc.33 generates no records for the icmp (tcpdump file
> attached):
>
> %tcpdump -r icmp.tcp -nn
> reading from file icmp.tcp, link-type EN10MB (Ethernet)
> 15:45:10.031334 IP 12.129.11.29 > 142.58.167.128: ICMP echo  
> request, id 21096, seq 64622, length 20
> 15:45:15.949924 IP 12.129.11.29 > 142.58.167.128: ICMP echo  
> request, id 21096, seq 22400, length 20
> 15:45:21.831270 IP 12.129.11.29 > 142.58.167.128: ICMP echo  
> request, id 21096, seq 37009, length 20
> 15:45:27.811654 IP 12.129.11.29 > 142.58.167.128: ICMP echo  
> request, id 21096, seq 5795, length 20
> 15:45:33.734136 IP 12.129.11.29 > 142.58.167.128: ICMP echo  
> request, id 21096, seq 28084, length 20
> 15:45:39.694556 IP 12.129.11.29 > 142.58.167.128: ICMP echo  
> request, id 21096, seq 56005, length 20
> 15:45:45.574912 IP 12.129.11.29 > 142.58.167.128: ICMP echo  
> request, id 21096, seq 6359, length 20
> 15:45:51.417515 IP 12.129.11.29 > 142.58.167.128: ICMP echo  
> request, id 21096, seq 14824, length 20
> 15:45:57.297864 IP 12.129.11.29 > 142.58.167.128: ICMP echo  
> request, id 21096, seq 26617, length 20
> 15:46:03.219249 IP 12.129.11.29 > 142.58.167.128: ICMP echo  
> request, id 21096, seq 48906, length 20
> 15:46:09.099901 IP 12.129.11.29 > 142.58.167.128: ICMP echo  
> request, id 21096, seq 65051, length 20
> 15:46:14.981449 IP 12.129.11.29 > 142.58.167.128: ICMP echo  
> request, id 21096, seq 13869, length 20
>
> %argus -r icmp.tcp -w icmp3.argus
> %argus_bpf -r icmp.tcp -w icmp2.argus
> %ra -r icmp2.argus -nn
> 28 Oct 06 20:06:16           man  229.97.122.203   
> v2.0                   1 0     0        0         0             
> 0           STA
> 28 Aug 06 15:45:10          icmp    12.129.11.29        ->   
> 142.58.167.128       1        0         60           0           ECO
> 28 Aug 06 15:45:15          icmp    12.129.11.29        ->   
> 142.58.167.128       1        0         60           0           ECO
> 28 Aug 06 15:45:21          icmp    12.129.11.29        ->   
> 142.58.167.128       1        0         60           0           ECO
> 28 Aug 06 15:45:27          icmp    12.129.11.29        ->   
> 142.58.167.128       1        0         60           0           ECO
> 28 Aug 06 15:45:33          icmp    12.129.11.29        ->   
> 142.58.167.128       1        0         60           0           ECO
> 28 Aug 06 15:45:39          icmp    12.129.11.29        ->   
> 142.58.167.128       1        0         60           0           ECO
> 28 Aug 06 15:45:45          icmp    12.129.11.29        ->   
> 142.58.167.128       1        0         60           0           ECO
> 28 Aug 06 15:45:51          icmp    12.129.11.29        ->   
> 142.58.167.128       1        0         60           0           ECO
> 28 Aug 06 15:45:57          icmp    12.129.11.29        ->   
> 142.58.167.128       1        0         60           0           ECO
> 28 Aug 06 15:46:09          icmp    12.129.11.29        ->   
> 142.58.167.128       1        0         60           0           ECO
> 28 Aug 06 15:46:03          icmp    12.129.11.29        ->   
> 142.58.167.128       1        0         60           0           ECO
> 28 Aug 06 15:46:14          icmp    12.129.11.29        ->   
> 142.58.167.128       1        0         60           0           ECO
> 28 Oct 06 20:06:16           man  229.97.122.203   
> v2.0                  13 0     12       0         720           
> 12          SHT
> %ra3 -r icmp2.argus -n
>    15:45:10.031334            icmp       12.129.11.29           - 
> >     142.58.167.128               1        0            
> 60            0   ECO
>    15:45:15.949924            icmp       12.129.11.29           - 
> >     142.58.167.128               1        0            
> 60            0   ECO
>    15:45:21.831270            icmp       12.129.11.29           - 
> >     142.58.167.128               1        0            
> 60            0   ECO
>    15:45:27.811654            icmp       12.129.11.29           - 
> >     142.58.167.128               1        0            
> 60            0   ECO
>    15:45:33.734136            icmp       12.129.11.29           - 
> >     142.58.167.128               1        0            
> 60            0   ECO
>    15:45:39.694556            icmp       12.129.11.29           - 
> >     142.58.167.128               1        0            
> 60            0   ECO
>    15:45:45.574912            icmp       12.129.11.29           - 
> >     142.58.167.128               1        0            
> 60            0   ECO
>    15:45:51.417515            icmp       12.129.11.29           - 
> >     142.58.167.128               1        0            
> 60            0   ECO
>    15:45:57.297864            icmp       12.129.11.29           - 
> >     142.58.167.128               1        0            
> 60            0   ECO
>    15:46:09.099901            icmp       12.129.11.29           - 
> >     142.58.167.128               1        0            
> 60            0   ECO
>    15:46:03.219249            icmp       12.129.11.29           - 
> >     142.58.167.128               1        0            
> 60            0   ECO
>    15:46:14.981449            icmp       12.129.11.29           - 
> >     142.58.167.128               1        0            
> 60            0   ECO
>    20:06:16.354938             man           33620040       
> 0                325312512 838861       12        0    325312512    
> 2415919230   SHT
> %ra -r icmp3.argus
> ArgusAlert: ra[45359]: ArgusReadConnection: not Argus-2.0 data stream.
>
> %ra3 -r icmp3.argus -n
>    20:06:03.413983             man                  0       
> 0                       29      1       12        1            
> 29      1461084   STP
> %
>
> Peter Van Epp / Operations and Technical Support
> Simon Fraser University, Burnaby, B.C. Canada
>

Carter Bullard
CEO/President
QoSient, LLC
150 E. 57th Street Suite 12D
New York, New York 10022

+1 212 588-9133 Phone
+1 212 588-9134 Fax

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20061103/9bba544a/attachment.html>