argus.rc.33 close but still no cigar :-)
Peter Van Epp
vanepp at sfu.ca
Sat Oct 28 23:00:20 EDT 2006
Well I finally got the flames low enough to get back to beating on
rc.33. Once I figured out that Carter was suggesting removing the correction
factor from 2.0.6 (rather than 3 where I was trying to do it) the counts are
much better but there are still problems, possibly all related to this one
where argus from rc.33 generates no records for the icmp (tcpdump file
attached):
%tcpdump -r icmp.tcp -nn
reading from file icmp.tcp, link-type EN10MB (Ethernet)
15:45:10.031334 IP 12.129.11.29 > 142.58.167.128: ICMP echo request, id 21096, seq 64622, length 20
15:45:15.949924 IP 12.129.11.29 > 142.58.167.128: ICMP echo request, id 21096, seq 22400, length 20
15:45:21.831270 IP 12.129.11.29 > 142.58.167.128: ICMP echo request, id 21096, seq 37009, length 20
15:45:27.811654 IP 12.129.11.29 > 142.58.167.128: ICMP echo request, id 21096, seq 5795, length 20
15:45:33.734136 IP 12.129.11.29 > 142.58.167.128: ICMP echo request, id 21096, seq 28084, length 20
15:45:39.694556 IP 12.129.11.29 > 142.58.167.128: ICMP echo request, id 21096, seq 56005, length 20
15:45:45.574912 IP 12.129.11.29 > 142.58.167.128: ICMP echo request, id 21096, seq 6359, length 20
15:45:51.417515 IP 12.129.11.29 > 142.58.167.128: ICMP echo request, id 21096, seq 14824, length 20
15:45:57.297864 IP 12.129.11.29 > 142.58.167.128: ICMP echo request, id 21096, seq 26617, length 20
15:46:03.219249 IP 12.129.11.29 > 142.58.167.128: ICMP echo request, id 21096, seq 48906, length 20
15:46:09.099901 IP 12.129.11.29 > 142.58.167.128: ICMP echo request, id 21096, seq 65051, length 20
15:46:14.981449 IP 12.129.11.29 > 142.58.167.128: ICMP echo request, id 21096, seq 13869, length 20
%argus -r icmp.tcp -w icmp3.argus
%argus_bpf -r icmp.tcp -w icmp2.argus
%ra -r icmp2.argus -nn
28 Oct 06 20:06:16 man 229.97.122.203 v2.0 1 0 0 0 0 0 STA
28 Aug 06 15:45:10 icmp 12.129.11.29 -> 142.58.167.128 1 0 60 0 ECO
28 Aug 06 15:45:15 icmp 12.129.11.29 -> 142.58.167.128 1 0 60 0 ECO
28 Aug 06 15:45:21 icmp 12.129.11.29 -> 142.58.167.128 1 0 60 0 ECO
28 Aug 06 15:45:27 icmp 12.129.11.29 -> 142.58.167.128 1 0 60 0 ECO
28 Aug 06 15:45:33 icmp 12.129.11.29 -> 142.58.167.128 1 0 60 0 ECO
28 Aug 06 15:45:39 icmp 12.129.11.29 -> 142.58.167.128 1 0 60 0 ECO
28 Aug 06 15:45:45 icmp 12.129.11.29 -> 142.58.167.128 1 0 60 0 ECO
28 Aug 06 15:45:51 icmp 12.129.11.29 -> 142.58.167.128 1 0 60 0 ECO
28 Aug 06 15:45:57 icmp 12.129.11.29 -> 142.58.167.128 1 0 60 0 ECO
28 Aug 06 15:46:09 icmp 12.129.11.29 -> 142.58.167.128 1 0 60 0 ECO
28 Aug 06 15:46:03 icmp 12.129.11.29 -> 142.58.167.128 1 0 60 0 ECO
28 Aug 06 15:46:14 icmp 12.129.11.29 -> 142.58.167.128 1 0 60 0 ECO
28 Oct 06 20:06:16 man 229.97.122.203 v2.0 13 0 12 0 720 12 SHT
%ra3 -r icmp2.argus -n
15:45:10.031334 icmp 12.129.11.29 -> 142.58.167.128 1 0 60 0 ECO
15:45:15.949924 icmp 12.129.11.29 -> 142.58.167.128 1 0 60 0 ECO
15:45:21.831270 icmp 12.129.11.29 -> 142.58.167.128 1 0 60 0 ECO
15:45:27.811654 icmp 12.129.11.29 -> 142.58.167.128 1 0 60 0 ECO
15:45:33.734136 icmp 12.129.11.29 -> 142.58.167.128 1 0 60 0 ECO
15:45:39.694556 icmp 12.129.11.29 -> 142.58.167.128 1 0 60 0 ECO
15:45:45.574912 icmp 12.129.11.29 -> 142.58.167.128 1 0 60 0 ECO
15:45:51.417515 icmp 12.129.11.29 -> 142.58.167.128 1 0 60 0 ECO
15:45:57.297864 icmp 12.129.11.29 -> 142.58.167.128 1 0 60 0 ECO
15:46:09.099901 icmp 12.129.11.29 -> 142.58.167.128 1 0 60 0 ECO
15:46:03.219249 icmp 12.129.11.29 -> 142.58.167.128 1 0 60 0 ECO
15:46:14.981449 icmp 12.129.11.29 -> 142.58.167.128 1 0 60 0 ECO
20:06:16.354938 man 33620040 0 325312512 838861 12 0 325312512 2415919230 SHT
%ra -r icmp3.argus
ArgusAlert: ra[45359]: ArgusReadConnection: not Argus-2.0 data stream.
%ra3 -r icmp3.argus -n
20:06:03.413983 man 0 0 29 1 12 1 29 1461084 STP
%
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
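The check the post does by eye (line up the tcpdump packet list against what ra and ra3 print and see which packets got no flow record, and which records come out in the wrong order) as a small script. This is an added example, not code from the argus project or from the post. It assumes the exact column layouts shown above for `tcpdump -nn`, `ra -nn` (argus 2.0) and `ra3 -n`, and assumes a 5 second ARGUS_FLOW_STATUS_INTERVAL for deciding whether a record "covers" a packet; the sample input is trimmed from the post's own output (last four echo requests, plus the ra3 run that produced only a management record).

```python
"""Cross-check a tcpdump listing against the flow records Argus produced.
Added example (not argus project code): parses the text layouts printed by
tcpdump -nn, ra -nn (argus 2.0) and ra3 -n and reports packets with no
covering flow record, a packet-count mismatch, and out-of-order records."""
import re
from typing import Dict, List, NamedTuple, Tuple

# Assumption of this example: flows are reported at least every 5 seconds
# (argus.conf ARGUS_FLOW_STATUS_INTERVAL), so a packet counts as covered by a
# same-endpoint record that starts at most 5 s before it.
STATUS_INTERVAL = 5


class Packet(NamedTuple):
    secs: int   # seconds since midnight (tcpdump prints no date)
    proto: str
    src: str
    dst: str


class Record(NamedTuple):
    secs: int
    proto: str
    src: str
    dst: str
    pkts: int   # src pkts + dst pkts as printed by ra
    state: str


# tcpdump: "15:45:10.031334 IP 12.129.11.29 > 142.58.167.128: ICMP echo ..."
TCPDUMP_RE = re.compile(r'^(\d\d):(\d\d):(\d\d)\.\d+ IP (\S+) > (\S+): ICMP ')
# ra 2.0: "28 Aug 06 15:45:10 icmp A -> B 1 0 60 0 ECO"
# ra3:    "15:45:10.031334 icmp A -> B 1 0 60 0 ECO"
# Management records ("man ...") carry no "->" and are skipped on purpose.
RA_RE = re.compile(r'^(?:\d\d \w{3} \d\d )?(\d\d):(\d\d):(\d\d)(?:\.\d+)? (\w+) '
                   r'(\S+) -> (\S+) (\d+) (\d+) \S+ \S+ (\w+)$')


def _secs(h: str, m: str, s: str) -> int:
    return int(h) * 3600 + int(m) * 60 + int(s)


def parse_tcpdump(text: str) -> List[Packet]:
    pkts = []
    for line in text.splitlines():
        m = TCPDUMP_RE.match(line.strip())
        if m:
            h, mi, s, src, dst = m.groups()
            pkts.append(Packet(_secs(h, mi, s), 'icmp', src, dst))
    return pkts


def parse_ra(text: str) -> List[Record]:
    recs = []
    for line in text.splitlines():
        m = RA_RE.match(line.strip())
        if m:
            h, mi, s, proto, src, dst, sp, dp, state = m.groups()
            recs.append(Record(_secs(h, mi, s), proto, src, dst,
                               int(sp) + int(dp), state))
    return recs


def uncovered_packets(pkts: List[Packet], recs: List[Record]) -> List[Packet]:
    """Packets with no same-endpoint record starting within STATUS_INTERVAL."""
    return [p for p in pkts if not any(
        r.proto == p.proto and r.src == p.src and r.dst == p.dst
        and r.secs <= p.secs < r.secs + STATUS_INTERVAL for r in recs)]


def out_of_order(recs: List[Record]) -> List[Tuple[Record, Record]]:
    """Adjacent record pairs whose start time goes backwards."""
    return [(a, b) for a, b in zip(recs, recs[1:]) if b.secs < a.secs]


def check(tcpdump_text: str, ra_text: str) -> Dict[str, int]:
    pkts, recs = parse_tcpdump(tcpdump_text), parse_ra(ra_text)
    return {'packets': len(pkts), 'records': len(recs),
            'uncovered': len(uncovered_packets(pkts, recs)),
            'count_delta': len(pkts) - sum(r.pkts for r in recs),
            'reordered': len(out_of_order(recs))}


# Sample input trimmed from the post (last four echo requests).
TCPDUMP_OUT = """\
15:45:57.297864 IP 12.129.11.29 > 142.58.167.128: ICMP echo request, id 21096, seq 26617, length 20
15:46:03.219249 IP 12.129.11.29 > 142.58.167.128: ICMP echo request, id 21096, seq 48906, length 20
15:46:09.099901 IP 12.129.11.29 > 142.58.167.128: ICMP echo request, id 21096, seq 65051, length 20
15:46:14.981449 IP 12.129.11.29 > 142.58.167.128: ICMP echo request, id 21096, seq 13869, length 20
"""
RA2_OUT = """\
28 Oct 06 20:06:16 man 229.97.122.203 v2.0 1 0 0 0 0 0 STA
28 Aug 06 15:45:57 icmp 12.129.11.29 -> 142.58.167.128 1 0 60 0 ECO
28 Aug 06 15:46:09 icmp 12.129.11.29 -> 142.58.167.128 1 0 60 0 ECO
28 Aug 06 15:46:03 icmp 12.129.11.29 -> 142.58.167.128 1 0 60 0 ECO
28 Aug 06 15:46:14 icmp 12.129.11.29 -> 142.58.167.128 1 0 60 0 ECO
"""
RA3_OUT = "20:06:03.413983 man 0 0 29 1 12 1 29 1461084 STP\n"
```

Running `check(TCPDUMP_OUT, RA2_OUT)` reports four packets, four records, nothing uncovered and one reordered pair (the 15:46:09 record printed ahead of 15:46:03), while `check(TCPDUMP_OUT, RA3_OUT)` reports zero records and all four packets uncovered, which is the rc.33 symptom the post describes. The coverage test is deliberately loose (one status interval, endpoints only) so that a record aggregating several packets is not flagged; the `count_delta` figure catches packets that were silently dropped from an aggregated record.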