No ra() output with FBSD 6.2

Kevin & Leah Branch klkbranch at hotmail.com
Thu Dec 27 10:30:59 EST 2007 



From: klkbranch at hotmail.com
To: scott at xs4all.net
Subject: RE: [ARGUS] No ra() output with FBSD 6.2
Date: Thu, 27 Dec 2007 14:56:07 +0000








Scott,

I noticed the same issue recently, and it appears that the ra in argus-clients.3.0.0.rc.65 defaults to showing no data fields, so you just see blank lines.  Every one of those blank lines represent a real record though.  You can add the -s field-specifier parameter to your ra command to specify which fields to show and you'll start seeing stuff, like this:
    ra -r argus-data-file -s stime flgs proto saddr sport dir daddr dport pkts bytes state

The easiest thing for me though was to copy 
    ./support/Config/rarc
from the argus-clients-3.0.0.rc.65 tarball to the file
    ~/.rarc

Then ra will pull lots of things from that .rarc file including this
    RA_FIELD_SPECIFIER="stime flgs proto saddr sport dir daddr dport pkts bytes state"

Works for me.  I don't quite understand what the default of no fields is about, but it's easy to work around anyway.

Kevin


> From: scott at xs4all.net
> To: argus-info at lists.andrew.cmu.edu
> Date: Thu, 27 Dec 2007 14:36:54 +0100
> Subject: [ARGUS] No ra() output with FBSD 6.2
> 
> Hi,
> 
> One of my argus boxes was recently "upgraded" from FreeBSD 4.x to  
> 6.2.  In the process, my argus2 install finally died and I took the  
> chance to upgrade this last box to argus3...it's my only FBSD box  
> running Argus, so this problem may be unique to me, or not.
> 
> argus() itself is logging packets just fine.  A "strings" on the argus  
> output file shows data I'd expect to see.  However, ra() fails to  
> generate anything useful, only spewing tens of thousands of what  
> appear to be completely *empty* lines.
> 
> ra isn't linked to anything weird:
> 
> /usr/local/bin/ra:
> 	libm.so.4 => /lib/libm.so.4 (0x480d4000)
> 	libreadline.so.6 => /lib/libreadline.so.6 (0x480ea000)
> 	libncurses.so.6 => /lib/libncurses.so.6 (0x48117000)
> 	libpthread.so.2 => /lib/libpthread.so.2 (0x48156000)
> 	libc.so.6 => /lib/libc.so.6 (0x4817b000)
> 
> And reports:
> 
> Ra Version 3.0.0.rc.65
> 
> Yet the very same "ra -n -r argus_data" that works on my linux boxes  
> spews nothing but whitespace on this box.
> 
> No rarc involved, ktrace looks normal, and even the kdump output seems  
> to see the same data that "strings" does..
> 
> I must be missing something trivial...ideas?
> 
> Thanks,
> 
> Scott
> 

Get the power of Windows + Web with the new Windows Live. Get it now!

_________________________________________________________________
Don't get caught with egg on your face. Play Chicktionary!
http://club.live.com/chicktionary.aspx?icid=chick_wlhmtextlink1_dec
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20071227/8c0f9efb/attachment.html>

More information about the argus mailing list