Apparent bug in rc.37 and ra man page fix
Peter Van Epp
vanepp at sfu.ca
Fri Jan 12 10:48:01 EST 2007
On Fri, Jan 12, 2007 at 10:08:21AM -0500, Carter Bullard wrote:
> Hey Peter,
> You need to provide a complete CIDR address for network directives.
> I'll try to make it so that it bombs if it doesn't get the right format.
> Try this:
> ra -r bb_argus -n -- net 142.58.71.0/24
>
> I think you are only going to match with a broadcast address with
> your query, so in some ways, it could make sense, but of course
> it's wrong ;o)
>
> Carter
>
Yep, the CIDR version works correctly, but that appears to preclude
odd things like this (that works on 2.0.6):
ra -r /usr/local/argus/com_argus.archive/2007/01/12/com_argus.2007.01.12.06.00.00.0.gz -nn net 142.58.0.254 mask 255.255.0.255
12 Jan 07 05:59:38 s tcp 81.220.150.35.3369 <-> 142.58.165.254.445 3 0 186 0 TIM
12 Jan 07 06:00:11 udp 86.34.241.88.11889 -> 142.58.189.254.137 1 0 92 0 INT
12 Jan 07 06:00:16 udp 100.151.144.104.30476 -> 142.58.144.254.1026 1 0 526 0 INT
,,,
which selects traffic to all of our routers (which are on the .254 address
of each subnet) which is sometimes useful.
While I'm here we have just built a 2.6.18 Linux kernel with the
PF-RING code installed and so far it looks more stable than the previous
versions. It had been going out sideways somewhere and completely hanging the
machine (no console no nothing, power cycle time!) so if this happy state of
affairs continues I should be able to get 3.0 running in parallel with my
current 2.06 sensor on the regen taps on our border. If you are using PF-RING
this may be worth a look (although there are reports of packet corruption on
the mailing list too).
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
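
An added illustration, not part of the original message and not Argus code: the `net 142.58.0.254 mask 255.255.0.255` filter compares only the bits set in the mask, and because that mask is non-contiguous it cannot be written as a single CIDR prefix. The function names are hypothetical, and the last sample record is constructed for contrast.

```python
import ipaddress

# The first three records are the ra output quoted in the message; the last
# one is constructed (a 142.58.71.0/24 host that is not on a .254 address).
SAMPLE = [
    "12 Jan 07 05:59:38 s tcp 81.220.150.35.3369 <-> 142.58.165.254.445 3 0 186 0 TIM",
    "12 Jan 07 06:00:11 udp 86.34.241.88.11889 -> 142.58.189.254.137 1 0 92 0 INT",
    "12 Jan 07 06:00:16 udp 100.151.144.104.30476 -> 142.58.144.254.1026 1 0 526 0 INT",
    "12 Jan 07 06:00:20 udp 86.34.241.88.11890 -> 142.58.71.17.53 1 0 80 0 INT",
]

def to_int(dotted):
    """Dotted-quad IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))

def mask_match(addr, net, mask):
    """True when addr equals net on every bit set in mask.
    The mask does not have to be a contiguous run of 1 bits."""
    m = to_int(mask)
    return (to_int(addr) & m) == (to_int(net) & m)

def is_contiguous(mask):
    """True when mask is 1 bits followed by 0 bits, i.e. expressible as /N."""
    inverted = ~to_int(mask) & 0xFFFFFFFF
    return (inverted & (inverted + 1)) == 0

def flow_addresses(line):
    """Extract IPv4 addresses from an 'ra -n' text record, where each
    endpoint is printed as a.b.c.d.port (five dot-separated numbers)."""
    addrs = []
    for field in line.split():
        parts = field.split(".")
        if len(parts) == 5 and all(p.isdigit() for p in parts):
            addrs.append(".".join(parts[:4]))
    return addrs

def select(lines, net, mask):
    """Keep records where either endpoint matches net under mask."""
    return [l for l in lines
            if any(mask_match(a, net, mask) for a in flow_addresses(l))]

if __name__ == "__main__":
    print("255.255.0.255 contiguous:", is_contiguous("255.255.0.255"))
    for rec in select(SAMPLE, "142.58.0.254", "255.255.0.255"):
        print("router match:", rec)
    for rec in select(SAMPLE, "142.58.71.0", "255.255.255.0"):
        print("CIDR /24 match:", rec)
```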