rc.37 apparent icmp bug

Carter Bullard carter at qosient.com
Wed Jan 24 23:09:05 EST 2007


Hey Peter,
If you could get a packet capture that would be great!!!!

If the Ethernet address matrix is not the same for both packets, we may
decide to zero out the addresses.  That is, if the record was generated
by clustering two uni-directional flows using a program like
racluster().  The merging logic, if it's non-preserving, will zero out
fields that don't match.  But if this is from argus, the probe should give
us the two Ethernet addresses from the first packet.

It may be that the Ethernet addresses are in the record, but the client
is not processing them correctly, so if you can send just the one
errant record, that may be all that is needed to fix the problem.

Carter

On Jan 24, 2007, at 10:03 PM, Peter Van Epp wrote:

> 	Looks like MAC addresses aren't being captured (or perhaps only not
> being displayed) correctly for icmp:
>
>    18:00:01.578744  v    udp   142.58.207.192.35599  <->  142.58.103.1.53      6  6  486  1098  CON  0:d:56:fd:f1:70  0:11:88:5:5d:1d
>    18:11:24.511852  v s  tcp   142.58.6.163.4229      ->  142.58.207.192.445   3  3  198   192  RST  0:11:88:5:5d:1d  0:d:56:fd:f1:70
>    18:38:11.063662  v    icmp  199.60.7.131          <->  142.58.207.192       6  6  468   468  ECO  0:0:0:0:0:0      0:0:0:0:0:0
>
>
> 	I'll try and grab a test tcpdump file tomorrow.
>
> Peter Van Epp / Operations and Technical Support
> Simon Fraser University, Burnaby, B.C. Canada
>
>
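As an added illustration of the two points in this exchange (not code from argus or racluster): the three ra(1) records Peter posted, re-typed on one line each as constructed sample input, are parsed, the all-zero-MAC symptom is flagged, and a "non-preserving" merge of two uni-directional halves is shown zeroing fields that disagree, as Carter describes, versus keeping them when they match. The merge, the half-flow records HALF_A/HALF_B, and the mismatching MAC 2:0:0:0:0:1 are assumptions made for the demonstration, not racluster's actual logic or data.

```python
# Added illustration (not argus/racluster code): parse the ra(1) records from
# the mail, flag records whose MAC fields are all zeros, and demonstrate a
# non-preserving merge of two uni-directional flow halves.
import re

ZERO_MAC = "0:0:0:0:0:0"

# The three records from Peter's mail, re-typed one per line (constructed input).
RA_RECORDS = """\
18:00:01.578744  v    udp   142.58.207.192.35599  <->  142.58.103.1.53      6  6  486  1098  CON  0:d:56:fd:f1:70  0:11:88:5:5d:1d
18:11:24.511852  v s  tcp   142.58.6.163.4229      ->  142.58.207.192.445   3  3  198   192  RST  0:11:88:5:5d:1d  0:d:56:fd:f1:70
18:38:11.063662  v    icmp  199.60.7.131          <->  142.58.207.192       6  6  468   468  ECO  0:0:0:0:0:0      0:0:0:0:0:0
"""

# Field layout as printed above: time, flags, proto, saddr, dir, daddr,
# spkts, dpkts, sbytes, dbytes, state, smac, dmac.  The flags column may be
# one or two tokens ("v", "v s"), so a regex is safer than str.split().
RA_LINE = re.compile(
    r"^(?P<time>\S+)\s+(?P<flags>.*?)\s+(?P<proto>udp|tcp|icmp)\s+"
    r"(?P<saddr>\S+)\s+(?P<dir><->|->|<-)\s+(?P<daddr>\S+)\s+"
    r"(?P<spkts>\d+)\s+(?P<dpkts>\d+)\s+(?P<sbytes>\d+)\s+(?P<dbytes>\d+)\s+"
    r"(?P<state>\S+)\s+(?P<smac>\S+)\s+(?P<dmac>\S+)\s*$"
)


def parse_ra(text):
    """Parse ra-style output lines into dicts; counters become ints."""
    recs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = RA_LINE.match(line.strip())
        if not m:
            raise ValueError("unrecognised ra line: " + line)
        rec = m.groupdict()
        for k in ("spkts", "dpkts", "sbytes", "dbytes"):
            rec[k] = int(rec[k])
        recs.append(rec)
    return recs


def zeroed_mac_records(recs):
    """The check from the mail: records whose MAC fields came back all zeros."""
    return [r for r in recs if r["smac"] == ZERO_MAC and r["dmac"] == ZERO_MAC]


def merge_flows(a, b, preserving=False):
    """Combine two uni-directional records of one flow (assumed merge logic).

    Non-preserving (the default): a MAC field that differs between the two
    halves is zeroed rather than guessed.  preserving=True keeps a's value.
    Packet/byte counters are summed and the direction becomes bidirectional
    when the halves point opposite ways.
    """
    merged = dict(a)
    for k in ("spkts", "dpkts", "sbytes", "dbytes"):
        merged[k] = a[k] + b[k]
    for k in ("smac", "dmac"):
        if a[k] != b[k]:
            merged[k] = a[k] if preserving else ZERO_MAC
    if a["dir"] != b["dir"]:
        merged["dir"] = "<->"
    return merged


# Constructed uni-directional halves of the ICMP flow, both keyed on the
# same src/dst orientation.  The MACs are borrowed from the udp/tcp records
# purely for illustration; the probe's real values for this flow are unknown.
HALF_A = {"time": "18:38:11.063662", "flags": "v", "proto": "icmp",
          "saddr": "199.60.7.131", "dir": "->", "daddr": "142.58.207.192",
          "spkts": 6, "dpkts": 0, "sbytes": 468, "dbytes": 0, "state": "ECO",
          "smac": "0:d:56:fd:f1:70", "dmac": "0:11:88:5:5d:1d"}
HALF_B = dict(HALF_A, dir="<-", spkts=0, dpkts=6, sbytes=0, dbytes=468)


def demo():
    """Return (suspect protos, merged MACs when equal, merged MACs when not)."""
    recs = parse_ra(RA_RECORDS)
    suspect = [r["proto"] for r in zeroed_mac_records(recs)]
    same = merge_flows(HALF_A, HALF_B)
    # Hypothetical mismatch: the second half carries a different dst MAC.
    differ = merge_flows(HALF_A, dict(HALF_B, dmac="2:0:0:0:0:1"))
    return (suspect, same["smac"], same["dmac"], differ["smac"], differ["dmac"])


if __name__ == "__main__":
    print(demo())
```

Only the icmp record is flagged, which is the symptom in the mail. The merge shows why that alone does not settle where the zeros came from: matching halves keep both MACs, while a single mismatched field is zeroed by a non-preserving merge, so the raw record from the probe (or the packet capture) is what distinguishes a clustering artifact from a client parsing bug.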