new rc.38 code available on the server

Carter Bullard carter at qosient.com
Thu Jan 25 09:09:13 EST 2007 

Hey Robin,
Hmmmmm, not sure what the data is suppose to look like?

For your racluster() call, you have to have the 'proto' in flow model  
definition
for the' dport' to have any meaning (needs to see that the proto  
field is
ip, and tcp or udp or icmp or whatever).

     racluster -m saddr daddr proto dport -s  saddr daddr ....

What is notably wrong with the output?
How are things on your side of the planet?

Carter


On Jan 25, 2007, at 3:51 AM, Robin Gruyters wrote:

> uuuh, don't know what has changed since the last release (37), but  
> my output is completely f***ed up.
>
> [...]
> $ racluster -m saddr daddr dport -s saddr daddr dport sbytes dbytes  
> -r sql.arg.bz2
>      SrcAddr            DstAddr        Dport     SrcBytes     DstBytes
>           2.0.4.10           4.0.5.10            28676799     26842218
>           3.0.5.10           4.0.5.10          3106821685   3393005959
>           4.0.5.10           5.0.5.10                  60           66
>           4.0.5.10           5.0.5.10                 300          330
>           4.0.5.10           5.0.5.10                1500         1650
>           5.0.5.10           4.0.5.10            80051933     97657330
> [...]
>
> Same goes for ra(1)
> [...]
> $ ra -nnr sql.arg.bz2 - 'ip'
>                StartTime    Flgs   Proto      SrcAddr         
> Sport   Dir      DstAddr        Dport  SrcPkts  DstPkts      
> SrcBytes     DstBytes State
> 07-01-20 01:00:08.217335               6            
> 5.0.5.10.50941    <?>           4.0.5.10.5432         10         
> 8         2339         2805   CON
> 07-01-20 01:00:15.507527               6            
> 5.0.5.10.50941    <?>           4.0.5.10.5432         14        
> 12         2424         2890   CON
> 07-01-20 01:00:13.430267               6            
> 3.0.5.10.59695    <?>           4.0.5.10.5432          4         
> 4          797         1244   CON
> [...]
>
> Regards,
>
> Robin Gruyters
> Network and Security Engineer
> Yirdis B.V.
> I: http://yirdis.com
> P: +31 (0)36 5300394
> F: +31 (0)36 5489119
>
>
> Quoting Carter Bullard <carter at qosient.com>:
>
>> Gentle people,
>> New code is on the server for testing.
>>
>>    ftp://qosient.com/dev/argus-3.0
>>
>> This fixes most of the issues on the list.  The things still left to
>> implement are:
>>    management record content verification/printing/etc....
>>    extend netflow support to version 7, 8
>>
>> Hope all is most excellent, and thanks for all the efforts!!!
>>
>> Carter
>
>
>


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20070125/c246d31f/attachment.html>

More information about the argus mailing list