new rc.38 code available on the server

Robin Gruyters r.gruyters at yirdis.nl
Thu Jan 25 09:14:41 EST 2007


It looks like the order has changed. The IP addresses are backwards.

2.0.4.10 => 10.4.0.2
3.0.5.10 => 10.5.0.3
4.0.5.10 => 10.5.0.4
etc...

Regards,

Robin

Quoting Carter Bullard <carter at qosient.com>:

> Hey Robin,
> Hmmmmm, not sure what the data is supposed to look like?
>
> For your racluster() call, you have to have the 'proto' in the flow model
> definition for the 'dport' to have any meaning (it needs to see that the
> proto field is ip, and tcp or udp or icmp or whatever).
>
>     racluster -m saddr daddr proto dport -s  saddr daddr ....
>
> What is notably wrong with the output?
> How are things on your side of the planet?
>
> Carter
>
>
> On Jan 25, 2007, at 3:51 AM, Robin Gruyters wrote:
>
>> uuuh, don't know what has changed since the last release (37), but
>> my output is completely f***ed up.
>>
>> [...]
>> $ racluster -m saddr daddr dport -s saddr daddr dport sbytes dbytes -r sql.arg.bz2
>>     SrcAddr            DstAddr        Dport     SrcBytes     DstBytes
>>          2.0.4.10           4.0.5.10            28676799     26842218
>>          3.0.5.10           4.0.5.10          3106821685   3393005959
>>          4.0.5.10           5.0.5.10                  60           66
>>          4.0.5.10           5.0.5.10                 300          330
>>          4.0.5.10           5.0.5.10                1500         1650
>>          5.0.5.10           4.0.5.10            80051933     97657330
>> [...]
>>
>> Same goes for ra(1)
>> [...]
>> $ ra -nnr sql.arg.bz2 - 'ip'
>>               StartTime    Flgs   Proto      SrcAddr         Sport   Dir      DstAddr        Dport  SrcPkts  DstPkts      SrcBytes      DstBytes State
>> 07-01-20 01:00:08.217335               6            5.0.5.10.50941      <?>           4.0.5.10.5432         10         8         2339         2805   CON
>> 07-01-20 01:00:15.507527               6            5.0.5.10.50941      <?>           4.0.5.10.5432         14        12         2424         2890   CON
>> 07-01-20 01:00:13.430267               6            3.0.5.10.59695      <?>           4.0.5.10.5432          4         4          797         1244   CON
>> [...]
>>
>> Regards,
>>
>> Robin Gruyters
>> Network and Security Engineer
>> Yirdis B.V.
>> I: http://yirdis.com
>> P: +31 (0)36 5300394
>> F: +31 (0)36 5489119
>>
>>
>> Quoting Carter Bullard <carter at qosient.com>:
>>
>>> Gentle people,
>>> New code is on the server for testing.
>>>
>>>   ftp://qosient.com/dev/argus-3.0
>>>
>>> This fixes most of the issues on the list.  The things still left to
>>> implement are:
>>>   management record content verification/printing/etc....
>>>   extend netflow support to version 7, 8
>>>
>>> Hope all is most excellent, and thanks for all the efforts!!!
>>>
>>> Carter
>>
>>
>>
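The symptom Robin reports (2.0.4.10 where 10.4.0.2 was expected) is what a host/network byte-order mix-up on an IPv4 address looks like on a little-endian machine. The following Python is an added example written for this archive page; it is not code from the thread or from the argus project, and it does not claim to be the actual cause of the rc.38 behaviour. It reproduces the mapping with an explicit endianness error and then runs a sanity check over the address columns quoted above (a constructed sample, not a live capture), flagging rows whose addresses only fall into the expected 10.0.0.0/8 space once the octets are reversed. The expected network is an assumption about the site.

```python
import socket
import struct
from ipaddress import ip_address, ip_network

# Constructed sample: the SrcAddr, DstAddr, SrcBytes, DstBytes columns as
# they appeared in the racluster output quoted in the thread.
SAMPLE_RACLUSTER_ROWS = [
    "2.0.4.10 4.0.5.10 28676799 26842218",
    "3.0.5.10 4.0.5.10 3106821685 3393005959",
    "4.0.5.10 5.0.5.10 60 66",
    "5.0.5.10 4.0.5.10 80051933 97657330",
]

# Assumption: the addresses in this capture really live in 10.0.0.0/8.
EXPECTED_NET = ip_network("10.0.0.0/8")


def reverse_octets(addr: str) -> str:
    """Return the dotted quad with its four octets in reverse order."""
    octets = addr.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted quad: {addr!r}")
    return ".".join(reversed(octets))


def byte_order_swap(addr: str) -> str:
    """Reproduce the symptom with a deliberate endianness mix-up.

    The address is packed in network (big-endian) order, the same four
    bytes are then read back as a little-endian host integer, and that
    integer is printed again in network order. On a little-endian host
    this is exactly an octet reversal: 10.4.0.2 -> 2.0.4.10.
    """
    packed = socket.inet_aton(addr)            # 4 bytes, network order
    (as_host,) = struct.unpack("<I", packed)   # wrong: read as little-endian
    return socket.inet_ntoa(struct.pack("!I", as_host))  # written back big-endian


def flag_reversed_rows(rows, expected_net=EXPECTED_NET):
    """Flag addresses that are outside the expected network as printed but
    inside it once the octets are reversed.

    Returns a list of (column, printed_addr, reversed_addr) tuples. A list
    in which every address needs reversing points at the tool's address
    handling rather than at a change in the traffic.
    """
    findings = []
    for row in rows:
        src, dst, *_ = row.split()
        for column, addr in (("src", src), ("dst", dst)):
            as_printed = ip_address(addr) in expected_net
            swapped = reverse_octets(addr)
            if not as_printed and ip_address(swapped) in expected_net:
                findings.append((column, addr, swapped))
    return findings


if __name__ == "__main__":
    for addr in ("10.4.0.2", "10.5.0.3", "10.5.0.4"):
        print(f"{addr} read with the wrong byte order prints as {byte_order_swap(addr)}")
    for column, printed, fixed in flag_reversed_rows(SAMPLE_RACLUSTER_ROWS):
        print(f"{column}: {printed} is outside {EXPECTED_NET}, reversed {fixed} is inside")
```

Running the check over a few hundred lines of `racluster` or `ra -nn` output is enough to tell a byte-order regression apart from a genuine change in the traffic: in the former case every address in the file flips, in the latter only some do.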




