new rc.38 code available on the server
Carter Bullard
carter at qosient.com
Thu Jan 25 10:50:13 EST 2007
When you look at archived data with the new clients, are the addresses
backwards, or are they the same? In other words, is it ra* or argus that
is generating the problem?
Carter
On Jan 25, 2007, at 9:14 AM, Robin Gruyters wrote:
> It looks like the order has changed. The IP addresses are backwards.
>
> 2.0.4.10 => 10.4.0.2
> 3.0.5.10 => 10.5.0.3
> 4.0.5.10 => 10.5.0.4
> etc...
>
> Regards,
>
> Robin
>
> Quoting Carter Bullard <carter at qosient.com>:
>
>> Hey Robin,
>> Hmmmmm, not sure what the data is supposed to look like?
>>
>> For your racluster() call, you have to have the 'proto' in the flow model
>> definition for the 'dport' to have any meaning (it needs to see that the
>> proto field is ip, and tcp or udp or icmp or whatever).
>>
>> racluster -m saddr daddr proto dport -s saddr daddr ....
>>
>> What is notably wrong with the output?
>> How are things on your side of the planet?
>>
>> Carter
>>
>>
>> On Jan 25, 2007, at 3:51 AM, Robin Gruyters wrote:
>>
>>> uuuh, don't know what has changed since the last release (37),
>>> but my output is completely f***ed up.
>>>
>>> [...]
>>> $ racluster -m saddr daddr dport -s saddr daddr dport sbytes dbytes -r sql.arg.bz2
>>>   SrcAddr     DstAddr   Dport    SrcBytes    DstBytes
>>>  2.0.4.10    4.0.5.10            28676799    26842218
>>>  3.0.5.10    4.0.5.10          3106821685  3393005959
>>>  4.0.5.10    5.0.5.10                  60          66
>>>  4.0.5.10    5.0.5.10                 300         330
>>>  4.0.5.10    5.0.5.10                1500        1650
>>>  5.0.5.10    4.0.5.10            80051933    97657330
>>> [...]
>>>
>>> Same goes for ra(1)
>>> [...]
>>> $ ra -nnr sql.arg.bz2 - 'ip'
>>>          StartTime  Flgs  Proto        SrcAddr.Sport  Dir        DstAddr.Dport  SrcPkts  DstPkts  SrcBytes  DstBytes  State
>>> 07-01-20 01:00:08.217335        6       5.0.5.10.50941  <?>       4.0.5.10.5432       10        8      2339      2805  CON
>>> 07-01-20 01:00:15.507527        6       5.0.5.10.50941  <?>       4.0.5.10.5432       14       12      2424      2890  CON
>>> 07-01-20 01:00:13.430267        6       3.0.5.10.59695  <?>       4.0.5.10.5432        4        4       797      1244  CON
>>> [...]
>>>
>>> Regards,
>>>
>>> Robin Gruyters
>>> Network and Security Engineer
>>> Yirdis B.V.
>>> I: http://yirdis.com
>>> P: +31 (0)36 5300394
>>> F: +31 (0)36 5489119
>>>
>>>
>>> Quoting Carter Bullard <carter at qosient.com>:
>>>
>>>> Gentle people,
>>>> New code is on the server for testing.
>>>>
>>>> ftp://qosient.com/dev/argus-3.0
>>>>
>>>> This fixes most of the issues on the list. The things still left to
>>>> implement are:
>>>>   management record content verification/printing/etc....
>>>>   extend netflow support to version 7, 8
>>>>
>>>> Hope all is most excellent, and thanks for all the efforts!!!
>>>>
>>>> Carter
>>>
>>>
>>>
>
>
>
Carter Bullard
CEO/President
QoSient, LLC
150 E. 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax
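The symptom in this thread (2.0.4.10 printed where 10.4.0.2 was expected) is what a 32-bit IPv4 address looks like when its four bytes are written in one byte order and read back in the other. The following is an added example, not code from the argus project or from anyone on this thread: it reproduces the reversal in a few lines and gives a quick check you can run on a column of addresses (for example the SrcAddr column of ra or racluster output) against the networks you know the data came from. The sample addresses are copied from Robin's output above; treating 10.0.0.0/8 as the expected network is an assumption taken from his "2.0.4.10 => 10.4.0.2" list.

```python
import ipaddress
import socket
import struct

# Constructed sample: the addresses the rc.38 clients printed in the thread
# above. The real hosts were 10.4.0.2, 10.5.0.3, ... so 10.0.0.0/8 is
# assumed to be the expected network (taken from the "2.0.4.10 => 10.4.0.2"
# list, not from any argus documentation).
SAMPLE_PRINTED = ["2.0.4.10", "3.0.5.10", "4.0.5.10", "5.0.5.10"]
EXPECTED_NETWORKS = ["10.0.0.0/8"]


def swap_bytes(addr: str) -> str:
    """The dotted quad you see when the same 4 bytes are read in reverse order."""
    return socket.inet_ntoa(socket.inet_aton(addr)[::-1])


def render_with_wrong_order(addr: str) -> str:
    """Reproduce the symptom: take the wire bytes of `addr` as a little-endian
    host-order u32 (x86 assumed, hence the explicit '<'), then serialise that
    u32 as if it were already in network order. The result is the reversed
    dotted quad, i.e. 10.4.0.2 comes out as 2.0.4.10."""
    host_u32 = struct.unpack("<I", socket.inet_aton(addr))[0]
    return socket.inet_ntoa(struct.pack("!I", host_u32))


def diagnose(addrs, networks):
    """Count how many addresses fall inside the expected networks as printed
    versus after byte-swapping them. Returns 'swapped' when swapping makes
    more of them fit, 'ok' when they already fit, 'inconclusive' otherwise."""
    nets = [ipaddress.ip_network(n) for n in networks]

    def hits(candidates):
        return sum(1 for a in candidates
                   if any(ipaddress.ip_address(a) in n for n in nets))

    as_printed = hits(addrs)
    after_swap = hits(swap_bytes(a) for a in addrs)
    if after_swap > as_printed:
        return "swapped"
    if as_printed > after_swap:
        return "ok"
    return "inconclusive"


if __name__ == "__main__":
    for a in SAMPLE_PRINTED:
        print(f"{a:>12} -> {swap_bytes(a)}")
    print("verdict:", diagnose(SAMPLE_PRINTED, EXPECTED_NETWORKS))
```

The check only tells you that the printed addresses are reversed relative to where the traffic really lives; it does not say which side reversed them. That is exactly Carter's question: reading an archive written by an older argus with the new ra* clients isolates the reader, and reading output of the new argus with the old clients isolates the sensor.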