problem with to read rasplit -w

Carter Bullard carter at qosient.com
Wed Aug 26 16:02:14 EDT 2009


Hey Jean-Marc,
Hmmmm, I see what the problem is and I have a patch, but I don't see
how it could happen, yet.  The tag that tells us what version of argus
we're reading is not in network order, it's in host order.  The rest of
the file is fine.   The patch below should allow you to read any
files in your archive that are corrupt.   Send mail after you try it.

So just a few questions.

Is it an arbitrary hourly file in the directory that is unreadable, or
always the second one, or every other one?

The way that most people would generate this archive is to have radium()
read the netflow records, and then have rasplit() attach to the radium.
Did you try that at any time and get different results?  If not, don't
worry, your method should work fine.

Carter

------ start included patch -------
==== //depot/argus/clients/common/argus_util.c#174 - /home/carter/ 
argus/clients/common/argus_util.c ====
19003c19003,19004
<                      if (argus.argus_mar.argusid ==  
ntohl(ARGUS_COOKIE)) {
---
 >                      if ((argus.argus_mar.argusid ==  
ntohl(ARGUS_COOKIE)) ||
 >                          (argus.argus_mar.argusid ==        
ARGUS_COOKIE)) {
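
Review bot: the added comparison (argus.argus_mar.argusid == ARGUS_COOKIE) at line 19003 accepts a host-order tag silently, with no comment saying why and nothing that marks the file as having a mis-ordered tag. Suggest a comment stating that this is a reader-side workaround for files whose version tag was written in host order, and a debug message or flag when the second branch is the one that matches, so affected archive files can be found and the writer that produced them tracked down. On big-endian hosts ntohl() is the identity, so the two comparisons are the same there and the new branch only has an effect on little-endian readers.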

------end included patch ------

On Aug 26, 2009, at 11:35 AM, jean-marc pouchoulon wrote:

>
>
> 2009/8/26 Carter Bullard <carter at qosient.com>
> Hey Jean-Marc,
>
> hello carter,
>
> If you can share an argus data file that can't be read, that will  
> help a lot!!
> You can email directly to me, or upload to ftp://qosient.com/incoming.
>
> Even though there is nothing secret in the flow, thanks a lot for
> deleting the file after you have had a look at it.
> I created a small one-minute extract; I hope it will supply any
> information that you need.
>
>
> Can you send the command line options that you are using with  
> rasplit()?
>
>
>
>  /bin/su - argus -c '/usr/local/bin/rasplit -C IPaddr:5661 -P 5662 -M time 60m -d -n -w /var/argus/%Y/%m/%d/argus_%H:%M:%S'
>
> -P is not used anymore I suppose ?
> I tried also without this option.
>
>
> There was a serious bug in rasplit() a few months ago.  Although the
> bug was unrelated to this type of behavior, do you remember what
> version of rasplit() generated the corrupt files?
>
> rasplit -h
> Rasplit Version 3.0.2.beta.12
> usage: rasplit
>
>  thanks a lot for your help
>
> jean-marc
> <argus_moi17%3A14%3A00>




