racluster segv reading argus v2 file
Carter Bullard
carter at qosient.com
Wed Mar 11 17:35:15 EDT 2009
The blank lines could be protocols that we don't have support for
(can't decode the address so it prints blanks). It could be a
non-standard protocol number that I missed in the port, or it's
a mangled record that we're having trouble decoding.

Argus-2.x tracks a lot of flows that aren't IP flows, so they could
be good ethernet flows. The proto field should be the ethertype
field, but a number of 156 is not a valid ethertype (it would be
the length of an 802.3 packet).

Any chance I can get the file to fix?
Carter
On Mar 11, 2009, at 4:54 PM, Mike Iglesias wrote:
> Carter Bullard wrote:
>> Hey Mike,
>> I see that you're getting records from your 2.x stream that don't
>> have a flow DSR in them (segfault in ArgusProcessServiceAvailability()).
>>
>> That is not really supposed to happen. Does ra() do ok with that
>> file?
>
> It looked like it was working ok, and then I got about 40 lines of
> output that were completely blank except for the "<->" in the middle
> of the line. Then I got one line that looked normal except the IPs
> looked like MAC addresses:
>
> 19:56:36.429496 v 156 58:73:49:b7:61:35.192 <-> 49:b7:61:35:0:4.153 22314297 5252598 CON
>
> Then about 40 more lines of all blank except for the "<->", then
> normal output again. Out of about 332k lines of output from ra, about
> 5200 of them were the all blank lines, so this happened more than once.
>
> --
> Mike Iglesias
> UCI Network Security Team                Email: security at uci.edu
> University of California, Irvine         phone: 949-824-6926
> Network & Academic Computing Services    FAX: 949-824-2270
Carter Bullard
CEO/President
QoSient, LLC
150 E 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax
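As an added illustration of the length-versus-ethertype point made above (not code from this thread or from argus itself), a small triage pass over ra output that counts the all-blank "<->" records and flags MAC-address flows whose proto value is an 802.3 length rather than an EtherType. The ra column order (time, optional flags, proto, source, direction, destination) and the MAC formatting are assumptions taken from the quoted line.

```python
import re
# IEEE 802.3: a type/length value <= 1500 is a frame length, >= 0x0600 (1536)
# is an EtherType, and 1501-1535 is undefined.
MAX_8023_LENGTH = 1500
MIN_ETHERTYPE = 0x0600
# Assumed: a MAC as ra prints it (unpadded hex octets), optionally with ".port".
MAC_RE = re.compile(r"^(?:[0-9a-f]{1,2}:){5}[0-9a-f]{1,2}(?:\.\d+)?$", re.I)
DIR_RE = re.compile(r"^<?[-?]>?$")  # ->, <-, <->, <?> between the two addresses

def classify_type_field(value):
    """Say what a 16-bit Ethernet type/length field value represents."""
    if value <= MAX_8023_LENGTH:
        return "802.3-length"
    if value >= MIN_ETHERTYPE:
        return "ethertype"
    return "undefined"

def triage_record(line):
    """Classify one ra line: blank, normal, mac-flow-*, numeric-proto-*."""
    fields = line.split()
    arrows = [i for i, f in enumerate(fields) if DIR_RE.match(f)]
    if arrows and len(fields) == 1:
        return "blank"  # the all-blank "<->" lines from the report
    # Assumed column order: time [flags] proto src DIR dst ...
    if not arrows or arrows[0] < 2 or arrows[0] + 1 >= len(fields):
        return "unparsed"
    i = arrows[0]
    proto, src, dst = fields[i - 2], fields[i - 1], fields[i + 1]
    if not proto.isdigit():
        return "normal"  # named protocol such as tcp or udp
    kind = classify_type_field(int(proto))
    if MAC_RE.match(src) and MAC_RE.match(dst):
        return "mac-flow-" + kind
    return "numeric-proto-" + kind

def summarize(lines):
    """Count record classes over a whole ra output."""
    counts = {}
    for line in lines:
        key = triage_record(line)
        counts[key] = counts.get(key, 0) + 1
    return counts

# Constructed sample; only the third line is the record quoted in the thread.
SAMPLE = [
    "19:56:36.000000 tcp 10.0.0.1.51234 -> 10.0.0.2.22 10 12 CON",
    "<->",
    "19:56:36.429496 v 156 58:73:49:b7:61:35.192 <-> 49:b7:61:35:0:4.153 22314297 5252598 CON",
    "19:56:37.000000 2048 0:1:2:3:4:5 <-> 6:7:8:9:a:b 3 0 INT",
]
```

Running summarize over a full ra dump gives the blank-record count Mike reported by hand, and every "mac-flow-802.3-length" hit is a record worth sending along with the file for decoding.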