radium providing random user data

Jason Carr jcarr at andrew.cmu.edu
Wed Nov 18 16:22:52 EST 2009


Hate to reply to my own email, but radium from argus-clients-3.0.2.beta.11 actually contains the proper data in the suser/duser fields.

Any thoughts as to what changed to make this happen?

- Jason

On Nov 16, 2009, at 1:34 PM, Jason Carr wrote:

> Hi Carter,
> 
> All flows are non-plaintext flows, which is super confusing, even though if I connect directly there are plenty of plaintext flows.
> 
> Thanks,
> 
> Jason
> 
> 
> On Nov 16, 2009, at 1:16 PM, Carter Bullard wrote:
> 
>> Hey Jason,
>> With each status record, we capture another "whatever number of bytes" of
>> user data.  If argus generates 5 status records for a flow, you'll get 5 sets of
>> user data being captured.   You may be seeing user data from the middle
>> of a session?
>> 
>> Carter
>> 
>> On Nov 16, 2009, at 1:11 PM, Jason Carr wrote:
>> 
>>> Hello everyone,
>>> 
>>> I'm running argus-3.0.2 server and client.  The server is running on a ppc architecture machine, specifically a Bivio box.  The client portion is running on an amd64 machine.
>>> 
>>> I use radium on the amd64 box to connect to and multiplex multiple argii running on my Bivio box, and it dumps the file onto disk.  Reading this file via 'ra -r filename -s +suser:128 -s +duser:128' provides all of the normal data, such as time, IPs, ports, etc.  The user data seems to be completely off.  Oddly enough, when I connect directly to the argii with ra on the amd64 system that radium is running on, real data is displayed.  ra on the ppc machine displays real data as well.
>>> 
>>> Any thoughts as to why this is happening?
>>> 
>>> Thanks,
>>> 
>>> Jason
>>> 
>>> --
>>> Jason Carr
>>> Information Security Engineer
>>> Information Security Office
>>> 
>>> 
>> 
> 
> 
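Carter's point above, that argus grabs a fresh slice of user data for every status record it emits for a flow, is easy to misread when you look at a single record. The following is an added illustration, not code from the thread or from the argus project: it models a flow as a sequence of status intervals, takes the first N bytes of client and server payload from each interval (as argus does with the suser/duser fields), and classifies each slice as plaintext or not. The SSH-style session, the 128-byte capture size and the printable-ratio threshold are all constructed assumptions; the record layout is a toy model, not the argus binary format.

```python
"""Toy model of per-status-record user data capture (constructed example)."""
import random
import string
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

PRINTABLE = frozenset(string.printable.encode("ascii"))


@dataclass
class StatusRecord:
    """One status record for a flow: the first nbytes of user data seen
    in that status interval, in each direction (toy model of suser/duser)."""
    flow: str
    seq: int
    suser: bytes
    duser: bytes


def capture_user_data(flow: str,
                      intervals: Sequence[Tuple[bytes, bytes]],
                      nbytes: int = 128) -> List[StatusRecord]:
    """Emit one record per status interval, keeping only the first nbytes of
    payload per direction, which is what '-s +suser:128 -s +duser:128' shows."""
    return [StatusRecord(flow, i, src[:nbytes], dst[:nbytes])
            for i, (src, dst) in enumerate(intervals)]


def is_plaintext(data: bytes, threshold: float = 0.9) -> bool:
    """Heuristic: a slice is plaintext if at least `threshold` of its bytes
    are printable ASCII. Empty slices are not plaintext."""
    if not data:
        return False
    printable = sum(1 for b in data if b in PRINTABLE)
    return printable / len(data) >= threshold


def classify(records: Sequence[StatusRecord]) -> List[Tuple[int, bool, bool]]:
    """(seq, src_is_plaintext, dst_is_plaintext) for each status record."""
    return [(r.seq, is_plaintext(r.suser), is_plaintext(r.duser)) for r in records]


def first_plaintext_seq(records: Sequence[StatusRecord]) -> Optional[int]:
    """Sequence number of the first record with plaintext in either direction."""
    for seq, src_ok, dst_ok in classify(records):
        if src_ok or dst_ok:
            return seq
    return None


def build_ssh_like_session(seed: int = 1) -> List[Tuple[bytes, bytes]]:
    """Constructed sample: version banners in the first status interval,
    then encrypted-looking (pseudo-random) bytes in the following intervals."""
    rng = random.Random(seed)

    def noise(n: int) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(n))

    return [
        (b"SSH-2.0-OpenSSH_5.3\r\n", b"SSH-2.0-OpenSSH_5.1p1\r\n"),
        (noise(300), noise(300)),
        (noise(300), noise(300)),
    ]


if __name__ == "__main__":
    recs = capture_user_data("10.0.0.1:50000 -> 10.0.0.2:22", build_ssh_like_session())
    for seq, s_ok, d_ok in classify(recs):
        print(f"record {seq}: suser plaintext={s_ok} duser plaintext={d_ok}")
    print("first plaintext record:", first_plaintext_seq(recs))
```

Only record 0 carries the banners; records 1 and 2 look like ciphertext even though the flow did start in the clear. So if the records you inspect are from later in a session, every flow can look non-plaintext. The check a practitioner would run against real radium output is therefore to look at the earliest status record per flow (or to aggregate records per flow) before concluding that the user data itself is corrupt, which is a different failure from the one the thread ended up attributing to the radium version.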
