Argus giving wrong bytes results ?
Mike Tancsa
mike at sentex.ca
Mon Jul 12 08:05:48 EDT 2010
At 04:49 PM 7/9/2010, Carter Bullard wrote:
>Is that with argus-clients-3.0.3.14 ?
Hi,
I double-checked, and yes
# pwd
/tmp/argus-clients-3.0.3.14/bin
./ra -L0 -n -Zb -C 192.168.1.81:9995
StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport TotPkts TotBytes State
08:00:25.421000 Ne tcp 192.168.1.81.50249 -> 10.88.1.3.9010 36028797 1052069020 FSPA_
08:00:26.229000 Ne tcp 192.168.1.81.57754 -> 10.88.1.3.9010 36028797 1059274779 FSPA_
08:00:27.025000 Ne tcp 192.168.1.83.59773 -> 10.88.1.3.9010 36028797 9439826293 FSPA_
08:00:29.265000 Ne tcp 192.168.1.81.51092 -> 10.88.1.3.9010 36028797 9367768699 FSPA_
08:00:30.137000 Ne tcp 192.168.1.83.59523 -> 10.88.1.3.9010 36028797 9223653511 FSPA_
08:00:30.309000 Ne tcp 192.168.1.81.54025 -> 10.88.1.3.9010 36028797 1059274779 FSPA_
08:00:30.377000 Ne tcp 192.168.1.81.50366 -> 10.88.1.3.9010 36028797 1059274779 FSPA_
08:00:32.317000 Ne tcp 192.168.1.81.62894 -> 10.88.1.4.9010 36028797 8431019977 FSPA_
08:00:33.173000 Ne tcp 192.168.1.81.50927 -> 10.88.1.3.9010 36028797 7998674413 FSPA_
08:00:34.689000 Ne tcp 192.168.1.81.58730 -> 10.88.1.3.9010 36028797 7998674413 FSPA_
08:00:35.853000 Ne tcp 192.168.1.81.52157 -> 10.88.1.3.9010 36028797 9367768699 FSPA_
08:00:36.337000 Ne tcp 192.168.1.81.62114 -> 10.88.1.4.9010 36028797 7998674413 FSPA_
08:00:36.697000 Ne tcp 192.168.1.81.54555 -> 10.88.1.3.9010 36028797 9367768699 FSPA_
08:00:25.135000 Ne udp 192.168.1.118.123 -> 192.168.1.82.123 72057594 5476377146 INT
08:00:39.807000 Ne tcp 192.168.1.81.58689 -> 10.88.1.3.9010 36028797 8286904789 FSPA_
08:00:42.039000 Ne tcp 192.168.1.81.62486 -> 10.88.1.3.9010 36028797 8358962383 FSPA_
08:00:42.843000 Ne tcp 192.168.1.81.62241 -> 10.88.1.3.9010 36028797 8431019977 FSPA_
08:00:43.763000 Ne tcp 192.168.1.81.55626 -> 10.88.1.3.9010 43234556 1124126614 FSPA_
08:00:44.263000 Ne tcp 192.168.1.81.64527 -> 10.88.1.3.9010 36028797 7998674413 FSPA_
08:00:45.307000 Ne tcp 192.168.1.81.55953 -> 10.88.1.4.9010 36028797 1059274779 FSPA_
08:00:52.059000 Ne tcp 192.168.1.81.59595 -> 10.88.1.3.9010 36028797 7998674413 FSPA_
08:00:54.155000 Ne tcp 192.168.1.83.54808 -> 10.88.1.3.9010 36028797 9223653511 FSPA_
07:59:51.895000 Ne tcp 192.168.1.83.49982 -> 192.168.1.82.23 28147497 1096429476 SPA_
08:00:57.391000 Ne tcp 192.168.1.81.59204 -> 10.88.1.3.9010 36028797 8070732007 FSPA_
08:00:57.907000 Ne tcp 192.168.1.81.57558 -> 10.88.1.3.9010 36028797 9367768699 FSPA_
08:00:58.863000 Ne tcp 192.168.1.81.52192 -> 10.88.1.3.9010 36028797 9223653511 FSPA_
08:00:59.011000 Ne tcp 192.168.1.81.51943 -> 10.88.1.3.9010 36028797 8431019977 FSPA_
08:01:01.663000 Ne tcp 192.168.1.81.60079 -> 10.88.1.3.9010 36028797 1059274779 FSPA_
08:01:04.122000 Ne tcp 192.168.1.81.62693 -> 10.88.1.3.9010 36028797 1044863261 FSPA_
08:01:09.902000 Ne tcp 192.168.1.81.51231 -> 10.88.1.3.9010 36028797 8431019977 FSPA_
08:01:10.106000 Ne tcp 192.168.1.81.52592 -> 10.88.1.3.9010 36028797 1044863261 FSPA_
08:01:12.194000 Ne tcp 192.168.1.81.62696 -> 10.88.1.3.9010 36028797 7133983284 FSPA_
08:01:16.270000 Ne tcp 192.168.1.81.59954 -> 10.88.1.3.9010 36028797 7206040878 FSPA_
08:01:19.194000 Ne tcp 192.168.1.81.63059 -> 10.88.1.3.9010 36028797 8431019977 FSPA_
08:01:19.334000 Ne tcp 192.168.1.81.56706 -> 10.88.1.3.9010 36028797 1059274779 FSPA_
08:01:20.574000 Ne tcp 192.168.1.81.57206 -> 10.88.1.3.9010 36028797 9367768699 FSPA_
>Carter
>
>On Jul 9, 2010, at 3:28 PM, Mike Tancsa wrote:
>
> > At 03:12 PM 7/9/2010, Carter Bullard wrote:
> >
> >> Can you do me a favor? Could you have ra() collect enough of the records,
> >> rather than the current radium() -> racluster() to see if the bug is in writing
> >> the records out or reading them in. Also, if you could just have ra() print the
> >> netflow records rather than writing them to disk, may indicate that it doesn't
> >> have an error in converting the netflow to argus, but writing the records to
> >
> >
> > Hi Carter,
> > It shows up quite quickly this way (IP addresses changed)
> >
> > # ra -L0 -n -Zb -C 192.168.1.81:9995
> > StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport TotPkts TotBytes State
> > 15:25:49.846000 Ne tcp 192.168.1.81.53812 -> 10.8.9.1.9010 36028797 1059274779 FSPA_
> > 15:25:37.998000 Ne icmp 192.168.1.81.771 -> 192.168.1.82.0 72057594 4035225266 URP
> > 15:25:51.566000 Ne tcp 192.168.1.81.57886 -> 10.8.9.1.9010 36028797 9367768699 FSPA_
> > 15:25:52.926000 Ne tcp 192.168.1.81.50378 -> 10.8.9.1.9010 36028797 7998674413 FSPA_
> > 15:25:53.662000 Ne tcp 192.168.1.81.50826 -> 10.8.9.1.9010 36028797 7998674413 FSPA_
> > 15:25:55.966000 Ne tcp 192.168.1.81.58986 -> 10.8.9.1.9010 36028797 1052069020 FSPA_
> > 15:25:56.282000 Ne tcp 192.168.1.81.57899 -> 10.8.9.1.9010 36028797 1044863261 FSPA_
> > 15:25:56.914000 Ne tcp 192.168.1.81.61121 -> 10.8.9.1.9010 36028797 1059274779 FSPA_
> > 15:25:59.270000 Ne tcp 192.168.1.81.53056 -> 10.8.9.1.9010 36028797 1052069020 FSPA_
> > 15:25:58.546000 Ne tcp 192.168.1.81.62492 -> 10.8.9.1.9010 36028797 8431019977 FSPA_
> > 15:25:59.814000 Ne tcp 192.168.1.81.54551 -> 10.8.9.1.9010 36028797 1059274779 FSPA_
> > 15:26:00.878000 Ne tcp 192.168.1.81.56269 -> 10.8.9.1.9010 36028797 1059274779 FSPA_
> >
> >
> >
> > ---Mike
> >
> >
> >
> >
>
>