Argus giving wrong bytes results ?
Mike Tancsa
mike at sentex.ca
Mon Jul 12 08:18:00 EDT 2010
Also just another datapoint, if I use ra from 3.0.3.14 to read an
argus file created by the older version of radium, it works.
/tmp/argus-clients-3.0.3.14/bin/ra -L0 -nr radium.arg -Zb -N 25 - port 9010
StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport TotPkts TotBytes State
23:59:57.498489 e tcp 172.25.1.1.60183 -> 192.168.1.1.3.9010 9 816 FSPA_
23:59:51.468000 Ne tcp 172.25.1.1.59519 -> 192.168.1.1.3.9010 5 367 FSPA_
23:59:51.556000 Ne tcp 172.25.1.1.58054 -> 192.168.1.1.3.9010 5 403 FSPA_
23:59:57.736000 Ne tcp 172.25.1.1.60183 -> 192.168.1.1.3.9010 5 401 FSPA_
00:00:12.626558 e tcp 172.25.1.1.57736 -> 192.168.1.1.3.9010 10 878 FSPA_
00:00:16.698774 e tcp 172.25.1.1.55670 -> 192.168.1.1.3.9010 10 878 FSPA_
00:00:12.805000 Ne tcp 172.25.1.1.57736 -> 192.168.1.1.3.9010 5 403 FSPA_
00:00:16.913000 Ne tcp 172.25.1.1.55670 -> 192.168.1.1.3.9010 5 403 FSPA_
00:00:17.409000 Ne tcp 172.25.1.1.64095 -> 192.168.1.1.3.9010 5 373 FSPA_
00:00:17.709000 Ne tcp 172.25.1.1.61488 -> 192.168.1.1.3.9010 5 386 FSPA_
00:00:17.190421 e tcp 172.25.1.1.64095 -> 192.168.1.1.3.9010 10 820 FSPA_
00:00:17.490838 e tcp 172.25.1.1.61488 -> 192.168.1.1.3.9010 10 861 FSPA_
00:00:23.292488 e tcp 172.25.1.1.59905 -> 192.168.1.1.3.9010 10 877 FSPA_
00:00:27.742003 e tcp 172.25.1.1.52194 -> 192.168.1.1.3.9010 10 877 FSPA_
00:00:23.500000 Ne tcp 172.25.1.1.59905 -> 192.168.1.1.3.9010 5 402 FSPA_
00:00:25.332000 Ne tcp 172.25.1.1.64507 -> 192.168.1.1.4.9010 5 402 FSPA_
00:00:27.988000 Ne tcp 172.25.1.1.52194 -> 192.168.1.1.3.9010 5 402 FSPA_
At 08:05 AM 7/12/2010, Mike Tancsa wrote:
>At 04:49 PM 7/9/2010, Carter Bullard wrote:
>>Is that with argus-clients-3.0.3.14 ?
>
>Hi,
> I double checked, and yes
>
># pwd
>/tmp/argus-clients-3.0.3.14/bin
>
> ./ra -L0 -n -Zb -C 192.168.1.81:9995
> StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport TotPkts TotBytes State
> 08:00:25.421000 Ne tcp 192.168.1.81.50249 -> 10.88.1.3.9010 36028797 1052069020 FSPA_
> 08:00:26.229000 Ne tcp 192.168.1.81.57754 -> 10.88.1.3.9010 36028797 1059274779 FSPA_
> 08:00:27.025000 Ne tcp 192.168.1.83.59773 -> 10.88.1.3.9010 36028797 9439826293 FSPA_
> 08:00:29.265000 Ne tcp 192.168.1.81.51092 -> 10.88.1.3.9010 36028797 9367768699 FSPA_
> 08:00:30.137000 Ne tcp 192.168.1.83.59523 -> 10.88.1.3.9010 36028797 9223653511 FSPA_
> 08:00:30.309000 Ne tcp 192.168.1.81.54025 -> 10.88.1.3.9010 36028797 1059274779 FSPA_
> 08:00:30.377000 Ne tcp 192.168.1.81.50366 -> 10.88.1.3.9010 36028797 1059274779 FSPA_
> 08:00:32.317000 Ne tcp 192.168.1.81.62894 -> 10.88.1.4.9010 36028797 8431019977 FSPA_
> 08:00:33.173000 Ne tcp 192.168.1.81.50927 -> 10.88.1.3.9010 36028797 7998674413 FSPA_
> 08:00:34.689000 Ne tcp 192.168.1.81.58730 -> 10.88.1.3.9010 36028797 7998674413 FSPA_
> 08:00:35.853000 Ne tcp 192.168.1.81.52157 -> 10.88.1.3.9010 36028797 9367768699 FSPA_
> 08:00:36.337000 Ne tcp 192.168.1.81.62114 -> 10.88.1.4.9010 36028797 7998674413 FSPA_
> 08:00:36.697000 Ne tcp 192.168.1.81.54555 -> 10.88.1.3.9010 36028797 9367768699 FSPA_
> 08:00:25.135000 Ne udp 192.168.1.118.123 -> 192.168.1.82.123 72057594 5476377146 INT
> 08:00:39.807000 Ne tcp 192.168.1.81.58689 -> 10.88.1.3.9010 36028797 8286904789 FSPA_
> 08:00:42.039000 Ne tcp 192.168.1.81.62486 -> 10.88.1.3.9010 36028797 8358962383 FSPA_
> 08:00:42.843000 Ne tcp 192.168.1.81.62241 -> 10.88.1.3.9010 36028797 8431019977 FSPA_
> 08:00:43.763000 Ne tcp 192.168.1.81.55626 -> 10.88.1.3.9010 43234556 1124126614 FSPA_
> 08:00:44.263000 Ne tcp 192.168.1.81.64527 -> 10.88.1.3.9010 36028797 7998674413 FSPA_
> 08:00:45.307000 Ne tcp 192.168.1.81.55953 -> 10.88.1.4.9010 36028797 1059274779 FSPA_
> 08:00:52.059000 Ne tcp 192.168.1.81.59595 -> 10.88.1.3.9010 36028797 7998674413 FSPA_
> 08:00:54.155000 Ne tcp 192.168.1.83.54808 -> 10.88.1.3.9010 36028797 9223653511 FSPA_
> 07:59:51.895000 Ne tcp 192.168.1.83.49982 -> 192.168.1.82.23 28147497 1096429476 SPA_
> 08:00:57.391000 Ne tcp 192.168.1.81.59204 -> 10.88.1.3.9010 36028797 8070732007 FSPA_
> 08:00:57.907000 Ne tcp 192.168.1.81.57558 -> 10.88.1.3.9010 36028797 9367768699 FSPA_
> 08:00:58.863000 Ne tcp 192.168.1.81.52192 -> 10.88.1.3.9010 36028797 9223653511 FSPA_
> 08:00:59.011000 Ne tcp 192.168.1.81.51943 -> 10.88.1.3.9010 36028797 8431019977 FSPA_
> 08:01:01.663000 Ne tcp 192.168.1.81.60079 -> 10.88.1.3.9010 36028797 1059274779 FSPA_
> 08:01:04.122000 Ne tcp 192.168.1.81.62693 -> 10.88.1.3.9010 36028797 1044863261 FSPA_
> 08:01:09.902000 Ne tcp 192.168.1.81.51231 -> 10.88.1.3.9010 36028797 8431019977 FSPA_
> 08:01:10.106000 Ne tcp 192.168.1.81.52592 -> 10.88.1.3.9010 36028797 1044863261 FSPA_
> 08:01:12.194000 Ne tcp 192.168.1.81.62696 -> 10.88.1.3.9010 36028797 7133983284 FSPA_
> 08:01:16.270000 Ne tcp 192.168.1.81.59954 -> 10.88.1.3.9010 36028797 7206040878 FSPA_
> 08:01:19.194000 Ne tcp 192.168.1.81.63059 -> 10.88.1.3.9010 36028797 8431019977 FSPA_
> 08:01:19.334000 Ne tcp 192.168.1.81.56706 -> 10.88.1.3.9010 36028797 1059274779 FSPA_
> 08:01:20.574000 Ne tcp 192.168.1.81.57206 -> 10.88.1.3.9010 36028797 9367768699 FSPA_
>
>
>>Carter
>>
>>On Jul 9, 2010, at 3:28 PM, Mike Tancsa wrote:
>>
>> > At 03:12 PM 7/9/2010, Carter Bullard wrote:
>> >
>> >> Can you do me a favor? Could you have ra() collect enough of the records,
>> >> rather than the current radium() -> racluster() to see if the bug is in writing
>> >> the records out or reading them in. Also, if you could just have ra() print the
>> >> netflow records rather than writing them to disk, may indicate that it doesn't
>> >> have an error in converting the netflow to argus, but writing the records to
>> >
>> >
>> > Hi Carter,
>> > It shows up quite quickly this way (IP addresses changed)
>> >
>> > # ra -L0 -n -Zb -C 192.168.1.81:9995
>> > StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport TotPkts TotBytes State
>> > 15:25:49.846000 Ne tcp 192.168.1.81.53812 -> 10.8.9.1.9010 36028797 1059274779 FSPA_
>> > 15:25:37.998000 Ne icmp 192.168.1.81.771 -> 192.168.1.82.0 72057594 4035225266 URP
>> > 15:25:51.566000 Ne tcp 192.168.1.81.57886 -> 10.8.9.1.9010 36028797 9367768699 FSPA_
>> > 15:25:52.926000 Ne tcp 192.168.1.81.50378 -> 10.8.9.1.9010 36028797 7998674413 FSPA_
>> > 15:25:53.662000 Ne tcp 192.168.1.81.50826 -> 10.8.9.1.9010 36028797 7998674413 FSPA_
>> > 15:25:55.966000 Ne tcp 192.168.1.81.58986 -> 10.8.9.1.9010 36028797 1052069020 FSPA_
>> > 15:25:56.282000 Ne tcp 192.168.1.81.57899 -> 10.8.9.1.9010 36028797 1044863261 FSPA_
>> > 15:25:56.914000 Ne tcp 192.168.1.81.61121 -> 10.8.9.1.9010 36028797 1059274779 FSPA_
>> > 15:25:59.270000 Ne tcp 192.168.1.81.53056 -> 10.8.9.1.9010 36028797 1052069020 FSPA_
>> > 15:25:58.546000 Ne tcp 192.168.1.81.62492 -> 10.8.9.1.9010 36028797 8431019977 FSPA_
>> > 15:25:59.814000 Ne tcp 192.168.1.81.54551 -> 10.8.9.1.9010 36028797 1059274779 FSPA_
>> > 15:26:00.878000 Ne tcp 192.168.1.81.56269 -> 10.8.9.1.9010 36028797 1059274779 FSPA_
>> >
>> > ---Mike
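As an added sanity check that is not part of this thread or of the argus distribution: a small Python script that parses the `ra -L0 -n -Zb` rows shown above (each record rejoined onto one line) and flags records whose TotPkts/TotBytes cannot be right. The constructed sample reuses the thread's own good and bad counts and its already-anonymised addresses; the byte-per-packet bounds and the repeated-count heuristic are my assumptions, not something ra implements.

```python
from collections import defaultdict

# Constructed sample: rows of `ra -L0 -n -Zb` (StartTime Flgs Proto SrcAddr Sport
# Dir DstAddr Dport TotPkts TotBytes State) rejoined onto one line each, with
# the counts and anonymised addresses quoted in the thread above.
SAMPLE = """\
23:59:51.468000 Ne tcp 172.25.1.1.59519 -> 192.168.1.1.3.9010 5 367 FSPA_
00:00:12.626558 e tcp 172.25.1.1.57736 -> 192.168.1.1.3.9010 10 878 FSPA_
08:00:25.421000 Ne tcp 192.168.1.81.50249 -> 10.88.1.3.9010 36028797 1052069020 FSPA_
08:00:26.229000 Ne tcp 192.168.1.81.57754 -> 10.88.1.3.9010 36028797 1059274779 FSPA_
08:00:27.025000 Ne tcp 192.168.1.83.59773 -> 10.88.1.3.9010 36028797 9439826293 FSPA_
"""

# Assumed thresholds: smallest IPv4 datagram per transport (NetFlow counts are
# layer 3, so a lower bytes/pkt average is impossible), largest IPv4 datagram, and
# a heuristic that a huge TotPkts repeating verbatim on distinct flows is a misparse.
MIN_BPP = {"tcp": 40, "udp": 28, "icmp": 28}
MAX_BPP = 65535
REPEAT_MIN_PKTS = 10**6
REPEAT_MIN_FLOWS = 2

def parse_ra_line(line):
    """Split one rejoined ra row into a dict; None for the header or garbage."""
    f = line.split()
    if len(f) != 9 or not (f[6].isdigit() and f[7].isdigit()):
        return None
    return {"start": f[0], "flags": f[1], "proto": f[2], "src": f[3],
            "dst": f[5], "pkts": int(f[6]), "bytes": int(f[7]), "state": f[8]}

def check_records(text):
    """Return [(record, [reasons])] for rows whose counters cannot be right."""
    recs = [r for r in map(parse_ra_line, text.splitlines()) if r]
    flows_by_pkts = defaultdict(set)       # TotPkts -> distinct flows showing it
    for r in recs:
        flows_by_pkts[r["pkts"]].add((r["proto"], r["src"], r["dst"]))
    flagged = []
    for r in recs:
        why = []
        bpp = r["bytes"] / max(r["pkts"], 1)
        if bpp < MIN_BPP.get(r["proto"], 20):
            why.append(f"{bpp:.1f} bytes/pkt is below the {r['proto']} minimum")
        elif bpp > MAX_BPP:
            why.append(f"{bpp:.0f} bytes/pkt exceeds one IPv4 datagram")
        n = len(flows_by_pkts[r["pkts"]])
        if r["pkts"] >= REPEAT_MIN_PKTS and n >= REPEAT_MIN_FLOWS:
            why.append(f"TotPkts {r['pkts']} repeats on {n} distinct flows")
        if why:
            flagged.append((r, why))
    return flagged
```

Note that the third bad row passes the bytes-per-packet test (about 262 bytes/pkt) and is caught only by the repeated-count heuristic, which is why a ratio check alone is not enough for this failure.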