Argus giving wrong bytes results ?

Mike Tancsa mike at sentex.ca
Mon Jul 12 11:25:54 EDT 2010


At 10:36 AM 7/12/2010, Carter Bullard wrote:
>If you were to run
>    ./ra -C 192.168.1.81:9995 -w - | ./ra  -L0 -n -Zb
>
>I suspect that you will get a different output?
>Thanks again!!!!!!!!!

Hi Carter,
         Somewhat different in that the correct packets seem to be in there, but still with errors


  11:20:21.170000 Ne         tcp     192.168.1.81.59886     ->      10.8.0.1.9010          5        386 FSPA_
  11:20:22.674000 Ne         tcp     192.168.1.81.50352     ->      10.8.0.1.9010   36028797 7998674413 FSPA_
  11:20:24.090000 Ne         tcp     192.168.1.81.60034     ->      10.8.0.1.9010          5        403 FSPA_
  11:20:24.874000 Ne         tcp     192.168.1.81.52558     ->      10.8.0.1.9010          5        403 FSPA_
  11:20:24.918000 Ne         tcp     192.168.1.81.60853     ->      10.8.0.4.9010          5        402 FSPA_
  11:20:25.798000 Ne         tcp     192.168.1.81.55631     ->      10.8.0.1.9010          5        403 FSPA_
  11:20:26.550000 Ne         tcp     192.168.1.81.61610     ->      10.8.0.1.9010   36028797 8358962383 FSPA_
  11:20:26.854000 Ne         tcp     192.168.1.81.64095     ->      10.8.0.1.9010   36028797 5116370651 FSPA_
  11:20:26.418000 Ne         tcp     192.168.1.81.58063     ->      10.8.0.1.9010   36028797 8431019977 FSPA_
  11:20:27.230000 Ne         tcp     192.168.1.81.51870     ->      10.8.0.1.9010   36028797 5116370651 FSPA_
  11:20:29.018000 Ne         tcp     192.168.1.81.61294     ->      10.8.0.1.9010          5        403 FSPA_
  11:20:29.326000 Ne         tcp     192.168.1.81.62072     ->      10.8.0.1.9010   36028797 5116370651 FSPA_
  11:20:29.766000 Ne         tcp     192.168.1.81.56880     ->      10.8.0.1.9010   36028797 5116370651 FSPA_
  11:20:31.238000 Ne         tcp     192.168.1.81.64633     ->      10.8.0.1.9010          5        403 FSPA_
  11:20:31.470000 Ne         tcp     192.168.1.81.55581     ->      10.8.0.1.9010   36028797 8358962383 FSPA_
  11:20:37.689000 Ne         tcp     192.168.1.83.50317     ->      10.8.0.1.9010          5        419 FSPA_
  11:20:38.409000 Ne         tcp     192.168.1.81.60864     ->      10.8.0.1.9010          5        403 FSPA_
  11:20:39.589000 Ne         tcp     192.168.1.81.58058     ->      10.8.0.1.9010          5        403 FSPA_
  11:20:39.633000 Ne         tcp     192.168.1.81.62893     ->      10.8.0.1.9010          5        403 FSPA_
  11:20:27.105000 Ne         udp    192.168.1.118.123       ->     192.168.1.82.123   72057594 5476377146   INT
  11:20:40.113000 Ne         tcp     192.168.1.81.50166     ->      10.8.0.1.9010          5        403 FSPA_
  11:20:46.589000 Ne         tcp     192.168.1.81.63839     ->      10.8.0.1.9010   36028797 8286904789 FSPA_



         ---Mike

>Carter
>
>On Jul 12, 2010, at 8:18 AM, Mike Tancsa wrote:
>
> >
> > Also just another datapoint, if I use ra from 3.0.3.14 to read an argus file created by the older version of radium, it works.
> >
> > /tmp/argus-clients-3.0.3.14/bin/ra -L0 -nr radium.arg -Zb -N 25 - port 9010
> >         StartTime    Flgs  Proto            SrcAddr  Sport   Dir          DstAddr  Dport  TotPkts   TotBytes State
> >   23:59:57.498489  e         tcp     172.25.1.1.60183     ->      192.168.1.1.3.9010          9        816 FSPA_
> >   23:59:51.468000 Ne         tcp     172.25.1.1.59519     ->      192.168.1.1.3.9010          5        367 FSPA_
> >   23:59:51.556000 Ne         tcp     172.25.1.1.58054     ->      192.168.1.1.3.9010          5        403 FSPA_
> >   23:59:57.736000 Ne         tcp     172.25.1.1.60183     ->      192.168.1.1.3.9010          5        401 FSPA_
> >   00:00:12.626558  e         tcp     172.25.1.1.57736     ->      192.168.1.1.3.9010         10        878 FSPA_
> >   00:00:16.698774  e         tcp     172.25.1.1.55670     ->      192.168.1.1.3.9010         10        878 FSPA_
> >   00:00:12.805000 Ne         tcp     172.25.1.1.57736     ->      192.168.1.1.3.9010          5        403 FSPA_
> >   00:00:16.913000 Ne         tcp     172.25.1.1.55670     ->      192.168.1.1.3.9010          5        403 FSPA_
> >   00:00:17.409000 Ne         tcp     172.25.1.1.64095     ->      192.168.1.1.3.9010          5        373 FSPA_
> >   00:00:17.709000 Ne         tcp     172.25.1.1.61488     ->      192.168.1.1.3.9010          5        386 FSPA_
> >   00:00:17.190421  e         tcp     172.25.1.1.64095     ->      192.168.1.1.3.9010         10        820 FSPA_
> >   00:00:17.490838  e         tcp     172.25.1.1.61488     ->      192.168.1.1.3.9010         10        861 FSPA_
> >   00:00:23.292488  e         tcp     172.25.1.1.59905     ->      192.168.1.1.3.9010         10        877 FSPA_
> >   00:00:27.742003  e         tcp     172.25.1.1.52194     ->      192.168.1.1.3.9010         10        877 FSPA_
> >   00:00:23.500000 Ne         tcp     172.25.1.1.59905     ->      192.168.1.1.3.9010          5        402 FSPA_
> >   00:00:25.332000 Ne         tcp     172.25.1.1.64507     ->      192.168.1.1.4.9010          5        402 FSPA_
> >   00:00:27.988000 Ne         tcp     172.25.1.1.52194     ->      192.168.1.1.3.9010          5        402 FSPA_
> >
> > At 08:05 AM 7/12/2010, Mike Tancsa wrote:
> >> At 04:49 PM 7/9/2010, Carter Bullard wrote:
> >>> Is that with argus-clients-3.0.3.14 ?
> >>
> >> Hi,
> >>        I doubled checked, and yes
> >>
> >> # pwd
> >> /tmp/argus-clients-3.0.3.14/bin
> >>
> >> ./ra -L0 -n -Zb -C 192.168.1.81:9995
> >>         StartTime    Flgs  Proto            SrcAddr  Sport   Dir          DstAddr  Dport  TotPkts   TotBytes State
> >>   08:00:25.421000 Ne         tcp     192.168.1.81.50249     ->      10.88.1.3.9010   36028797 1052069020 FSPA_
> >>   08:00:26.229000 Ne         tcp     192.168.1.81.57754     ->      10.88.1.3.9010   36028797 1059274779 FSPA_
> >>   08:00:27.025000 Ne         tcp     192.168.1.83.59773     ->      10.88.1.3.9010   36028797 9439826293 FSPA_
> >>   08:00:29.265000 Ne         tcp     192.168.1.81.51092     ->      10.88.1.3.9010   36028797 9367768699 FSPA_
> >>   08:00:30.137000 Ne         tcp     192.168.1.83.59523     ->      10.88.1.3.9010   36028797 9223653511 FSPA_
> >>   08:00:30.309000 Ne         tcp     192.168.1.81.54025     ->      10.88.1.3.9010   36028797 1059274779 FSPA_
> >>   08:00:30.377000 Ne         tcp     192.168.1.81.50366     ->      10.88.1.3.9010   36028797 1059274779 FSPA_
> >>   08:00:32.317000 Ne         tcp     192.168.1.81.62894     ->      10.88.1.4.9010   36028797 8431019977 FSPA_
> >>   08:00:33.173000 Ne         tcp     192.168.1.81.50927     ->      10.88.1.3.9010   36028797 7998674413 FSPA_
> >>   08:00:34.689000 Ne         tcp     192.168.1.81.58730     ->      10.88.1.3.9010   36028797 7998674413 FSPA_
> >>   08:00:35.853000 Ne         tcp     192.168.1.81.52157     ->      10.88.1.3.9010   36028797 9367768699 FSPA_
> >>   08:00:36.337000 Ne         tcp     192.168.1.81.62114     ->      10.88.1.4.9010   36028797 7998674413 FSPA_
> >>   08:00:36.697000 Ne         tcp     192.168.1.81.54555     ->      10.88.1.3.9010   36028797 9367768699 FSPA_
> >>   08:00:25.135000 Ne         udp    192.168.1.118.123       ->     192.168.1.82.123   72057594 5476377146   INT
> >>   08:00:39.807000 Ne         tcp     192.168.1.81.58689     ->      10.88.1.3.9010   36028797 8286904789 FSPA_
> >>   08:00:42.039000 Ne         tcp     192.168.1.81.62486     ->      10.88.1.3.9010   36028797 8358962383 FSPA_
> >>   08:00:42.843000 Ne         tcp     192.168.1.81.62241     ->      10.88.1.3.9010   36028797 8431019977 FSPA_
> >>   08:00:43.763000 Ne         tcp     192.168.1.81.55626     ->      10.88.1.3.9010   43234556 1124126614 FSPA_
> >>   08:00:44.263000 Ne         tcp     192.168.1.81.64527     ->      10.88.1.3.9010   36028797 7998674413 FSPA_
> >>   08:00:45.307000 Ne         tcp     192.168.1.81.55953     ->      10.88.1.4.9010   36028797 1059274779 FSPA_
> >>   08:00:52.059000 Ne         tcp     192.168.1.81.59595     ->      10.88.1.3.9010   36028797 7998674413 FSPA_
> >>   08:00:54.155000 Ne         tcp     192.168.1.83.54808     ->      10.88.1.3.9010   36028797 9223653511 FSPA_
> >>   07:59:51.895000 Ne         tcp     192.168.1.83.49982     ->     192.168.1.82.23   28147497 1096429476  SPA_
> >>   08:00:57.391000 Ne         tcp     192.168.1.81.59204     ->      10.88.1.3.9010   36028797 8070732007 FSPA_
> >>   08:00:57.907000 Ne         tcp     192.168.1.81.57558     ->      10.88.1.3.9010   36028797 9367768699 FSPA_
> >>   08:00:58.863000 Ne         tcp     192.168.1.81.52192     ->      10.88.1.3.9010   36028797 9223653511 FSPA_
> >>   08:00:59.011000 Ne         tcp     192.168.1.81.51943     ->      10.88.1.3.9010   36028797 8431019977 FSPA_
> >>   08:01:01.663000 Ne         tcp     192.168.1.81.60079     ->      10.88.1.3.9010   36028797 1059274779 FSPA_
> >>   08:01:04.122000 Ne         tcp     192.168.1.81.62693     ->      10.88.1.3.9010   36028797 1044863261 FSPA_
> >>   08:01:09.902000 Ne         tcp     192.168.1.81.51231     ->      10.88.1.3.9010   36028797 8431019977 FSPA_
> >>   08:01:10.106000 Ne         tcp     192.168.1.81.52592     ->      10.88.1.3.9010   36028797 1044863261 FSPA_
> >>   08:01:12.194000 Ne         tcp     192.168.1.81.62696     ->      10.88.1.3.9010   36028797 7133983284 FSPA_
> >>   08:01:16.270000 Ne         tcp     192.168.1.81.59954     ->      10.88.1.3.9010   36028797 7206040878 FSPA_
> >>   08:01:19.194000 Ne         tcp     192.168.1.81.63059     ->      10.88.1.3.9010   36028797 8431019977 FSPA_
> >>   08:01:19.334000 Ne         tcp     192.168.1.81.56706     ->      10.88.1.3.9010   36028797 1059274779 FSPA_
> >>   08:01:20.574000 Ne         tcp     192.168.1.81.57206     ->      10.88.1.3.9010   36028797 9367768699 FSPA_
> >>
> >>
> >>> Carter
> >>>
> >>> On Jul 9, 2010, at 3:28 PM, Mike Tancsa wrote:
> >>>
> >>> > At 03:12 PM 7/9/2010, Carter Bullard wrote:
> >>> >
> >>> >> Can you do me a favor?  Could you have ra() collect enough of the records,
> >>> >> rather than the current radium() -> racluster() to see if the bug is in writing
> >>> >> the records out or reading them in.  Also, if you could just have ra() print the
> >>> >> netflow records rather than writing them to disk, may indicate that it doesn't
> >>> >> have an error in converting the netflow to argus, but writing the records to
> >>> >
> >>> >
> >>> > Hi Carter,
> >>> >        It shows up quite quickly this way (IP addresses changed)
> >>> >
> >>> > # ra -L0 -n -Zb -C 192.168.1.81:9995
> >>> >         StartTime    Flgs  Proto            SrcAddr  Sport   Dir          DstAddr  Dport  TotPkts   TotBytes State
> >>> >   15:25:49.846000 Ne         tcp     192.168.1.81.53812     ->      10.8.9.1.9010   36028797 1059274779 FSPA_
> >>> >   15:25:37.998000 Ne        icmp     192.168.1.81.771       ->     192.168.1.82.0   72057594 4035225266   URP
> >>> >   15:25:51.566000 Ne         tcp     192.168.1.81.57886     ->      10.8.9.1.9010   36028797 9367768699 FSPA_
> >>> >   15:25:52.926000 Ne         tcp     192.168.1.81.50378     ->      10.8.9.1.9010   36028797 7998674413 FSPA_
> >>> >   15:25:53.662000 Ne         tcp     192.168.1.81.50826     ->      10.8.9.1.9010   36028797 7998674413 FSPA_
> >>> >   15:25:55.966000 Ne         tcp     192.168.1.81.58986     ->      10.8.9.1.9010   36028797 1052069020 FSPA_
> >>> >   15:25:56.282000 Ne         tcp     192.168.1.81.57899     ->      10.8.9.1.9010   36028797 1044863261 FSPA_
> >>> >   15:25:56.914000 Ne         tcp     192.168.1.81.61121     ->      10.8.9.1.9010   36028797 1059274779 FSPA_
> >>> >   15:25:59.270000 Ne         tcp     192.168.1.81.53056     ->      10.8.9.1.9010   36028797 1052069020 FSPA_
> >>> >   15:25:58.546000 Ne         tcp     192.168.1.81.62492     ->      10.8.9.1.9010   36028797 8431019977 FSPA_
> >>> >   15:25:59.814000 Ne         tcp     192.168.1.81.54551     ->      10.8.9.1.9010   36028797 1059274779 FSPA_
> >>> >   15:26:00.878000 Ne         tcp     192.168.1.81.56269     ->      10.8.9.1.9010   36028797 1059274779 FSPA_
> >>> >
> >>> >
> >>> >
> >>> >        ---Mike
> >>> >
> >>> >
> >>> >
> >>> >
> >>>
>
>
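An added check, not part of this thread and not code from the argus-clients project, for the TotPkts/TotBytes columns quoted above. The assumption is mine, not something the thread establishes: each 64-bit counter was read with the wrong byte order, and ra then printed the resulting huge integer cut to its column width (8 characters for TotPkts, 10 for TotBytes in the layout shown). Under that assumption the suspicious columns map back onto the small counters the older radium's file prints for flows of this kind: 5 packets and 403 bytes come out as 36028797 and 1059274779, 5 packets and 367 bytes as 36028797 and 7998674413. The Python below does the arithmetic in both directions and searches for every small counter that reproduces a printed column.

```python
# Added example: not from the argus thread or the argus-clients source.
# Assumption (mine): each 64-bit TotPkts/TotBytes counter was read with the
# wrong byte order, and ra printed the resulting huge integer cut to the
# column width (8 characters for TotPkts, 10 for TotBytes in the layout above).

def swap64(value: int) -> int:
    """Reinterpret an unsigned 64-bit integer with its byte order reversed."""
    return int.from_bytes(value.to_bytes(8, "big"), "little")


def as_printed(value: int, width: int) -> str:
    """Mimic a fixed-width text column that silently drops surplus digits."""
    return str(value)[:width]


def recover(printed: str, width: int, limit: int) -> list:
    """All counters below `limit` whose byte-swapped form prints as `printed`.

    More than one hit means the truncated column is ambiguous on its own.
    """
    return [n for n in range(1, limit)
            if as_printed(swap64(n), width) == printed]


def recover_record(tot_pkts: str, tot_bytes: str):
    """Candidate (packets, bytes) counters behind one suspicious ra line.

    The search bounds are assumptions: a few packets and well under 1 MB,
    which is what the older radium's file shows for flows like these.
    """
    return recover(tot_pkts, 8, 1 << 16), recover(tot_bytes, 10, 1 << 20)


# Columns copied from the ra output quoted in the thread.
SUSPICIOUS = [
    ("36028797", "1059274779"),   # 5 pkts / 403 bytes in the older radium's file
    ("36028797", "7998674413"),   # 5 pkts / 367 bytes in the older radium's file
    ("72057594", "5476377146"),   # the udp port 123 record
]

if __name__ == "__main__":
    for pkts, nbytes in SUSPICIOUS:
        packets, total_bytes = recover_record(pkts, nbytes)
        print(f"{pkts} {nbytes} -> packets {packets}, bytes {total_bytes}")
```

Because only the leading decimal digits survive the column cut, a printed TotPkts cannot tell apart counters that differ by a factor of ten or that place a single bit in the next byte: 5, 50 and 32768 packets all print as 36028797 under this assumption. That is why comparing against a file written by the older radium, as done earlier in this thread, settles the question where the numbers alone cannot.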