Argus 3.0.2 unable to remember the direction of a connection (resolved by 3.0.3.22)
Cees
celzinga at gmail.com
Wed Feb 9 14:51:59 EST 2011
I can confirm argus-3.0.3.22 fixes the issue.
Thanks for the quick reply, should've checked with the latest dev version...
On Wed, Feb 9, 2011 at 8:39 PM, John Gerth <gerth at graphics.stanford.edu>wrote:
> On 2/9/2011 6:43 AM, Cees wrote:
> >
> > Hello list,
> >
> > I encountered a strange bug in Argus where Argus is unable to remember
> the direction of a connection.
> > At first the direction is correct, but half-way through the session Argus
> 'forgets' the direction.
> >
> > I managed to create a test case, see the attachments.
> >
> > correct.pcap contains a TCP session of 52 packets between 172.16.12.165
> port 1051 and 192.168.234.166 port 8080
> > test-case.pcap contains the same session, but with two additional packets
> on port 1058. In the original PCAP the packets were part of a complete
> > session, but these two packets are enough to confuse Argus.
> >
> This looks like a fixed bug as I get the behavior you want with the latest
> argus-3.0.3.22
>
> --
> John Gerth gerth at graphics.stanford.edu Gates 378 (650) 725-3273
> fax 723-0033
>
> ***********
> argus-3.0.3.22 $ sbin/argus -F /dev/null -r ~/win/test-case.pcap -w - |
> bin/ra -nnr -
> StartTime Flgs Proto SrcAddr Sport Dir
> DstAddr Dport SrcPkts DstPkts TotAppByte State NStrok
> Dur
> 06:55:05.196 e 6 172.16.12.165.1051 ->
> 192.168.234.166.8080 10 10 0 CON
> 1.278
> 06:55:10.283 e 6 192.168.234.166.8080 ?>
> 172.16.12.165.1058 1 0 0 CON
> 0.000
> 06:55:40.595 e 6 192.168.234.166.8080 <?
> 172.16.12.165.1058 0 1 0 CON
> 0.000
> 06:56:03.903 e 6 172.16.12.165.1051 ->
> 192.168.234.166.8080 2 2 0 CON
> 0.275
> 06:56:34.920 e 6 172.16.12.165.1051 ->
> 192.168.234.166.8080 2 2 0 CON
> 0.420
> 06:57:05.963 e r 6 172.16.12.165.1051 ->
> 192.168.234.166.8080 2 2 0 CON
> 0.436
> 06:57:37.007 e 6 172.16.12.165.1051 ->
> 192.168.234.166.8080 2 2 0 CON
> 0.452
> 06:58:08.055 e 6 172.16.12.165.1051 ->
> 192.168.234.166.8080 2 2 0 CON
> 0.244
> 06:58:39.115 e 6 172.16.12.165.1051 ->
> 192.168.234.166.8080 2 2 0 CON
> 0.243
> 06:59:10.154 e 6 172.16.12.165.1051 ->
> 192.168.234.166.8080 2 2 0 CON
> 0.264
> 06:59:41.291 e 6 172.16.12.165.1051 ->
> 192.168.234.166.8080 2 2 0 CON
> 0.296
> 11:35:07.440 man 0. 0
> 23. 1 54 12 9887296 STP 0.000
> argus-3.0.3.22 $ sbin/argus -F /dev/null -r ~/win/correct.pcap -w - |
> bin/ra -nnr -
> StartTime Flgs Proto SrcAddr Sport Dir
> DstAddr Dport SrcPkts DstPkts TotAppByte State NStrok
> Dur
> 06:55:05.196 e 6 172.16.12.165.1051 ->
> 192.168.234.166.8080 10 10 0 CON
> 1.278
> 06:56:03.903 e 6 172.16.12.165.1051 ->
> 192.168.234.166.8080 2 2 0 CON
> 0.275
> 06:56:34.920 e 6 172.16.12.165.1051 ->
> 192.168.234.166.8080 2 2 0 CON
> 0.420
> 06:57:05.963 e r 6 172.16.12.165.1051 ->
> 192.168.234.166.8080 2 2 0 CON
> 0.436
> 06:57:37.007 e 6 172.16.12.165.1051 ->
> 192.168.234.166.8080 2 2 0 CON
> 0.452
> 06:58:08.055 e 6 172.16.12.165.1051 ->
> 192.168.234.166.8080 2 2 0 CON
> 0.244
> 06:58:39.115 e 6 172.16.12.165.1051 ->
> 192.168.234.166.8080 2 2 0 CON
> 0.243
> 06:59:10.154 e 6 172.16.12.165.1051 ->
> 192.168.234.166.8080 2 2 0 CON
> 0.264
> 06:59:41.291 e 6 172.16.12.165.1051 ->
> 192.168.234.166.8080 2 2 0 CON
> 0.296
> 11:35:24.481 man 0. 0
> 30. 1 52 10 9885624 STP 0.000
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20110209/2a82cf72/attachment.html>
More information about the argus
mailing list