A bug and a question

Carter Bullard carter at qosient.com
Fri Feb 11 15:39:39 EST 2011


Hey Rafael,
Yes, that is a bug.  I changed it to this line:

                  dur = ((nslt < tnsst) ? (tnsst - nslt) : ((tnslt < nsst) ? (nsst - tnslt) : 0.0));

Does this work for you?
Carter

On Feb 11, 2011, at 9:49 AM, Rafael Barbosa wrote:

> I managed to make a small patch to racluster() to solve my question. My impression was that racluster was comparing the value "idle" (read from racluster.conf) with the duration of the flow, instead of calculating the flow idle time. This is what I've done:
> 
> --- clients/racluster.c.old	2011-02-11 15:31:31.000000000 +0100
> +++ clients/racluster.c	2011-02-11 15:32:55.000000000 +0100
> @@ -545,7 +545,7 @@
>                    RaSendArgusRecord(tns);
>                    ArgusZeroRecord(tns);
>                 } else {
> -                  dur = ((tnslt > nslt) ? tnslt : nslt) - ((nsst < tnsst) ? nsst : tnsst);
> +                  dur = ((nsst > tnsst) ? nsst : tnsst) - ((tnslt < nslt) ? tnslt : nslt);
>                    if (agg->idleint && (dur >= agg->idleint)) {
>                       RaSendArgusRecord(tns);
>                       ArgusZeroRecord(tns);
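Review bot: the `+` line computes max(nsst, tnsst) - min(tnslt, nslt), which is the gap between the two intervals but goes negative whenever they overlap; the `dur >= agg->idleint` test on the following line is unaffected for a positive idleint, but `dur` then no longer holds a duration, so an explicit two-sided form (`nslt < tnsst ? tnsst - nslt : tnslt < nsst ? nsst - tnslt : 0`) or a clamp to zero would keep it meaningful if it is read after this point. Since the variable keeps the name `dur` while its meaning changes from total span to idle gap, a one-line comment above the assignment saying so would help the next reader.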
> 
> I did not do intensive testing, but now it seems that racluster() is behaving as I expected.
> 
> Regarding the bug, I still don't know why version 3.0.3.19 does not report the start time correctly though.
> 
> Best regards,
> Rafael Barbosa
> http://www.vf.utwente.nl/~barbosarr/
> 
> 
> 
> On Fri, Feb 11, 2011 at 10:50 AM, Rafael Barbosa <rrbarbosa at gmail.com> wrote:
> Hi all,
> 
> First my question: I've been playing around with racluster.conf to get a simple aggregation based on a timeout period. What I want is to generate one flow record (5-tuple) every time a flow is idle (no traffic) for 5 minutes or more. For that I used the following racluster.conf:
> 
> filter="" status=0 idle=300
> 
> In my test file (sample.pcap/sample.argus, attached) I have one single flow between two hosts that spans over almost 50 min. With the conf file above I expected to have only one record, as the flow is never idle for more than 5 min. However I have 10 records as output, never bigger than 300 seconds.
> Is that the expected behavior? If so, how can I generate the output I want with argus?
> 
> 
> Now the bug:
> When using ra() version 3.0.3.19 to read sample.argus, the last record is displayed *without* a start time. ra() version 3.0.2 displays the start time correctly.
> When using clients version 3.0.3.19:
> $ racluster -r sample.argus -w sample.racluster
> $ ra  -r  sample.racluster
> ra[22170]: 10:47:58.899768 ArgusGenerateRecord: time format incorrect:388356
> 
> Again, version 3.0.2 does not have this problem.
> 
> Rafael Barbosa
> http://www.vf.utwente.nl/~barbosarr/
> 
> 
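The behaviour discussed in this thread, as an added illustration that is not argus code: a small Python simulation of racluster's merge loop that plugs in the three candidate expressions for `dur` (the pre-patch span, Rafael's gap, and Carter's two-sided form). Variable names follow the quoted diff (nsst/nslt for the cluster so far, tnsst/tnslt for the incoming status record); the records and the status interval are constructed here and the merge loop is a simplified stand-in for the real one, not a copy of it.

```python
"""Simulate racluster's idle check over a sequence of flow-status records.

Added example, not part of the argus-clients code. A record is a (start, last)
pair in seconds. The cluster keeps (nsst, nslt); each incoming status record
is (tnsst, tnslt). When the chosen dur expression reaches idleint, the cluster
is emitted and restarted, mirroring RaSendArgusRecord/ArgusZeroRecord.
"""


def span_dur(nsst, nslt, tnsst, tnslt):
    # Pre-patch expression: total span, max(last) - min(start).
    return max(tnslt, nslt) - min(nsst, tnsst)


def gap_dur(nsst, nslt, tnsst, tnslt):
    # Patched expression: max(start) - min(last). Negative when the two
    # intervals overlap, zero when they touch, positive when the flow was idle.
    return max(nsst, tnsst) - min(tnslt, nslt)


def clamped_gap_dur(nsst, nslt, tnsst, tnslt):
    # Carter's follow-up form: explicit two-sided test, 0.0 on overlap.
    if nslt < tnsst:
        return tnsst - nslt
    if tnslt < nsst:
        return nsst - tnslt
    return 0.0


def aggregate(records, idleint, dur_fn):
    """Return the emitted aggregate records as a list of (start, last)."""
    out = []
    cur = None
    for tnsst, tnslt in records:
        if cur is None:
            cur = [tnsst, tnslt]
            continue
        nsst, nslt = cur
        dur = dur_fn(nsst, nslt, tnsst, tnslt)
        if idleint and dur >= idleint:
            out.append(tuple(cur))      # flush the cluster so far
            cur = [tnsst, tnslt]        # and start a new one
        else:
            cur = [min(nsst, tnsst), max(nslt, tnslt)]  # merge
    if cur is not None:
        out.append(tuple(cur))
    return out


def status_records(total_seconds, step):
    """Constructed input: one continuous flow reported every `step` seconds."""
    return [(i * step, (i + 1) * step) for i in range(total_seconds // step)]


# Constructed input with a real 400 s silence between two bursts of traffic.
IDLE_SAMPLE = [(0, 10), (10, 20), (20, 30), (430, 440), (440, 450)]


def compare(idleint=300):
    """Run a continuous 600 s flow through all three expressions."""
    flow = status_records(600, 10)
    return {
        "span": aggregate(flow, idleint, span_dur),
        "gap": aggregate(flow, idleint, gap_dur),
        "clamped": aggregate(flow, idleint, clamped_gap_dur),
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:8s} -> {len(result)} record(s): {result}")
    print("idle sample ->", aggregate(IDLE_SAMPLE, 300, gap_dur))
```

With the span expression a continuous flow is cut into pieces no longer than the idle threshold, which is the symptom in the original question; with either gap form a continuous flow yields a single record, and only a genuine silence of at least `idle` seconds splits it. The simulation also shows why the two-sided form is preferable: on overlapping intervals `gap_dur` returns a negative number while `clamped_gap_dur` returns 0.0.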
