A bug and a question

[Carter Bullard]

Hey Rafael,
I uploaded argus-clients-3.0.3.22 last week.  With this version on my Mac OS X 64-bit machine,
I don't see the bug you are seeing.  Could you give the latest a go to see if you still see the
vanishing timestamp problem?

Carter

On Feb 11, 2011, at 4:50 AM, Rafael Barbosa wrote:

> Hi all,
> 
> First my question: I've been playing around with racluster.conf to get a simple aggregation based on a time out period. What I want is to generate one flow record (5-tuple) every time a flow is idle (no traffic) for 5minutes or more. For that I used the following racluster.conf:
> 
> filter="" status=0 idle=300
> 
> In my test file (sample.pcap/sample.argus, attached) I have one single flow between two hosts that spans over almost 50 min. With the conf file above I expected to have only one record, as the flow is never idle for more that 5 min. However I have 10 records as output, never bigger than 300 seconds. 
> Is that the expected behavior? If so, how can I generate the output I want with argus?
> 
> 
> Now the bug:
> When using ra() version 3.0.3.19 to read sample.argus, the last record is displayed *without* a start time. ra() version 3.0.2 displays the start time correctly.
> When using clients version 3.0.3.19:
> $ racluster -r sample.argus -w sample.racluster
> $ ra  -r  sample.racluster
> ra[22170]: 10:47:58.899768 ArgusGenerateRecord: time format incorrect:388356
> 
> Again version 3.0.2, does not have this problem
> 
> Rafael Barbosa
> http://www.vf.utwente.nl/~barbosarr/
> 
> <racluster.conf><sample.argus><sample.pcap>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20110211/93a7b578/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3815 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20110211/93a7b578/attachment.bin>