A bug and a question

Rafael Barbosa rrbarbosa at gmail.com
Mon Feb 14 04:32:03 EST 2011


I confirm that version 3.0.3.22 solves the vanishing timestamp problem in
this test.

Your patch for the idle timestamp seems to be working in all my tests.
However, there is a typo in your code, one extra parenthesis. This is the
correct one:

dur = ((nslt < tnsst) ? (tnsst - nslt) : (tnslt < nsst) ? (nsst - tnslt) : 0.0);



Rafael Barbosa
http://www.vf.utwente.nl/~barbosarr/



On Fri, Feb 11, 2011 at 9:58 PM, Carter Bullard <carter at qosient.com> wrote:

> Hey Rafael,
> I uploaded argus-clients-3.0.3.22 last week.  With this version on my Mac
> OS X 64-bit machine,
> I don't see the bug you are seeing.  Could you give the latest a go to see
> if you still see the
> vanishing timestamp problem?
>
> Carter
>
> On Feb 11, 2011, at 4:50 AM, Rafael Barbosa wrote:
>
> Hi all,
>
> First my question: I've been playing around with racluster.conf to get a
> simple aggregation based on a timeout period. What I want is to generate
> one flow record (5-tuple) every time a flow is idle (no traffic) for
> 5 minutes or more. For that I used the following racluster.conf:
>
> filter="" status=0 idle=300
>
> In my test file (sample.pcap/sample.argus, attached) I have one single flow
> between two hosts that spans almost 50 min. With the conf file above I
> expected to have only one record, as the flow is never idle for more than 5
> min. However, I have 10 records as output, never bigger than 300 seconds.
> Is that the expected behavior? If so, how can I generate the output I want
> with argus?
>
>
> Now the bug:
> When using ra() version 3.0.3.19 to read sample.argus, the last record is
> displayed *without* a start time. ra() version 3.0.2 displays the start time
> correctly.
> When using clients version 3.0.3.19:
> $ racluster -r sample.argus -w sample.racluster
> $ ra  -r  sample.racluster
> ra[22170]: 10:47:58.899768 ArgusGenerateRecord: time format incorrect:388356
>
> Again, version 3.0.2 does not have this problem.
>
> Rafael Barbosa
> http://www.vf.utwente.nl/~barbosarr/
>
>  <racluster.conf><sample.argus><sample.pcap>
>
>
>
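The idle-gap expression and the idle-timeout aggregation discussed in this thread, as an added example that is not argus code and is not from either poster. The variable names nsst, nslt, tnsst and tnslt come from the posted expression; `struct rec`, `merge_idle`, `demo` and the sample records are hypothetical and constructed here.

```c
#include <stddef.h>

/* Hypothetical flow record: start and last-packet times, in seconds. */
struct rec { double st, lt; };

/* Idle gap between two records, using the expression from the message.
 * Returns 0.0 when the two time ranges overlap. */
static double idle_gap(const struct rec *a, const struct rec *b)
{
    double nsst = a->st, nslt = a->lt, tnsst = b->st, tnslt = b->lt;
    return ((nslt < tnsst) ? (tnsst - nslt) : (tnslt < nsst) ? (nsst - tnslt) : 0.0);
}

/* Merge time-ordered records of one 5-tuple in place. A record is folded into
 * the current merged record while the gap is below `idle` seconds; a gap of
 * `idle` or more starts a new output record. Returns the output count. */
size_t merge_idle(struct rec *r, size_t n, double idle)
{
    size_t out = 0;
    if (n == 0)
        return 0;
    for (size_t i = 1; i < n; i++) {
        if (idle_gap(&r[out], &r[i]) < idle) {
            if (r[i].st < r[out].st) r[out].st = r[i].st;
            if (r[i].lt > r[out].lt) r[out].lt = r[i].lt;
        } else {
            r[++out] = r[i];
        }
    }
    return out + 1;
}

/* Constructed sample: ten records of at most 300 s with 5 s gaps (about
 * 50 min in total), then one record after a 400 s silence. */
size_t demo(double idle, struct rec *first)
{
    struct rec r[11];
    for (int i = 0; i < 10; i++) {
        r[i].st = 300.0 * i;
        r[i].lt = 300.0 * i + 295.0;
    }
    r[10].st = 3395.0;
    r[10].lt = 3500.0;
    size_t n = merge_idle(r, 11, idle);
    *first = r[0];   /* first merged record, for inspection */
    return n;
}
```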