A bug and a question

Carter Bullard carter at qosient.com
Mon Feb 14 08:16:28 EST 2011 

Hey Rafael,
Cool, and sorry for the typo.  I'll add it to the baseline today.
Carter

On Feb 14, 2011, at 4:32 AM, Rafael Barbosa wrote:

> I confirm that version 3.0.3.22 solves the vanishing timestamp problem in this test.
> 
> Your patch for the idle timestamp seems to be working in all my tests. However there is a typo on your code, one extra parenthesis. This is the correct one:
> 
> dur = ((nslt < tnsst) ? (tnsst - nslt) : (tnslt < nsst) ? (nsst - tnslt) : 0.0);
> 
> 
> Rafael Barbosa
> http://www.vf.utwente.nl/~barbosarr/
> 
> 
> 
> On Fri, Feb 11, 2011 at 9:58 PM, Carter Bullard <carter at qosient.com> wrote:
> Hey Rafael,
> I uploaded argus-clients-3.0.3.22 last week.  With this version on my Mac OS X 64-bit machine,
> I don't see the bug you are seeing.  Could you give the latest a go to see if you still see the
> vanishing timestamp problem?
> 
> Carter
> 
> On Feb 11, 2011, at 4:50 AM, Rafael Barbosa wrote:
> 
>> Hi all,
>> 
>> First my question: I've been playing around with racluster.conf to get a simple aggregation based on a time out period. What I want is to generate one flow record (5-tuple) every time a flow is idle (no traffic) for 5minutes or more. For that I used the following racluster.conf:
>> 
>> filter="" status=0 idle=300
>> 
>> In my test file (sample.pcap/sample.argus, attached) I have one single flow between two hosts that spans over almost 50 min. With the conf file above I expected to have only one record, as the flow is never idle for more that 5 min. However I have 10 records as output, never bigger than 300 seconds. 
>> Is that the expected behavior? If so, how can I generate the output I want with argus?
>> 
>> 
>> Now the bug:
>> When using ra() version 3.0.3.19 to read sample.argus, the last record is displayed *without* a start time. ra() version 3.0.2 displays the start time correctly.
>> When using clients version 3.0.3.19:
>> $ racluster -r sample.argus -w sample.racluster
>> $ ra  -r  sample.racluster
>> ra[22170]: 10:47:58.899768 ArgusGenerateRecord: time format incorrect:388356
>> 
>> Again version 3.0.2, does not have this problem
>> 
>> Rafael Barbosa
>> http://www.vf.utwente.nl/~barbosarr/
>> 
>> <racluster.conf><sample.argus><sample.pcap>
> 
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20110214/7bd5acb4/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3815 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20110214/7bd5acb4/attachment.bin>

More information about the argus mailing list