Bug - rastrip modifies nonexisting vlan/mpls/jitter data

elof2 at sentor.se elof2 at sentor.se
Tue Mar 29 11:06:54 EDT 2011


I have an argus logfile which contains 25000 lines. It was collected from a 
NIC where there is no VLAN tagged traffic.

'ra -r argus.log - vlan' matches nothing.

Now I run 'rastrip -M -vlan -r argus.log -w stripped.log'.
I think argus.log and stripped.log should be identical, but they are not.

At 67 random places within those 25000 lines there are differences even 
though there were no VLAN tags (and no "man" lines either).

When analyzing the differences all that seem to have been changed is the 
"lasttime" field.

Example:
Details from one of the 67 lines from argus.log:
stime:  12:07:46.704057
ltime:  12:07:50.584551
flgs:    M 
proto:  tcp
saddr:  8.2.1.8
sport:  63161
dir:    <?>
daddr:  2.1.2.1
dport:  42275
spkts:  2
dpkts:  1
sbytes: 167
dbytes: 66
state:  PA_A
sttl:   118
dttl:   63
smac:   0:b0:c2:38:18:0
dmac:   0:4:23:45:a4:94
suser:  s[35]=...i.d......r...L.2.P.v..j5....65.c
duser:

The same details from stripped.log look identical except for:
ltime:  12:07:50.586112

The other 66 differences all diff on the ltime field.

...all other >24000 lines are identical.

The filesizes of argus.log and stripped.log are strange! stripped.log is a 
little bit bigger than the original.

argus.log:   7 369 564 bytes
stripped.log 7 599 048 bytes



The sniffed traffic contains no mpls tags either. I now try running
'rastrip -M -mpls -r argus.log -w stripped.log' and get the identical 
result:
argus.log:   7 369 564 bytes
stripped.log 7 599 048 bytes
67 differences on the same ltime fields on the same lines.


The argus.log file contains no jitter information.
I run 'rastrip -M -jitter -r argus.log -w stripped.log'
The same result as above:
argus.log:   7 369 564 bytes
stripped.log 7 599 048 bytes
67 differences on the same ltime fields on the same lines.



As in the previous emails I sent, this is using rastrip Version 3.0.4.1 on 
FreeBSD 7.4 AMD64.

Note, the 25000 lines of data in argus.log are captured using argus 
3.0.2, not 3.0.4.

/Elof
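The comparison described in the report above (run the stripping tool, then check that every field other than the ones you asked to strip is unchanged) can be automated. The following is an added example, not code from the post or from the argus project: it parses records in the "field: value" block layout shown in the report, pairs them positionally, and lists which fields changed, so an unexpected change to a field like ltime is flagged rather than found by eye. The two record sets and the `allowed_changes` parameter are constructed assumptions for illustration.

```python
"""Field-by-field comparison of two sets of flow records (added example)."""
from collections import Counter
from typing import Dict, Iterable, List, Tuple

Record = Dict[str, str]
Diff = Tuple[int, str, str, str]  # (record index, field, original, stripped)

# Constructed sample: two records as they might be printed from the original
# file, in the "field:  value" layout shown in the report.
ORIGINAL_TEXT = """\
stime:  12:07:46.704057
ltime:  12:07:50.584551
flgs:    M
proto:  tcp
saddr:  8.2.1.8
sport:  63161
daddr:  2.1.2.1
dport:  42275
spkts:  2
dpkts:  1
duser:

stime:  12:08:01.000000
ltime:  12:08:02.000000
flgs:    M
proto:  udp
saddr:  8.2.1.9
sport:  53
daddr:  2.1.2.1
dport:  40000
spkts:  1
dpkts:  1
duser:
"""

# Constructed sample: the same records after stripping; only ltime of the
# first record differs, mirroring the symptom in the report.
STRIPPED_TEXT = ORIGINAL_TEXT.replace("12:07:50.584551", "12:07:50.586112")


def parse_records(text: str) -> List[Record]:
    """Split text into blank-line-separated records of 'field: value' lines."""
    records: List[Record] = []
    current: Record = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:  # blank line ends a record
            if current:
                records.append(current)
                current = {}
            continue
        field, _, value = line.partition(":")
        current[field.strip()] = value.strip()  # empty values (duser:) are kept
    if current:
        records.append(current)
    return records


def diff_records(original: List[Record], stripped: List[Record]) -> List[Diff]:
    """Return every field whose value differs between positionally paired records.

    A field present in one record but absent from the other is reported with
    an empty string for the missing side, so silently dropped or added fields
    are visible too. A record-count mismatch is an error rather than a diff.
    """
    if len(original) != len(stripped):
        raise ValueError(f"record count differs: {len(original)} vs {len(stripped)}")
    diffs: List[Diff] = []
    for idx, (a, b) in enumerate(zip(original, stripped)):
        for field in sorted(set(a) | set(b)):
            va, vb = a.get(field, ""), b.get(field, "")
            if va != vb:
                diffs.append((idx, field, va, vb))
    return diffs


def unexpected_changes(diffs: Iterable[Diff], allowed_changes: Iterable[str]) -> List[Diff]:
    """Filter out the fields a strip run is expected to alter (caller-supplied);
    anything left is a change the tool should not have made."""
    allowed = set(allowed_changes)
    return [d for d in diffs if d[1] not in allowed]


def changed_field_counts(diffs: Iterable[Diff]) -> Counter:
    """How many records changed per field; handy for the 'N differences' summary."""
    return Counter(field for _, field, _, _ in diffs)


if __name__ == "__main__":
    orig = parse_records(ORIGINAL_TEXT)
    strp = parse_records(STRIPPED_TEXT)
    found = diff_records(orig, strp)
    # Hypothetical: the strip run was asked to remove a field named "vlan",
    # so a change to "vlan" would be expected and everything else would not.
    for idx, field, va, vb in unexpected_changes(found, ["vlan"]):
        print(f"record {idx}: {field} changed {va!r} -> {vb!r}")
    print(dict(changed_field_counts(found)))
```

Running the block against real output means feeding it text printed in the same "field: value" layout for both files; records are paired by position, so it assumes the stripping tool neither reorders nor drops records (a count mismatch is raised as an error for that reason).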


