Bug - rastrip modifies nonexisting vlan/mpls/jitter data

Carter Bullard carter at qosient.com
Tue Mar 29 11:14:16 EDT 2011 

/Elof,
If you could send the original data file, I can debug tonight.  FTP to qosient.com/incoming.  I'll keep it private.

I've fixed most of the bugs you've reported in transit this morning, so keep the reports coming!

Carter

On Mar 29, 2011, at 11:06 AM, elof2 at sentor.se wrote:

> 
> I have an argus logfile which contain 25000 lines. It was collected from a NIC where there are no VLAN tagged traffic.
> 
> 'ra -r argus.log - vlan' match nothing.
> 
> Now I run 'rastrip -M -vlan -r argus.log -w stripped.log'.
> I think argus.log and stripped.log should be identical, but they are not.
> 
> At 67 random places within those 25000 lines there are differences even though there were no VLAN tags (and no "man" lines either).
> 
> When analyzing the differences all that seem to have been changed is the "lasttime" field.
> 
> Example:
> Details from one of the 67 lines from argus.log:
> stime:  12:07:46.704057
> ltime:  12:07:50.584551
> flgs:    M proto:  tcp
> saddr:  8.2.1.8
> sport:  63161
> dir:    <?>
> daddr:  2.1.2.1
> dport:  42275
> spkts:  2
> dpkts:  1
> sbytes: 167
> dbytes: 66
> state:  PA_A
> sttl:   118
> dttl:   63
> smac:   0:b0:c2:38:18:0
> dmac:   0:4:23:45:a4:94
> suser:  s[35]=...i.d......r...L.2.P.v..j5....65.c
> duser:
> 
> The same details from stripped.log look identical except for:
> ltime:  12:07:50.586112
> 
> The other 66 differences all diff on the ltime field.
> 
> ...all other >24000 lines are identical.
> 
> The filesizes of argus.log and stripped.log are strange! Stripped.log is a little bit bigger than the original.
> 
> argus.log:   7 369 564 bytes
> stripped.log 7 599 048 bytes
> 
> 
> 
> The sniffed traffic contain no mpls tags either. I now try running
> 'rastrip -M -mpls -r argus.log -w stripped.log' and get the identical result:
> argus.log:   7 369 564 bytes
> stripped.log 7 599 048 bytes
> 67 differences on the same ltime fiels on the same lines.
> 
> 
> The argus.log file contain no jitter information.
> I run 'rastrip -M -jitter -r argus.log -w stripped.log'
> The same result as above:
> argus.log:   7 369 564 bytes
> stripped.log 7 599 048 bytes
> 67 differences on the same ltime fiels on the same lines.
> 
> 
> 
> As in the previous emails I sent, this is using rastrip Version 3.0.4.1 on FreeBSD 7.4 AMD64.
> 
> Note, the 25000 lines of data in argus.log are captured using argus 3.0.2, not 3.0.4.
> 
> /Elof
>

More information about the argus mailing list