rabins bug?
Jesper Skou Jensen
jesper.skou.jensen at uni-c.dk
Wed Feb 15 08:11:11 EST 2012
Hi guys,
I'm playing a bit with rabins and ragraph and I've run into a small
problem, maybe a bug?
I'm using argus clients Version 3.0.5.30 (also tried 3.0.5.14 with the
same result).
The source Argus logfiles are 24 hours log, split into 15 minute .gz files.
Here's the problem:
***
rabins -r /arguslogs/2012-02/14/*.gz -t c2012/02/14 -m proto dport -M hard time 30s -w 2012-02-14.rabins - 'net 10.0.0.0/24 and ((tcp and syn and synack) or udp)'
racluster -r 2012-02-14.rabins -w- - not frag |rasort -m pkts -w-|ra -N 100 -s dport -n -L -1 > top100ports.txt
ragraph bytes dport -M time 30s -r 2012-02-14.rabins -w 2012-02-14.rabins.rabins.top100ports_bytes.graph.png - port \(`sed -e "2,\\$s/^/or /" top100ports.txt` \)
***
Depending on the time period of the source argus files, I sometimes get
repeating lines in the top100ports.txt file, and I've investigated that
a bit further.
racluster -r 2012-02-14.rabins -n - not frag and src port not 0
This actually produces a handful of sessions/flows. This seems like a bug?
Shouldn't the "rabins ... dport" prevent exactly this?
--
Regards
Jesper Skou Jensen
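A small checker for the symptom described above, added here as an example and not code from the poster or from the argus project: it reads the dport list that `ra -N 100 -s dport -n -L -1` writes to top100ports.txt (assumed to be one numeric port per line), reports any port that repeats, and builds the same `port ( A or B ... )` filter the sed expression produces, with the duplicates dropped. The sample input is constructed.

```python
from collections import Counter

# Constructed sample of top100ports.txt contents: one destination port
# per line, as `ra -s dport -n -L -1` is assumed to print it. Port 53
# appears twice to mimic the repeated lines reported in the post.
SAMPLE_TOP100 = """\
443
80
53
123
53
22
"""


def parse_dports(text):
    """Return the dport column as a list of strings, skipping blank lines."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def duplicate_dports(ports):
    """Map each port that occurs more than once to its occurrence count.

    A non-empty result means the racluster/rasort stage handed ra more
    than one record per dport, which is what the post is asking about."""
    return {p: n for p, n in Counter(ports).items() if n > 1}


def port_filter(ports):
    """Build the ragraph filter that `sed -e "2,\\$s/^/or /"` produces
    from top100ports.txt, i.e. 'port ( A or B or C )', but keep only the
    first occurrence of each port so repeated lines do not bloat the
    filter expression."""
    seen = []
    for p in ports:
        if p not in seen:
            seen.append(p)
    return "port ( " + " or ".join(seen) + " )"


if __name__ == "__main__":
    ports = parse_dports(SAMPLE_TOP100)
    dups = duplicate_dports(ports)
    if dups:
        print("repeated dport values in top100ports.txt:", dups)
    print(port_filter(ports))
```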