Proto 0 not displaying in ra
Carter Bullard
carter at qosient.com
Mon Jun 24 10:57:41 EDT 2013
Hey Jesse, David,
The proto 0 should be an argus artifact, an internal protocol
number so that we can process L2 and L3 protocol numbers
in the same code set, so you shouldn't see that.
Zero should be illegal for L2 and L3. We make a distinction
between IPv6 options and the next header protocol number.
Very curious that IANA doesn't make that distinction. That
seems like an error.
David is right, with an " - ip " filter, does it go away?
Got some data you can share that generates the error, so I
can check it out?
Carter
On Jun 20, 2013, at 8:49 PM, "David Edelman" <dedelman at iname.com> wrote:
> Jesse,
>
> I’m not sure that your filter expression is valid. If you are looking for any of the IP-related protocols then this does work on 3.0.7.10. When I use a filter of - proto 0 it does not provide any records.
>
> racount -M proto -M addr -r * - ip
> racount records total_pkts src_pkts dst_pkts total_bytes src_bytes dst_bytes
> sum 2896 13853 7739 6114 4833073 1107119 3725954
> Protocol Summary
> icmp 95 296 296 0 40960 40960 0
> igmp 354 354 354 0 22656 22656 0
> tcp 1172 10855 5375 5480 3983163 443295 3539868
> udp 1252 2291 1657 634 775907 589821 186086
> ipv6 12 24 24 0 2064 2064 0
> udp 3 4 4 0 1914 1914 0
> udp 7 29 29 0 6409 6409 0
> Address Summary
> IPv4 Unicast src 1 dst 45
> IPv4 Unicast This Network src 1 dst 1
> IPv4 Unicast Private src 18 dst 8
> IPv4 Unicast Reserved src 1 dst 24
> IPv4 Multicast Local src 0 dst 4
> IPv4 Multicast Internet src 0 dst 2
> IPv4 Multicast Reserved src 0 dst 1
> IPv4 Multicast SiteLocal src 0 dst 1
> IPv6 LinkLocal src 10 dst 0
> IPv6 Multicast Link Local src 0 dst 10
>
> From: argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu [mailto:argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu] On Behalf Of Jesse Bowling
> Sent: Thursday, June 20, 2013 2:53 PM
> To: argus-info
> Subject: [ARGUS] Proto 0 not displaying in ra
>
> Hi,
>
> So I started with an racount:
>
> # racount -M proto -M addr -r 6-18-13.argus
> <snip>
> racount records total_pkts src_pkts dst_pkts total_bytes src_bytes dst_bytes
> 0 1148 6377 6377 0 2710225 2710225 0
> </snip>
>
> I found that interesting so I wanted to look at the original records:
>
> # ra -r 6-18-13.argus - proto 0
> #
>
> I'm using 3.0.7.9, and this appears to be a bug... Let me know if I can help debug...
>
> Cheers,
>
> Jesse
> --
> Jesse Bowling
>
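
The distinction raised in this thread between IPv6 option headers and the upper-layer protocol number can be shown with a short parser. This is an added example, not part of the original messages and not Argus code: IANA assigns protocol number 0 to HOPOPT (IPv6 Hop-by-Hop Options), so a packet's first Next Header field can be 0 while the protocol a flow record should report is found further down the chain. The function names and the sample packets are constructed for illustration.

```python
import struct

# IANA protocol numbers that name IPv6 extension headers rather than an
# upper-layer protocol. 0 is HOPOPT (Hop-by-Hop Options).
EXT_HEADERS = {0: "hopopt", 43: "routing", 44: "fragment", 60: "dstopts"}
FIXED_LEN = 40  # size of the IPv6 fixed header


def upper_layer_proto(packet: bytes):
    """Walk the extension-header chain; return (ext_header_names, proto)."""
    if len(packet) < FIXED_LEN or packet[0] >> 4 != 6:
        raise ValueError("not a complete IPv6 fixed header")
    next_hdr, offset, seen = packet[6], FIXED_LEN, []
    while next_hdr in EXT_HEADERS:
        if len(packet) < offset + 8:
            raise ValueError("truncated extension header")
        # The Fragment header is always 8 octets; the others carry Hdr Ext Len
        # in 8-octet units, not counting the first 8 octets.
        length = 8 if next_hdr == 44 else (packet[offset + 1] + 1) * 8
        if len(packet) < offset + length:
            raise ValueError("truncated extension header")
        seen.append(EXT_HEADERS[next_hdr])
        next_hdr = packet[offset]  # each extension header starts with Next Header
        offset += length
    return seen, next_hdr


def build_ipv6(next_hdr: int, payload: bytes) -> bytes:
    """Constructed sample packet: fe80::1 -> ff02::16, hop limit 1."""
    src = bytes.fromhex("fe80" + "00" * 13 + "01")
    dst = bytes.fromhex("ff02" + "00" * 13 + "16")
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), next_hdr, 1)
    return fixed + src + dst + payload


# Constructed inputs (not taken from the capture discussed in the thread).
HOPOPT = bytes([58, 0, 5, 2, 0, 0, 1, 0])  # next=ICMPv6, Router Alert, PadN
ICMP6 = bytes([143, 0, 0, 0, 0, 0, 0, 0])  # placeholder ICMPv6 bytes
WITH_OPTIONS = build_ipv6(0, HOPOPT + ICMP6)
PLAIN_TCP = build_ipv6(6, bytes(20))

if __name__ == "__main__":
    for name, pkt in (("with_options", WITH_OPTIONS), ("plain_tcp", PLAIN_TCP)):
        print(name, "first next-header:", pkt[6], "->", upper_layer_proto(pkt))
```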