rastream 3.0.7.8, no suser duser

Carter Bullard carter at qosient.com
Tue May 14 22:23:37 EDT 2013 

Hey Matt,
Try this included version of radump.c.  It should fix your bug.
Copy this into ./examples/radump, and recompile.

   % cp radump.c /path/to/your/clients/root/examples/radump
   % cd  /path/to/your/clients/root/examples/radump
   % make
   % ../../bin/radump -r argus.files -s suser

Carter 


Here is the patch, to see the changes.  Not many.....

osiris:radump carter$ p4 diff ...
==== //depot/argus/clients/examples/radump/radump.c#6 - /Users/carter/argus/clients/examples/radump/radump.c ====
298a299,301
>    if ((user = (struct ArgusDataStruct *)argus->dsrs[ind]) == NULL)
>       return (ArgusBuf);
> 
308d310
<    if ((user = (struct ArgusDataStruct *)argus->dsrs[ind]) != NULL) {
314c316
<    }
---
> 

Carter 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: radump.c
Type: application/octet-stream
Size: 23001 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20130514/0c329e32/attachment.obj>
-------------- next part --------------


On May 14, 2013, at 12:09 PM, Carter Bullard <carter at qosient.com> wrote:

> Hey Matt,
> If your radump() is having problems, send me a small file that has the records
> that it dumps on, so I can fix it.  Please send the command line options you're
> using, so I can replicate the bug.
> 
> radump() will try to decode the contents of the user data buffers, like tcpdump()
> decodes packet data, so you can figure out what protocols are running on a
> give flow.  We support a good number of protocol decodes, but not all of them,
> so you maybe pushing an unknown protocol through radump() or you're not
> capturing enough data to fully process a specific header type.
> 
> Not sure what radump() will do if there isn't user data to decode… It should be
> fine……..
> 
> Most people will just printout the contents using ra(), which will simply print
> the contents out in ascii.  Most are looking for URL's, DNS names, etc…
> which are in ascii.
> 
> Carter
> 
> On May 14, 2013, at 12:00 PM, Matt Brown <matthewbrown at gmail.com> wrote:
> 
>> Thanks Dave.
>> 
>> I found a thread where carter suggested using radump to see suser and
>> duser.  I can see some ARP contents, but radump quickly segfaults. Why
>> is this?
>> 
>> I'm guessing rastream saves some amount of these fields by default?
>> 
>> I can not see these field contents with ra or racluster.  Does this make sense?
>> 
>> 
>> Thanks for the reply,
>> 
>> Matt
>> 
>> 
>> On May 14, 2013, at 11:51 AM, Dave Edelman <dedelman at iname.com> wrote:
>> 
>>> You need to tell argus to collect that data with the -U nnn option where nnn
>>> is the number of bytes of user data you want to keep for each flow.
>>> 
>>> --Dave
>>> 
>>>> -----Original Message-----
>>>> From: argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu
>>>> [mailto:argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu]
>>>> On Behalf Of Matt Brown
>>>> Sent: Tuesday, May 14, 2013 10:51 AM
>>>> To: argus-info at lists.andrew.cmu.edu
>>>> Subject: [ARGUS] rastream 3.0.7.8, no suser duser
>>>> 
>>>> Hello all/Carter,
>>>> 
>>>> I am using rastream to write argus data to files.
>>>> 
>>>> When I query these files using ra or racluster, suser and duser are
>>>> not returning any data.
>>>> 
>>>> I'm guessing it isn't being written by rastream which has been started
>>>> as follows:
>>>> 
>>>> rastream -S 127.0.0.1:561 -B 15s -M time 1h -w
>>>> /var/opt/argus/%Y-%m-%d/argus_%T -f /usr/local/bin/rastream.sh
>>>> 
>>>> How do I use rastream to record N bytes of suser and duser?
>>>> 
>>>> 
>>>> Thanks,
>>>> 
>>>> Matt
>>> 
>> 
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6837 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20130514/0c329e32/attachment.bin>

More information about the argus mailing list