argus timestamps corrupt

Carter Bullard carter at qosient.com
Thu Oct 3 14:43:13 EDT 2013 

Hey Torbjörn,
Can you give this simple patch a try ???
There are a number of bugs that I've found that I'll have fixes for
later today, but I'd like to know if this helps a bit.

These NetflowV9 records have some data elements that we're not
importing, such as NF_F_EVENT_TIME_MSEC.  So I'll get these
imported, and we'll see if we can't make the V9 support better.

Carter



thoth:common carter$ diff -c argus_import.c argus_import.c.new
*** argus_import.c	Thu Oct  3 14:36:48 2013
--- argus_import.c.new	Thu Oct  3 14:36:45 2013
***************
*** 1464,1471 ****
                       if (!(dsrindex & (1 << ARGUS_TIME_INDEX))) {
                          struct ArgusTimeObject *time = &canon.time;
                          time->src.start.tv_sec  += ArgusCiscoTvp->tv_sec;
- 
-                         time->src.start.tv_sec  += ArgusCiscoTvp->tv_sec;
                          time->src.start.tv_usec  = ((long)(ArgusSysUptime)%1000) * 1000;
   
                          if (time->src.start.tv_usec >= 1000000) {
--- 1464,1469 ----


Carter



On Sep 27, 2013, at 10:21 AM, Carter Bullard <carter at qosient.com> wrote:

> Hey Torbjörn,
> All timestamps corrupt ??   V9 or V5 ??  If V9, could be a template parsing problem.  Can you capture some packets where ra* corrupts, so I can reproduce ???  Need the templates as well, if V9.  
> 
> Carter
> 
>> On Sep 27, 2013, at 6:13 AM, Torbjorn.Wictorin at its.uu.se wrote:
>> 
>> hello,
>> 
>> I am running radium (3.0.7.16) to in order to collect netflow records.
>> Timestamps are corrupt, a lot of  1970-01-01 01:00:00 but some others 
>> also.
>> 
>> Also, I have tried with nfdump/nfsen and this gives reasonable timestamps,
>> so I do not think the routers are out-of-order.
>> 
>> If I remember correctly it was some problems with the argus daemon som 
>> years ago that was fixed with '-s ...', but radium is not libpcap, so
>> it cant be that, but maybe some other buffer thing?
>> 
>> 
>> Any ideas?
>> 
>> Torbjörn Wictorin,
>> Uppsala university
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6837 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20131003/9f6758e6/attachment.bin>

More information about the argus mailing list