ICMP records of an unusual size

Carter Bullard carter at qosient.com
Sat Mar 29 14:51:07 EDT 2014


Hey Jesse,
What was the duration of these flows? If zero, we had a bug a while back where splitting records used an uninitialized chunk of memory.
If the duration is zero (only one packet), I'm thinking this may be the result of that bug?

Carter



> On Mar 29, 2014, at 1:12 PM, Jesse Bowling <jessebowling at gmail.com> wrote:
> 
> I noticed a few odd records in our argus data the other day, and I'm a bit stumped as to how they might have gotten there...I see these:
> 
>                      StartTime                 LastTime  Proto  Sport   Dir  Dport              TotPkts             TotBytes 
>       03/25/14 11:09:49.473637 03/25/14 11:09:49.501733      1 0x0303   <-  0x60ea     2182690890685501     2495973268128260
>       03/25/14 11:11:26.413780 03/25/14 11:11:26.445918      1 0x0303   <-  0x68ea     1910394259086494     1915658761929220
>       03/25/14 11:11:26.427968 03/25/14 11:11:26.434707      1 0x0303   <-  0x6aea     2019091291413663      612496964846084
>       03/25/14 11:12:46.878386 03/25/14 11:12:46.890172      1 0x0303   <-  0x76ea     3837314156567791      167070201545220
> 
> These records all had the same source and destination address. Does anyone have a theory? My guess is either corruption of the data (seems unlikely in this case) or perhaps something had issue parsing these particular records (racluster, rasplit)?
> 
> Any suggestions from the list on how I might figure out more about these records or how they might have been generated?
> 
> Cheers,
> 
> Jesse
> -- 
> Jesse Bowling
> 
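A sanity check that catches records like the four above (added example, not part of this thread or of the argus tools): it parses `ra`-style output lines and flags any flow whose counters cannot be real, using two tests that do not depend on knowing where the bug lives. The bytes-per-packet ratio must be at least an IPv4 header (20 bytes) and at most one maximum datagram, and the packet rate over the flow's duration must stay below a ceiling that no single link could exceed. The bounds are assumptions chosen for this example, and the fifth, well-formed ICMP record is constructed to show a row that passes.

```python
from datetime import datetime

# Plausibility bounds: assumptions for this example, not argus settings.
MIN_BYTES_PER_PKT = 20        # an IPv4 packet cannot be smaller than its header
MAX_BYTES_PER_PKT = 65535     # largest possible IPv4 datagram
MAX_PKTS_PER_SEC = 1e9        # far above any single link; higher is counter garbage

TS_FORMAT = "%m/%d/%y %H:%M:%S.%f"   # the StartTime/LastTime layout shown in the post


def parse_ra_line(line):
    """Parse one data row of the ra output above; return None for headers/blank lines."""
    tokens = line.split()
    if len(tokens) != 10:            # header row has 8 tokens, data rows have 10
        return None
    start = datetime.strptime(f"{tokens[0]} {tokens[1]}", TS_FORMAT)
    last = datetime.strptime(f"{tokens[2]} {tokens[3]}", TS_FORMAT)
    return {
        "start": start,
        "last": last,
        "dur": (last - start).total_seconds(),
        "proto": int(tokens[4]),
        "sport": tokens[5],
        "dir": tokens[6],
        "dport": tokens[7],
        "pkts": int(tokens[8]),
        "bytes": int(tokens[9]),
    }


def implausibility_reasons(rec):
    """Return a list of reasons the record's counters cannot be genuine (empty if plausible)."""
    reasons = []
    pkts, nbytes, dur = rec["pkts"], rec["bytes"], rec["dur"]
    if pkts <= 0 or nbytes <= 0:
        reasons.append("zero or negative counter")
        return reasons
    bpp = nbytes / pkts
    if bpp < MIN_BYTES_PER_PKT:
        reasons.append(f"bytes/pkt {bpp:.3f} below IPv4 header size")
    elif bpp > MAX_BYTES_PER_PKT:
        reasons.append(f"bytes/pkt {bpp:.0f} above max IPv4 datagram")
    # A zero duration means a single packet's timestamps; treat it as 1 us so the rate is finite.
    pps = pkts / max(dur, 1e-6)
    if pps > MAX_PKTS_PER_SEC:
        reasons.append(f"{pps:.3g} pkts/s exceeds any link rate")
    return reasons


def audit(lines):
    """Return [(record, reasons)] for every parseable line that fails a plausibility test."""
    flagged = []
    for line in lines:
        rec = parse_ra_line(line)
        if rec is None:
            continue
        reasons = implausibility_reasons(rec)
        if reasons:
            flagged.append((rec, reasons))
    return flagged


# The four records from the post, plus one constructed, well-formed ICMP echo flow
# (10 packets of 98 bytes over one second) that should pass.
SAMPLE = """\
                     StartTime                 LastTime  Proto  Sport   Dir  Dport              TotPkts             TotBytes
      03/25/14 11:09:49.473637 03/25/14 11:09:49.501733      1 0x0303   <-  0x60ea     2182690890685501     2495973268128260
      03/25/14 11:11:26.413780 03/25/14 11:11:26.445918      1 0x0303   <-  0x68ea     1910394259086494     1915658761929220
      03/25/14 11:11:26.427968 03/25/14 11:11:26.434707      1 0x0303   <-  0x6aea     2019091291413663      612496964846084
      03/25/14 11:12:46.878386 03/25/14 11:12:46.890172      1 0x0303   <-  0x76ea     3837314156567791      167070201545220
      03/25/14 11:10:00.000000 03/25/14 11:10:01.000000      1 0x0800   ->  0x0000                   10                  980
"""

if __name__ == "__main__":
    for rec, reasons in audit(SAMPLE.splitlines()):
        print(rec["start"], rec["sport"], rec["dir"], rec["dport"], "->", "; ".join(reasons))
```

All four records from the post fail the bytes-per-packet test (the ratio is between 0.04 and 1.2 bytes per packet), and each would also need tens of thousands of terapackets per second to fit its duration, so either test alone is enough to quarantine them before they reach racluster or rasplit. Running the check over a day's archive and correlating hits with zero-duration flows is a direct way to confirm or rule out the record-splitting bug Carter describes.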