ICMP records of an unusual size

Jesse Bowling jessebowling at gmail.com
Sat Mar 29 20:44:16 EDT 2014


I have some flows with duration zero, but they don't seem to match up with
the R.U.S:
                     StartTime  Proto  Sport   Dir  Dport           TotPkts          TotBytes       Dur
      03/25/14 11:09:49.460105      1 0x0303   <-> 0x62ea                 2                61  0.069073
      03/25/14 11:09:49.473637      1 0x0303   <-  0x60ea  2182690890685501  2495973268128260  0.028096
      03/25/14 11:11:26.413780      1 0x0303   <-  0x68ea  1910394259086494  1915658761929220  0.032138
      03/25/14 11:11:26.427968      1 0x0303   <-  0x6aea  2019091291413663   612496964846084  0.006739
      03/25/14 11:11:52.824234      1 0x0303    -> 0x72ea                 1                70  0.000000
      03/25/14 11:11:52.832111      1 0x0303    -> 0x70ea                 1                70  0.000000
      03/25/14 11:12:46.868043      1 0x0303    -> 0x78ea              1280             34305  0.010306
      03/25/14 11:12:46.878386      1 0x0303   <-  0x76ea  3837314156567791   167070201545220  0.011786
      03/25/14 11:13:02.693644      1 0x0303    -> 0x62ea                 1                70  0.000000
      03/25/14 11:13:02.693721      1 0x0303    -> 0x64ea                 1                70  0.000000


Cheers,

Jesse


On Sat, Mar 29, 2014 at 2:51 PM, Carter Bullard <carter at qosient.com> wrote:

> Hey Jesse,
> What was the duration of these flows ??  If zero, we had a bug a while
> back where splitting records used an uninitialized chunk of memory.
> If the duration is zero (only one packet) I'm thinking this may be the
> result of that bug  ??
>
> Carter
>
>
>
> > On Mar 29, 2014, at 1:12 PM, Jesse Bowling <jessebowling at gmail.com> wrote:
> >
> > I noticed a few odd records in our argus data the other day, and I'm a
> bit stumped as to how they might have gotten there...I see these:
> >
> >                      StartTime                 LastTime  Proto  Sport  Dir  Dport           TotPkts          TotBytes
> >       03/25/14 11:09:49.473637 03/25/14 11:09:49.501733      1 0x0303   <-  0x60ea  2182690890685501  2495973268128260
> >       03/25/14 11:11:26.413780 03/25/14 11:11:26.445918      1 0x0303   <-  0x68ea  1910394259086494  1915658761929220
> >       03/25/14 11:11:26.427968 03/25/14 11:11:26.434707      1 0x0303   <-  0x6aea  2019091291413663   612496964846084
> >       03/25/14 11:12:46.878386 03/25/14 11:12:46.890172      1 0x0303   <-  0x76ea  3837314156567791   167070201545220
> >
> > These records all had the same source and destination address. Does
> anyone have a theory? My guess is either corruption of the data (seems
> unlikely in this case) or perhaps something had an issue parsing these
> particular records (racluster, rasplit)?
> >
> > Any suggestions from the list on how I might figure out more about these
> records or how they might have been generated?
> >
> > Cheers,
> >
> > Jesse
> > --
> > Jesse Bowling
> >
>



-- 
Jesse Bowling
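A sanity check over the listing above, added here as example code for this thread (it is not part of argus or of ra's output format): it parses rows in the column layout Jesse posted (StartTime, Proto, Sport, Dir, Dport, TotPkts, TotBytes, Dur), flags counters that cannot describe real traffic, and separately lists the single-packet, zero-duration records Carter asks about. The thresholds (a 20 to 65535 byte-per-packet window, a 10 million packet-per-second ceiling) are assumptions chosen for the check, not limits enforced by argus; the sample rows are copied from the listing.

```python
"""Plausibility audit for flow records printed by ra(1).

Added example for this thread, not code from the argus project. It assumes
whitespace-separated rows with the columns StartTime Proto Sport Dir Dport
TotPkts TotBytes Dur, as in Jesse's listing; the thresholds below are
assumptions chosen for this check, not limits enforced by argus.
"""
from dataclasses import dataclass, field

# Assumed bounds. An IPv4 packet cannot exceed 65535 bytes or be shorter
# than its 20-byte header; the packet-rate ceiling is a generous sanity limit.
MAX_BYTES_PER_PKT = 65535
MIN_BYTES_PER_PKT = 20
MAX_PKTS_PER_SEC = 10_000_000


@dataclass
class FlowRecord:
    start: str
    proto: int
    sport: str
    direction: str
    dport: str
    tot_pkts: int
    tot_bytes: int
    dur: float
    reasons: list = field(default_factory=list)  # filled in by audit()


def parse_ra_line(line):
    """Parse one data row; return None for the header, blank lines or junk."""
    fields = line.split()
    if len(fields) != 9 or not fields[0][:1].isdigit():
        return None
    date, clock, proto, sport, direction, dport, pkts, byts, dur = fields
    return FlowRecord(f"{date} {clock}", int(proto), sport, direction, dport,
                      int(pkts), int(byts), float(dur))


def audit(record):
    """Attach a reason for every counter that cannot describe real traffic."""
    if record.tot_pkts > 0:
        bytes_per_pkt = record.tot_bytes / record.tot_pkts
        if bytes_per_pkt > MAX_BYTES_PER_PKT:
            record.reasons.append("bytes_per_pkt_high")
        if bytes_per_pkt < MIN_BYTES_PER_PKT:
            record.reasons.append("bytes_per_pkt_low")
    # A zero duration leaves the rate undefined, so only check timed flows.
    if record.dur > 0 and record.tot_pkts / record.dur > MAX_PKTS_PER_SEC:
        record.reasons.append("pkt_rate")
    return record


def load(text):
    """Parse and audit every data row in a block of ra output."""
    return [audit(r) for r in map(parse_ra_line, text.splitlines()) if r]


def suspect(records):
    """Records with at least one implausible counter."""
    return [r for r in records if r.reasons]


def zero_duration_single_packet(records):
    """The case Carter describes: one packet, hence no elapsed time at all."""
    return [r for r in records if r.dur == 0 and r.tot_pkts == 1]


# Sample rows copied from Jesse's listing in this thread (header included
# so the parser's header handling is exercised).
SAMPLE = """\
StartTime  Proto  Sport   Dir  Dport  TotPkts  TotBytes  Dur
03/25/14 11:09:49.460105 1 0x0303 <-> 0x62ea 2 61 0.069073
03/25/14 11:09:49.473637 1 0x0303 <- 0x60ea 2182690890685501 2495973268128260 0.028096
03/25/14 11:11:26.413780 1 0x0303 <- 0x68ea 1910394259086494 1915658761929220 0.032138
03/25/14 11:11:26.427968 1 0x0303 <- 0x6aea 2019091291413663 612496964846084 0.006739
03/25/14 11:11:52.824234 1 0x0303 -> 0x72ea 1 70 0.000000
03/25/14 11:11:52.832111 1 0x0303 -> 0x70ea 1 70 0.000000
03/25/14 11:12:46.868043 1 0x0303 -> 0x78ea 1280 34305 0.010306
03/25/14 11:12:46.878386 1 0x0303 <- 0x76ea 3837314156567791 167070201545220 0.011786
03/25/14 11:13:02.693644 1 0x0303 -> 0x62ea 1 70 0.000000
03/25/14 11:13:02.693721 1 0x0303 -> 0x64ea 1 70 0.000000
"""

if __name__ == "__main__":
    recs = load(SAMPLE)
    for r in suspect(recs):
        print(r.start, r.dport, r.tot_pkts, r.tot_bytes, r.dur, r.reasons)
    print(len(zero_duration_single_packet(recs)),
          "single-packet zero-duration records")
```

On this sample the four oversized records fail both the byte-per-packet floor (each shows roughly one byte or less per packet) and the packet-rate ceiling, while the four zero-duration rows carry one 70-byte packet each and pass every counter check; that separation is what lets you tell a one-packet artefact from a record whose counters were filled from garbage.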