ICMP records of an unusual size

Carter Bullard carter at qosient.com
Sun Mar 30 13:06:08 EDT 2014 

Well, these are weird.  Any chance I can get a file with these records in them ??
So, any sense as to how these are generated, are they coming right off of argus ??
Carter

On Mar 29, 2014, at 8:44 PM, Jesse Bowling <jessebowling at gmail.com> wrote:

> I have some flows with duration zero, but they don't seem to match up with the R.U.S:
>                      StartTime  Proto  Sport   Dir  Dport              TotPkts             TotBytes        Dur 
>       03/25/14 11:09:49.460105      1 0x0303   <-> 0x62ea                    2                   61   0.069073
>       03/25/14 11:09:49.473637      1 0x0303   <-  0x60ea     2182690890685501     2495973268128260   0.028096
>       03/25/14 11:11:26.413780      1 0x0303   <-  0x68ea     1910394259086494     1915658761929220   0.032138
>       03/25/14 11:11:26.427968      1 0x0303   <-  0x6aea     2019091291413663      612496964846084   0.006739
>       03/25/14 11:11:52.824234      1 0x0303    -> 0x72ea                    1                   70   0.000000
>       03/25/14 11:11:52.832111      1 0x0303    -> 0x70ea                    1                   70   0.000000
>       03/25/14 11:12:46.868043      1 0x0303    -> 0x78ea                 1280                34305   0.010306
>       03/25/14 11:12:46.878386      1 0x0303   <-  0x76ea     3837314156567791      167070201545220   0.011786
>       03/25/14 11:13:02.693644      1 0x0303    -> 0x62ea                    1                   70   0.000000
>       03/25/14 11:13:02.693721      1 0x0303    -> 0x64ea                    1                   70   0.000000
> 
> 
> Cheers,
> 
> Jesse
> 
> 
> On Sat, Mar 29, 2014 at 2:51 PM, Carter Bullard <carter at qosient.com> wrote:
> Hey Jesse,
> What was the duration of these flows ??  If zero, we had a bug a while back where splitting records used an uninitialed chunk of memory.
> If the duration is zero (only one packet) I'm thinking this maybe the result of that bug  ??
> 
> Carter
> 
> 
> 
> > On Mar 29, 2014, at 1:12 PM, Jesse Bowling <jessebowling at gmail.com> wrote:
> >
> > I noticed a few odd records in our argus data the other day, and I'm a bit stumped as to how they might have gotten there...I see these:
> >
> >                      StartTime                 LastTime  Proto  Sport   Dir  Dport              TotPkts             TotBytes
> >       03/25/14 11:09:49.473637 03/25/14 11:09:49.501733      1 0x0303   <-  0x60ea     2182690890685501     2495973268128260
> >       03/25/14 11:11:26.413780 03/25/14 11:11:26.445918      1 0x0303   <-  0x68ea     1910394259086494     1915658761929220
> >       03/25/14 11:11:26.427968 03/25/14 11:11:26.434707      1 0x0303   <-  0x6aea     2019091291413663      612496964846084
> >       03/25/14 11:12:46.878386 03/25/14 11:12:46.890172      1 0x0303   <-  0x76ea     3837314156567791      167070201545220
> >
> > These records all had the same source and destination address. Does anyone have a theory? My guess is either corruption of the data (seems unlikely in this case) or perhaps something had issue parsing these particular records (racluster, rasplit)?
> >
> > Any suggestions from the list on how I might figure out more about these records or how they might have been generated?
> >
> > Cheers,
> >
> > Jesse
> > --
> > Jesse Bowling
> >
> 
> 
> 
> -- 
> Jesse Bowling
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20140330/437efde6/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6837 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20140330/437efde6/attachment.bin>

More information about the argus mailing list