rasql sco dco problem
Carter Bullard
carter at qosient.com
Fri May 16 07:18:28 EDT 2014
Hey Dave,
I can replicate this here, so I'll try to fix today.
Carter
On May 15, 2014, at 5:48 PM, David Edelman <dedelman at iname.com> wrote:
> Carter,
>
> This appears to have been a problem for some time, not specific to 3.0.7.26, but you
> might want to look at it. The data were written with 3.0.7.26 but I can make
> it happen with previous versions as well. Using matrix as a component of the
> aggregation may change the order of the source and destination of the output
> flow record, but it doesn't seem to reorder the sco and dco components to
> reflect that. I can understand if it doesn't modify the labels but since I
> can filter on sco and dco it would be nice to have them move along with the
> addresses.
>
> 123.123.x is allocated to China, 160.125.129.107 is redacted but the
> original was allocated to the US and I preserved the relative magnitude of
> the two addresses to maintain the ordering in the matrix value.
>
> --Dave
>
>
> rasqlinsert -M time 1d -M cache -S localhost:561 -w mysql://argus@localhost/argus/matrix_%Y_%m_%d -m srcid matrix proto -s ltime dur srcid saddr daddr bytes proto sco dco -d
>
>
>
> rasql -t -5d -r mysql:argus/matrix_%Y_%m_%d -M time 1d -M sql="saddr like '123.123.%'" -w - | ra
> StartTime Flgs Proto TcpOpt SrcAddr Sport sCo Dir dCo DstAddr Dport State Trans TotPkts TotBytes
> Thu 2014-05-15 21:14:54.611 Ne tcp 160.125.129.107 CN -> US 123.123.123.123 REQ 1 3 144
>
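
The mismatch reported above, as an added example that is not part of the original thread and is not argus code: it reorients a flow record with and without moving sco/dco along with the addresses, then flags records whose country labels no longer match their addresses. The ordering rule (larger address becomes the source), the field pairing and the prefix-to-country table are assumptions built from the sample output in the post.

```python
import ipaddress

# Constructed lookup table; the post only says 123.123.x is China and the
# redacted 160.125.129.107 was originally a US address.
COUNTRY_TABLE = [
    (ipaddress.ip_network("123.123.0.0/16"), "CN"),
    (ipaddress.ip_network("160.125.0.0/16"), "US"),
]

# Directional fields that have to move together when a record is reversed
# (names taken from the -s list in the post; the pairing is an assumption).
PAIRED_FIELDS = [("saddr", "daddr"), ("sco", "dco")]


def country_of(addr):
    """Return the country code for addr from the constructed table, or ''."""
    ip = ipaddress.ip_address(addr)
    for net, code in COUNTRY_TABLE:
        if ip in net:
            return code
    return ""


def matrix_orient(rec, paired=PAIRED_FIELDS):
    """Return a copy of rec with the numerically larger address as source.

    The ordering rule is assumed from the sample output, not from argus.
    Every (src, dst) field pair listed in `paired` is swapped together.
    """
    out = dict(rec)
    if ipaddress.ip_address(rec["saddr"]) < ipaddress.ip_address(rec["daddr"]):
        for s, d in paired:
            out[s], out[d] = rec[d], rec[s]
    return out


def mislabeled(rec):
    """True when sco/dco disagree with a fresh lookup of saddr/daddr."""
    expected = (country_of(rec["saddr"]), country_of(rec["daddr"]))
    return expected != (rec["sco"], rec["dco"])


# Constructed record for the flow as it would look before aggregation.
FLOW = {"saddr": "123.123.123.123", "daddr": "160.125.129.107",
        "sco": "CN", "dco": "US"}

if __name__ == "__main__":
    addr_only = matrix_orient(FLOW, paired=[("saddr", "daddr")])
    print("addresses only:", addr_only, "mislabeled =", mislabeled(addr_only))
    full = matrix_orient(FLOW)
    print("all pairs     :", full, "mislabeled =", mislabeled(full))
```

Until the labels follow the addresses, a filter on sco or dco against matrix-aggregated tables selects on the pre-aggregation direction, so the mislabeled() check is the one to run over exported rows before relying on such a filter.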