rasql sco dco problem
David Edelman
dedelman at iname.com
Fri May 16 12:58:42 EDT 2014
That is correct.
Dave Edelman
> On May 16, 2014, at 11:16, Carter Bullard <carter at qosient.com> wrote:
>
> Hey Dave,
> So far in my testing, the IP address / country codes are correct in the database,
> but rasql() seems to mix the addresses up when reading the database table
> record. Are you seeing the same thing ???
>
> mysql> select saddr,sco,daddr,dco from argus.matrix_2014_05_11 where saddr='160.125.129.107';
>
> Carter
>
>> On May 16, 2014, at 7:18 AM, Carter Bullard <carter at qosient.com> wrote:
>>
>> Hey Dave,
>> I can replicate this here, so I'll try to fix today.
>> Carter
>>
>>> On May 15, 2014, at 5:48 PM, David Edelman <dedelman at iname.com> wrote:
>>>
>>> Carter,
>>>
>>> This appears to have been a problem for some time, not specific to 3.0.7.26 but you
>>> might want to look at it. The data were written with 3.0.7.26 but I can make
>>> it happen with previous versions as well. Using matrix as a component of the
>>> aggregation may change the order of the source and destination of the output
>>> flow record, but it doesn't seem to reorder the sco and dco components to
>>> reflect that. I can understand if it doesn't modify the labels but since I
>>> can filter on sco and dco it would be nice to have them move along with the
>>> addresses.
>>>
>>> 123.123.x is allocated to China, 160.125.129.107 is redacted but the
>>> original was allocated to the US and I preserved the relative magnitude of
>>> the two addresses to maintain the ordering in the matrix value.
>>>
>>> --Dave
>>>
>>>
>>> rasqlinsert -M time 1d -M cache -S localhost:561 -w mysql://argus@localhost/argus/matrix_%Y_%m_%d -m srcid matrix proto -s ltime dur srcid saddr daddr bytes proto sco dco -d
>>>
>>>
>>>
>>> rasql -t -5d -r mysql:argus/matrix_%Y_%m_%d -M time 1d -M sql="saddr like '123.123.%'" -w - | ra
>>> StartTime Flgs Proto TcpOpt SrcAddr Sport sCo Dir dCo DstAddr Dport State Trans TotPkts TotBytes
>>> Thu 2014-05-15 21:14:54.611 Ne tcp 160.125.129.107 CN -> US 123.123.123.123 REQ 1 3 144
>
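Added example, not part of the thread and not Argus code: a small Python model of the symptom reported above, where a reorder moves saddr/daddr but leaves sco/dco behind, together with a check that flags such records. Field names come from the -s list in the post; the GEO table, the function names and the sample records are constructed assumptions.

```python
import ipaddress

# Constructed lookup: allocations as stated in the post (not a real GeoIP database).
GEO = {
    ipaddress.ip_network("123.123.0.0/16"): "CN",
    ipaddress.ip_network("160.125.129.107/32"): "US",
}

# Fields that describe one endpoint and must move together on a reorder.
PAIRED = [("saddr", "daddr"), ("sco", "dco")]


def country(addr):
    """Return the country code for addr from GEO, or None if unknown."""
    ip = ipaddress.ip_address(addr)
    for net, code in GEO.items():
        if ip in net:
            return code
    return None


def reorder_naive(rec):
    """Swap only the addresses: the behaviour the post reports."""
    out = dict(rec)
    out["saddr"], out["daddr"] = rec["daddr"], rec["saddr"]
    return out


def reorder_paired(rec):
    """Swap every endpoint-bound field so labels follow their address."""
    out = dict(rec)
    for src, dst in PAIRED:
        out[src], out[dst] = rec[dst], rec[src]
    return out


def check_labels(rec):
    """Classify a record as ok, swapped, mismatch, or unknown."""
    want = (country(rec["saddr"]), country(rec["daddr"]))
    have = (rec["sco"], rec["dco"])
    if None in want:
        return "unknown"
    if have == want:
        return "ok"
    return "swapped" if have == want[::-1] else "mismatch"


# Constructed record matching the ra output line quoted in the post.
REPORTED = {"saddr": "160.125.129.107", "sco": "CN",
            "daddr": "123.123.123.123", "dco": "US"}
```

Running check_labels over rows read back from the table gives a quick way to see whether a filter on sco or dco can be trusted for a given data set.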