rasql sco dco problem

Carter Bullard carter at qosient.com
Fri May 16 13:22:01 EDT 2014


Hey Dave, 
OK, so I have fixes in for this.  It impacts all aggregators, so
you'll need to grab the next release, which I'll push up later today.

Carter 

On May 16, 2014, at 12:58 PM, David Edelman <dedelman at iname.com> wrote:

> That is correct. 
> 
> Dave Edelman
> 
> 
>> On May 16, 2014, at 11:16, Carter Bullard <carter at qosient.com> wrote:
>> 
>> Hey Dave,
>> So far in my testing, the IP address / country codes are correct in the database,
>> but rasql() seems to mix the addresses up when reading the database table
>> record.  Are you seeing the same thing ???
>> 
>> mysql> select saddr,sco,daddr,dco from argus.matrix_2014_05_11 where saddr='160.125.129.107';
>> 
>> Carter
>> 
>>> On May 16, 2014, at 7:18 AM, Carter Bullard <carter at qosient.com> wrote:
>>> 
>>> Hey Dave,
>>> I can replicate this here, so I'll try to fix today.
>>> Carter
>>> 
>>>> On May 15, 2014, at 5:48 PM, David Edelman <dedelman at iname.com> wrote:
>>>> 
>>>> Carter,
>>>> 
>>>> This appears to have been a problem for some time, not specific to 3.0.7.26, but you
>>>> might want to look at it. The data were written with 3.0.7.26, but I can make
>>>> it happen with previous versions as well. Using matrix as a component of the
>>>> aggregation may change the order of the source and destination of the output
>>>> flow record, but it doesn't seem to reorder the sco and dco components to
>>>> reflect that. I can understand if it doesn't modify the labels but since I
>>>> can filter on sco and dco it would be nice to have them move along with the
>>>> addresses.
>>>> 
>>>> 123.123.x is allocated to China, 160.125.129.107 is redacted but the
>>>> original was allocated to the US and I preserved the relative magnitude of
>>>> the two addresses to maintain the ordering in the matrix value.
>>>> 
>>>> --Dave
>>>> 
>>>> 
>>>> rasqlinsert -M time 1d -M cache -S localhost:561 -w mysql://argus@localhost/argus/matrix_%Y_%m_%d -m srcid matrix proto -s ltime dur srcid saddr daddr bytes proto sco dco -d
>>>> 
>>>> 
>>>> 
>>>> rasql -t -5d -r mysql:argus/matrix_%Y_%m_%d -M time 1d -M sql="saddr like '123.123.%'" -w - | ra
>>>>                     StartTime      Flgs  Proto         TcpOpt  SrcAddr          Sport sCo   Dir dCo            DstAddr  Dport  State  Trans  TotPkts   TotBytes
>>>>   Thu 2014-05-15 21:14:54.611 Ne           tcp                 160.125.129.107        CN    ->  US    123.123.123.123         REQ      1        3        144
>> 
> 
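An added illustration of the sco/dco problem Dave describes; this is constructed example code, not argus source, and it assumes (from Dave's remark about relative address magnitude) that the matrix key orders the two addresses by numeric value. The country lookup and the flow record are constructed from the values quoted in the thread.

```python
# Constructed illustration of the reported bug: a "matrix" canonicalisation that
# reorders the addresses but leaves the per-side country codes in place, next to
# a version that moves every side-specific field together, plus a consistency
# check that flags records whose country codes no longer match their addresses.
from ipaddress import ip_address

# Fields that belong to one side of the flow and must be swapped as a unit.
SRC_FIELDS = ("saddr", "sport", "sco")
DST_FIELDS = ("daddr", "dport", "dco")

# Constructed lookup: 123.123.x is China, 160.125.129.107 was allocated to the US.
COUNTRY = {"160.125.129.107": "US", "123.123.123.123": "CN"}

# Constructed flow as observed before aggregation (US source talking to CN dest).
FLOW = {"saddr": "160.125.129.107", "sport": 51234, "sco": "US",
        "daddr": "123.123.123.123", "dport": 80, "dco": "CN"}


def needs_swap(rec):
    """Assumed matrix ordering: the numerically lower address goes first."""
    return ip_address(rec["saddr"]) > ip_address(rec["daddr"])


def canonicalize_matrix_buggy(rec):
    """Reproduces the reported behaviour: only the addresses change places."""
    out = dict(rec)
    if needs_swap(rec):
        out["saddr"], out["daddr"] = rec["daddr"], rec["saddr"]
    return out


def canonicalize_matrix(rec):
    """Corrected behaviour: every source-side field swaps with its partner."""
    out = dict(rec)
    if needs_swap(rec):
        for s, d in zip(SRC_FIELDS, DST_FIELDS):
            out[s], out[d] = rec[d], rec[s]
    return out


def mislabeled(rec, country_of):
    """Return the country-code fields that disagree with their address."""
    return [code for addr, code in (("saddr", "sco"), ("daddr", "dco"))
            if country_of(rec[addr]) != rec[code]]


if __name__ == "__main__":
    print("buggy:", mislabeled(canonicalize_matrix_buggy(FLOW), COUNTRY.get))
    print("fixed:", mislabeled(canonicalize_matrix(FLOW), COUNTRY.get))
```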

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6837 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20140516/9615805c/attachment.bin>
