argus error message

Carter Bullard carter at qosient.com
Fri Nov 21 14:57:12 EST 2014


Hey Mike,
Something is connecting to your argus collectors and testing the port(s).
The argus protocol is pretty simple, but is formal, in that argus/radium
output processors are expecting the argus protocol, and if they don’t
get it, they hang up after a while.

I suspect a management scanner is testing your collector ports.
They may be trying all the ports on the collectors, or they are just going
after the argus 561 port ??

Thanks for the libpcap bug report.  Glad a newer version works for
you.  I always develop/release with the latest versions of libpcap,
so that is the best version to use !!!

Hope all is most excellent,

Carter

> On Nov 20, 2014, at 9:16 PM, MN <m.newton at stanford.edu> wrote:
> 
> 
> Hi Carter - on Ubuntu 14.04.1 LTS, pcap 1.6.2, argus 3.0.8 (I've changed
> control characters to ^x to prevent mailers from experiencing too much
> anxiety):
> 
>  ArgusWarning: 18 Nov 14 10:12:43.685476 ArgusCheckClientMessage: received ^x
>  ArgusWarning: 18 Nov 14 10:12:43.726362 ArgusCheckClientMessage: received ^d^a
>  ArgusWarning: 18 Nov 14 10:12:43.779023 ArgusCheckClientMessage: received l
>  ArgusWarning: 18 Nov 14 10:12:43.838211 ArgusCheckClientMessage: received 8HKCEJ:^\q]huo$5^\%
>  ArgusWarning: 18 Nov 14 10:12:43.929395 ArgusCheckClientMessage: received status
> 
>  ArgusWarning: 18 Nov 14 10:12:43.978500 ArgusCheckClientMessage: received ^r^a
>  ArgusWarning: 18 Nov 14 10:12:44.421381 ArgusCheckClientMessage: client noname never started: timed out
>  ArgusWarning: 18 Nov 14 10:12:44.581236 ArgusCheckClientMessage: client noname never started: timed out
>  ArgusWarning: 18 Nov 14 10:12:44.760099 ArgusCheckClientMessage: client noname never started: timed out
>  ArgusWarning: 18 Nov 14 10:12:44.910570 ArgusCheckClientMessage: client noname never started: timed out
>  ArgusWarning: 18 Nov 14 10:12:45.114734 ArgusCheckClientMessage: client noname never started: timed out
>  ArgusWarning: 18 Nov 14 10:12:48.294836 ArgusCheckClientMessage: client noname never started: timed out
>  ArgusWarning: 18 Nov 14 10:12:48.458081 ArgusCheckClientMessage: client noname never started: timed out
>  ArgusWarning: 18 Nov 14 10:12:48.590864 ArgusCheckClientMessage: client noname never started: timed out
>  ArgusWarning: 18 Nov 14 10:12:48.730317 ArgusCheckClientMessage: received ^p^a
>  ArgusWarning: 18 Nov 14 10:12:53.739017 ArgusCheckClientMessage: client noname never started: timed out
>  ArgusWarning: 18 Nov 14 10:12:53.883301 ArgusCheckClientMessage: received 
>  ArgusWarning: 18 Nov 14 10:12:59.022351 ArgusCheckClientMessage: client noname never started: timed out
>  ArgusWarning: 18 Nov 14 10:13:05.210904 ArgusCheckClientMessage: client noname never started: timed out
>  ArgusWarning: 18 Nov 14 10:13:06.443490 ArgusCheckClientMessage: received ^a
>  ArgusWarning: 18 Nov 14 10:14:19.888625 ArgusCheckClientMessage: client noname never started: timed out
> 
> 
> This happens roughly every 5 days on our three busiest Argus collectors.
> It does not appear to affect flow collection.
> 
> Is it just some random TCP connection causing the problem?
> 
> Thanks,
> - mike
> 
> ps: libpcap 1.3.0 and some versions of Argus do not work well - random
> crashes every few days on 10gb connections.  We switched to 1.6.2 and
> these problems went away.
> 
> 
> 
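
A log triage sketch for the warnings quoted above, added here as an example; it is not part of the original messages or of argus itself. It groups ArgusCheckClientMessage warnings into bursts so that a periodic port test stands out from isolated noise. The 5-minute burst gap and the function names are assumptions, and the sample lines are a subset copied from the quoted log.

```python
import re
from datetime import datetime, timedelta

# Subset of the warnings quoted in the message above.
SAMPLE = """\
ArgusWarning: 18 Nov 14 10:12:43.685476 ArgusCheckClientMessage: received ^x
ArgusWarning: 18 Nov 14 10:12:43.929395 ArgusCheckClientMessage: received status
ArgusWarning: 18 Nov 14 10:12:44.421381 ArgusCheckClientMessage: client noname never started: timed out
ArgusWarning: 18 Nov 14 10:12:48.730317 ArgusCheckClientMessage: received ^p^a
ArgusWarning: 18 Nov 14 10:13:06.443490 ArgusCheckClientMessage: received ^a
ArgusWarning: 18 Nov 14 10:14:19.888625 ArgusCheckClientMessage: client noname never started: timed out
"""

LINE = re.compile(
    r"ArgusWarning: (\d{1,2} \w{3} \d{2} [\d:.]+) ArgusCheckClientMessage: (.*)")

def parse(text):
    """Yield (timestamp, kind, detail) for each ArgusCheckClientMessage warning."""
    for raw in text.splitlines():
        m = LINE.search(raw)          # search() tolerates a leading "> " quote mark
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%d %b %y %H:%M:%S.%f")
        msg = m.group(2)
        if msg.startswith("received"):
            # Bytes arrived that were not the argus protocol.
            yield ts, "unexpected_data", msg[len("received"):].strip()
        elif msg.endswith("timed out"):
            # Client connected but never started the protocol.
            yield ts, "timeout", ""
        else:
            yield ts, "other", msg

def bursts(events, gap=timedelta(minutes=5)):
    """Group events into bursts; a silence longer than `gap` (assumed) splits them."""
    groups = []
    for ev in sorted(events):
        if groups and ev[0] - groups[-1][-1][0] <= gap:
            groups[-1].append(ev)
        else:
            groups.append([ev])
    return [{"start": g[0][0], "end": g[-1][0],
             "unexpected_data": sum(e[1] == "unexpected_data" for e in g),
             "timeout": sum(e[1] == "timeout" for e in g),
             "payloads": [e[2] for e in g if e[1] == "unexpected_data"]}
            for g in groups]

if __name__ == "__main__":
    for b in bursts(parse(SAMPLE)):
        print(b["start"], "->", b["end"], b["unexpected_data"],
              "non-argus payloads,", b["timeout"], "timeouts", b["payloads"])
```

Comparing burst start times across collectors and across weeks shows whether the connections follow a fixed schedule, which is what a management scanner would produce.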
