Missing sport / dport for Argus 3.0.8
Kjell Tore Fossbakk via Argus-info
argus-info at lists.andrew.cmu.edu
Mon Apr 4 09:10:27 EDT 2016
Hello.
I'm running Argus Version 3.0.8 (same with clients) with libpcap 1.5.3.
Previously we ran Argus Version 3.0.6.1 with libpcap 1.1.1.
We use ra with DELIMITERS "," and a list of fields, such as sport and
dport. If we have an ICMP with sport=0, or TCP/UDP with sport=0/dport=0, and
run this through both these Argus versions, we get the following behavior:
Using Argus 3.0.6.1 with libpcap 1.1.1 we get 0x0000 as sport for ICMP.
Using Argus 3.0.6.1 with libpcap 1.1.1 we get 0 as sport / dport for
TCP/UDP.
For 3.0.6.1 we would seem to get sport 0 as icmp type=0, and sport 8 as
icmp type=8.
Now, when we use the newest version:
Using Argus 3.0.8 with libpcap 1.5.3 we get <empty data> as sport for ICMP,
where we got 0x0000 for 3.0.6.1.
Using Argus 3.0.8 with libpcap 1.5.3 we get <empty data> as sport/dport for
TCP/UDP, where we got sport/dport 0 for 3.0.6.1.
By <empty data> we mean there is nothing between the delimiters in the
output.
I've tried to read ChangeLogs, CHANGES etc. in argus, argus-clients, libpcap.
Also did a little "grepping" without much success.
So, something must have changed. The question is: was the change in Argus or
libpcap? Was it deliberate, or is this a bug?
Kjell Tore
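Whatever the cause of the change, a downstream parser of delimited ra output has to survive all three representations the post reports for a zero port: decimal "0", hex "0x0000", and an empty field. The following is an added example, not code from the post or from the Argus project; it assumes a field list of proto,saddr,sport,daddr,dport and a "," delimiter (both assumptions), and the sample records are constructed to mimic the two versions' output so the same records normalise identically.

```python
"""Normalise sport/dport from comma-delimited ra output across Argus versions.

Added example, not part of the mailing-list post. The field list, delimiter
and sample records below are assumptions constructed to mirror the behaviour
described in the post: Argus 3.0.6.1 printed 0x0000 (ICMP) or 0 (TCP/UDP)
for a zero port, Argus 3.0.8 prints an empty field. Treating the empty field
as "missing" instead of 0 silently drops or mis-types records, so the parser
maps all three shapes to the same integer before anything else sees them.
"""
from typing import Dict, List, Optional

FIELDS = ["proto", "saddr", "sport", "daddr", "dport"]  # assumed ra field list
DELIM = ","                                              # DELIMITERS "," as in the post


def parse_port(value: str, empty_value: Optional[int] = 0) -> Optional[int]:
    """Return the port/ICMP type as an int.

    "" (Argus 3.0.8 zero port)      -> empty_value (0 by default)
    "0x0000" (Argus 3.0.6.1 ICMP)   -> int(value, 16)
    "0", "53", "8" (decimal)        -> int(value, 10)
    Pass empty_value=None if you need to tell "empty" apart from a real 0.
    """
    v = value.strip()
    if v == "":
        return empty_value
    if v.lower().startswith("0x"):
        return int(v, 16)
    return int(v, 10)


def parse_record(line: str) -> Dict[str, object]:
    """Split one delimited ra line into a dict with integer ports."""
    parts = line.rstrip("\r\n").split(DELIM)
    # A trailing empty dport still yields the right field count with split(),
    # but a line with the wrong count is a real problem, so fail loudly.
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec: Dict[str, object] = dict(zip(FIELDS, parts))
    rec["sport"] = parse_port(parts[FIELDS.index("sport")])
    rec["dport"] = parse_port(parts[FIELDS.index("dport")])
    return rec


def parse_ra_output(lines) -> List[Dict[str, object]]:
    """Parse all non-blank lines of ra output."""
    return [parse_record(ln) for ln in lines if ln.strip()]


def count_zero_port_records(records: List[Dict[str, object]]) -> int:
    """How many records carry a zero sport or dport (ICMP type 0, port 0)."""
    return sum(1 for r in records if r["sport"] == 0 or r["dport"] == 0)


# Constructed samples: the same three flows as Argus 3.0.6.1 and 3.0.8 would
# print them according to the post (hex / decimal zero vs. empty field).
SAMPLE_3_0_6_1 = [
    "icmp,192.0.2.10,0x0000,192.0.2.20,0x0000",
    "udp,192.0.2.10,0,192.0.2.20,53",
    "tcp,192.0.2.10,44321,192.0.2.20,0",
]
SAMPLE_3_0_8 = [
    "icmp,192.0.2.10,,192.0.2.20,",
    "udp,192.0.2.10,,192.0.2.20,53",
    "tcp,192.0.2.10,44321,192.0.2.20,",
]

if __name__ == "__main__":
    old = parse_ra_output(SAMPLE_3_0_6_1)
    new = parse_ra_output(SAMPLE_3_0_8)
    print("identical after normalisation:", old == new)
    print("records with a zero port:", count_zero_port_records(new))
```

Mapping the empty field to 0 is a choice, not a certainty about what Argus 3.0.8 intends; if the upstream answer turns out to be that an empty field means "no port data" rather than port 0, call parse_port with empty_value=None so the two cases stay distinguishable in the parsed records.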