BUG: ra output extra delimiter char for isis traffic

elof2 at sentor.se
Thu May 18 07:03:44 EDT 2017


Hi Carter!

Have you been able to reproduce this and find a fix?

/Elof


On Thu, 13 Apr 2017, elof2 at sentor.se wrote:
> Bug report:
>
> Today my argus sensor started seeing isis packets in its monitored traffic.
> This made my ra cronjob constantly fail, since it suddenly received more 
> output columns than expected.
>
>
> I narrowed it down to this:
>
> When you use the -c option to 'ra'
> AND
> you print the "dport" field
> AND
> your argus logfile contains isis traffic
>
> then 'ra' erroneously adds an extra delimiter char after the dport value.
>
>
> Example:
> ra -c ',' -nr /usr/sentor/48h/argus-20170413.1341.log -s stime proto dport 
> smac dmac saddr daddr | grep -C2 'isis' | head -5
> 13:36:40.251669,udp,53,00:15:5d:01:22:02,00:00:5e:00:01:17,10.10.10.10,222.222.222.222
> 13:36:40.251739,udp,53,0c:c4:7a:59:32:62,02:e0:52:3d:5e:01,111.111.111.111,222.222.222.222
> 13:36:40.257987,isis,0x74ba,,74:8e:f8:a9:e9:83,09:00:2b:00:00:05,748e.f8a9.c540.00-00,0x7f650000
> 13:36:40.259831,tcp,58918,dc:4a:3e:77:56:2c,00:00:5e:00:01:09,10.11.11.11,10.100.100.100
> 13:36:40.262557,tcp,443,dc:4a:3e:77:56:2c,00:00:5e:00:01:09,10.22.22.22,55.55.55.55
>
> See the third column in the middle line: it says "0x74ba," instead of 
> "0x74ba".
> This makes this line #3 contain 8 columns while lines #1, #2, #4 and #5 
> contain 7 columns.
>
> Other protocols are printed just fine, only isis seems to be affected.
>
>
>
> Ra Version 3.0.8.2 on FreeBSD 10.3 amd64
>
> My temporary workaround is now to filter out this traffic from entering the 
> argus logfile in the first place:
> /etc/argus.conf:
> ARGUS_FILTER="not ether dst 09:00:2b:00:00:05"
>
> /Elof
>
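A defensive check for a cron job that consumes ra's delimited output, added here as an example that is not part of the original report or of the argus project: it verifies that every row has exactly as many columns as fields were requested with -s, quarantines rows that do not (instead of letting the whole job fail), and recognises the signature described above, an extra empty column directly after dport. The sample rows are the five lines from the report; the field list and the function names are assumptions.

```python
import csv
import io

# Fields requested with `ra -s ...` in the report; each row must have this many columns.
FIELDS = ["stime", "proto", "dport", "smac", "dmac", "saddr", "daddr"]

# Constructed sample input: the five output lines quoted in the report.
SAMPLE = """\
13:36:40.251669,udp,53,00:15:5d:01:22:02,00:00:5e:00:01:17,10.10.10.10,222.222.222.222
13:36:40.251739,udp,53,0c:c4:7a:59:32:62,02:e0:52:3d:5e:01,111.111.111.111,222.222.222.222
13:36:40.257987,isis,0x74ba,,74:8e:f8:a9:e9:83,09:00:2b:00:00:05,748e.f8a9.c540.00-00,0x7f650000
13:36:40.259831,tcp,58918,dc:4a:3e:77:56:2c,00:00:5e:00:01:09,10.11.11.11,10.100.100.100
13:36:40.262557,tcp,443,dc:4a:3e:77:56:2c,00:00:5e:00:01:09,10.22.22.22,55.55.55.55
"""


def split_rows(text, delimiter=",", fields=FIELDS):
    """Split `ra -c <delimiter>` output into (good, bad).

    good: one dict per well-formed row, keyed by field name.
    bad:  (line_number, raw_columns) for rows whose column count differs
          from len(fields), so the caller can quarantine them for review.
    """
    good, bad = [], []
    for lineno, cols in enumerate(csv.reader(io.StringIO(text), delimiter=delimiter), 1):
        if not cols:
            continue  # blank line
        if len(cols) != len(fields):
            bad.append((lineno, cols))
            continue
        good.append(dict(zip(fields, cols)))
    return good, bad


def is_extra_delim_after_dport(cols, fields=FIELDS):
    """True when a raw row matches the reported defect: exactly one surplus
    column, and that surplus is an empty field immediately after dport."""
    dport_idx = fields.index("dport")
    return len(cols) == len(fields) + 1 and cols[dport_idx + 1] == ""


if __name__ == "__main__":
    ok, quarantined = split_rows(SAMPLE)
    print(f"{len(ok)} rows accepted, {len(quarantined)} quarantined")
    for lineno, cols in quarantined:
        tag = "extra delimiter after dport" if is_extra_delim_after_dport(cols) else "unknown shape"
        print(f"line {lineno} ({cols[1]}): {len(cols)} columns, {tag}")
```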