[ARGUS] ARGUSBug Argus server occasionally generates an invalid meter DSR in a flow record
Reed, Joel via Argus-info
argus-info at lists.andrew.cmu.edu
Wed Feb 27 14:01:13 EST 2019
>Description:
The Argus server occasionally generates a flow record with a meter DSR that is not properly parsed by the ra client. This causes the packet, byte, and appbytes counts to be incorrect, usually containing at least some count values from the previous flow record. Below I have included a partial dump of the problematic flow record. The meter DSR subtype 0x04 (includes app bytes) has a qualifier of 0x00. The meter DSR parser (common/argus_client.c:~2223) does not have a case to process a meter DSR subtype 0x04, qualifier of 0x00.
Partial hex dump of the flow record:
01: 13 20 00 39 -- Type 0x10 (FAR), version 3, 0x20 continuation, length 0x39
02: 01 03 00 03 -- Transport DSR
03: 00 00 00 00 |
04: e1 12 61 ff |
05: 02 01 01 05 -- Flow DSR
06: a0 5b 56 4a |
07: a0 5b 5e a9 |
08: 06 00 03 ff |
09: 08 01 00 00 |
0a: 03 02 18 05 -- Time DSR
0b: 5c 76 ad d0 |
0c: 00 07 88 2f |
0d: 5c 76 ad f0 |
0e: 00 05 41 67 |
0f: 10 04 00 05 -- Meter DSR, subtype 0x04, qualifier 0x00, length 0x05
10: 30 00 00 01 |
11: 40 00 01 02 |
12: 01 f4 00 00 |
13: 48 00 01 02 |
14: 30 05 00 1e -- Network DSR
15: ...
>How-To-Repeat:
Unknown. We see approximately one of these per hour.
>Fix:
Unknown.
>Originator: Joel Reed <reedjw at ornl.gov>
>Organization:
ORNL
>ARGUS support: none
>Release: argus-3.0
>Product: argus
>Synopsis: Argus server occasionally generates an invalid meter DSR in a flow record
>Class: sw-bug
>Severity: non-critical
>Priority: low
>Environment:
ARGUS: Argus Version 3.0.8.2
RA: Ra Version 3.0.8.2
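
The following C program is an added example, not part of the original report or of the Argus sources. It walks the DSR headers of the record dumped above and returns the offset of a meter DSR with subtype 0x04 and qualifier 0x00. The header layout (type, subtype, qualifier, one-byte length in 4-byte words) is an assumption read off the dump's annotations, and find_suspect_meter is a hypothetical name.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed input: the 20 words shown in the report's partial dump
 * (record header through the Network DSR header; the rest is elided). */
static const uint8_t dump[] = {
    0x13,0x20,0x00,0x39, 0x01,0x03,0x00,0x03, 0x00,0x00,0x00,0x00,
    0xe1,0x12,0x61,0xff, 0x02,0x01,0x01,0x05, 0xa0,0x5b,0x56,0x4a,
    0xa0,0x5b,0x5e,0xa9, 0x06,0x00,0x03,0xff, 0x08,0x01,0x00,0x00,
    0x03,0x02,0x18,0x05, 0x5c,0x76,0xad,0xd0, 0x00,0x07,0x88,0x2f,
    0x5c,0x76,0xad,0xf0, 0x00,0x05,0x41,0x67, 0x10,0x04,0x00,0x05,
    0x30,0x00,0x00,0x01, 0x40,0x00,0x01,0x02, 0x01,0xf4,0x00,0x00,
    0x48,0x00,0x01,0x02, 0x30,0x05,0x00,0x1e,
};

#define METER_DSR 0x10  /* type byte the report labels "Meter DSR" */

/* Assumed layout (from the dump annotations): each DSR starts with
 * type, subtype, qualifier, length-in-words. Returns the byte offset of
 * the first meter DSR with subtype 0x04 and qualifier 0x00, -1 if none
 * is found in the bytes available, -2 if a zero length is encountered. */
long find_suspect_meter(const uint8_t *rec, size_t len)
{
    size_t off = 4;                       /* skip the 4-byte record header */
    while (off + 4 <= len) {
        uint8_t type = rec[off], sub = rec[off + 1], qual = rec[off + 2];
        size_t words = rec[off + 3];
        if (words == 0)
            return -2;                    /* would never advance */
        if (type == METER_DSR && sub == 0x04 && qual == 0x00)
            return (long)off;
        off += words * 4;                 /* next DSR header */
    }
    return -1;
}

int main(void)
{
    long off = find_suspect_meter(dump, sizeof dump);
    if (off >= 0)   /* word index uses the dump's 1-based numbering */
        printf("meter DSR subtype 0x04 qualifier 0x00 at word 0x%02lx\n",
               (unsigned long)(off / 4 + 1));
    return 0;
}
```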