Re: argus-clients-3.0.0.rc.20

Re: argus-clients-3.0.0.rc.20

On Mon, Jul 31, 2006 at 07:16:49PM -0400, Carter Bullard wrote:
> Hey Peter,
> OK, some of these suggested patches are not really applicable, so pardon
> if I did not apply them all.  The ArgusConvertRecord bzero() does not  
> seem
> appropriate, and its expensive, so I didn't do that, but I did put in  
> a bzero()
> in ArgusGenerateRecordStruct(), which seems be more directed at
> your hunch that there may be data values lingering from record to  
> record.
> 
> I fixed the little endian problems with ip_id and printing out the  
> values
> after 2.x -> 3.0 conversion.
> 
> These changes should be up late tonight.
> 
> Carter
> 

	OK, but the lack of a clear does seem to be the problem there:

(gdb) l ArgusConvertRecord
12904   unsigned char *ArgusConvertRecord (struct ArgusInput *, char *);
12905
12906
12907   unsigned char *
12908   ArgusConvertRecord (struct ArgusInput *input, char *ptr)
12909   {
12910      if (input->ArgusConvBuffer == NULL)
12911         if ((input->ArgusConvBuffer = (u_char *)ArgusCalloc (1, MAXARGUSRECORD)) == NULL)
12912            ArgusLog (LOG_ERR, "ArgusCalloc error %s", strerror(errno));
12913
(gdb) b 12910
Breakpoint 1 at 0x8077bee: file ./argus_util.c, line 12910.
(gdb) r -Fra3.conf.full -rbadtcp2.argus
Starting program: /usr/local/bin/ra3 -Fra3.conf.full -rbadtcp2.argus
warning: Unable to get location for thread creation breakpoint: generic error
[New LWP 100085]
[New Thread 0x81c7000 (LWP 100085)]
[Switching to Thread 0x81c7000 (LWP 100085)]

	(the first time it calls calloc and all is well)

Breakpoint 1, ArgusConvertRecord (input=0x8212000, ptr=0xbfbfeb30 "\200\001")
    at ./argus_util.c:12910
12910      if (input->ArgusConvBuffer == NULL)
(gdb) s
12911         if ((input->ArgusConvBuffer = (u_char *)ArgusCalloc (1, MAXARGUSRECORD)) == NULL)
(gdb) 

	(the second time its still happy because the first was a man record)

(gdb) c
Continuing.

Breakpoint 1, ArgusConvertRecord (input=0x8212000, 
    ptr=0x8224000 "\001\004\001 ") at ./argus_util.c:12910
12910      if (input->ArgusConvBuffer == NULL)
(gdb) s
12914      switch (input->mode) {
(gdb) print *input->ArgusConvBuffer
$4 = 0 '\0'
(gdb) x/40xb input->ArgusConvBuffer
0x8214000:      0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x8214008:      0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x8214010:      0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x8214018:      0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x8214020:      0x00    0x00    0x00    0x00    0x

	(but by the third time we still have the last record in the buffer and
any values we don't over write will be from the previous record such as the
dest packets count (which this packet doesn't have so we don't re write) which
will cause invalid fields to be printed.)

(gdb)
c
Continuing.
StartTime,LastTime,Trans,Dur,AvgDur,SrcAddr,DstAddr,Proto,Sport,Dport,sTos,dTos,sTtl,dTtl,SrcBytes,DstBytes,SAppBytes,DAppBytes,SrcPkts,DstPkts,Src_bps,Dst_bps,Src_pps,Dst_pps,SrcLoss,DstLoss,SrcId,Flgs,SrcMac,DstMac,Dir,SrcJitter,DstJitter,State,srcUdata,dstUdata,SrcWin,DstWin,Seq,sMpls,dMpls,sVlan,dVlan,sIpId,dIpId
1151432428.834986,1151433529.662031,1,1100.827045,1100.827026,142.58.250.27,142.58.249.237,udp,2049,800,0,0,64,64,4521068,3178714,2499724,2259220,20760,19989,32855.793,23100.553,18.859,18.158,0,0,229.97.122.203,
v       ,0:2:b3:d8:98:6e,0:11:88:5:5d:1d,<->,,,CON,s[16]="fx..............",d[16]="gx..............",,,14,,,0x8200,0x8200,0x0000,0x0000

Breakpoint 1, ArgusConvertRecord (input=0x8212000, 
    ptr=0x8224120 "\001\004\001\204") at ./argus_util.c:12910
12910      if (input->ArgusConvBuffer == NULL)
(gdb) print input->ArgusConvBuffer
$10 = (unsigned char *) 0x8214000 "\024 U"
(gdb) x/400xb input->ArgusConvBuffer
0x8214000:      0x14    0x20    0x55    0x00    0x01    0x02    0x01    0x03
0x8214008:      0xcb    0x7a    0x61    0xe5    0x0e    0x00    0x00    0x00
0x8214010:      0x02    0x01    0x01    0x05    0x1b    0xfa    0x3a    0x8e
0x8214018:      0xed    0xf9    0x3a    0x8e    0x11    0x00    0x01    0x08
0x8214020:      0x20    0x03    0x00    0x00    0x03    0x02    0x18    0x05
0x8214028:      0xec    0x76    0xa1    0x44    0xaa    0xbd    0x0c    0x00
0x8214030:      0x39    0x7b    0xa1    0x44    0x0f    0x1a    0x0a    0x00
0x8214038:      0x10    0x04    0x04    0x0d    0x18    0x51    0x00    0x00
0x8214040:      0x00    0x00    0x00    0x00    0x6c    0xfc    0x44    0x00
0x8214048:      0x00    0x00    0x00    0x00    0x8c    0x24    0x26    0x00
0x8214050:      0x00    0x00    0x00    0x00    0x15    0x4e    0x00    0x00
0x8214058:      0x00    0x00    0x00    0x00    0xda    0x80    0x30    0x00
0x8214060:      0x00    0x00    0x00    0x00    0x14    0x79    0x22    0x00
0x8214068:      0x00    0x00    0x00    0x00    0x48    0x00    0x0f    0x05
0x8214070:      0x40    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x8214078:      0x40    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x8214080:      0x42    0x00    0x00    0x05    0x00    0x11    0x88    0x05
0x8214088:      0x5d    0x1d    0x00    0x02    0xb3    0xd8    0x98    0x6e
0x8214090:      0x81    0x00    0x00    0x00    0x40    0x00    0x03    0x02
0x8214098:      0x00    0x82    0x00    0x82    0x50    0x90    0x17    0x00
0x82140a0:      0x54    0x00    0x54    0x00    0x66    0x78    0xd2    0x9d
0x82140a8:      0x00    0x00    0x00    0x01    0x00    0x00    0x00    0x00
0x82140b0:      0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00

	I'll attach the two test files: badtcp.argus has only the one record
in it and does correctly on either version badtcp2.argus has the record before
it and will print incorrectly on ra3 (compared to badtcp.argus) because the 
dest values from the previous record are still there and not removed. 

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

Re: argus-clients-3.0.0.rc.20

new release candidates clients.rc.22 and argus.rc.21

compile problems with argus-client (rc.22)

Hi ya,

get the following error

[...]
./argus_util.c: In function `ArgusNtoH':
./argus_util.c:10902: error: structure has no member named `status'
./argus_util.c:10902: error: structure has no member named `status'
./argus_util.c:10905: error: structure has no member named `status'
./argus_util.c:10905: error: structure has no member named `status'
./argus_util.c: In function `ArgusHtoN':
./argus_util.c:11305: error: structure has no member named `status'
./argus_util.c:11305: error: structure has no member named `status'
./argus_util.c:11308: error: structure has no member named `status'
./argus_util.c:11308: error: structure has no member named `status'
*** Error code 1

Stop in /tmp/argus-clients-3.0.0.rc.22/common.
[...]

My knowledge of C is not that great, so I couldn't figure out what the  
problem was.

Regards,

Robin Gruyters
Network and Security Engineer
Yirdis B.V.
I: http://yirdis.com
P: +31 (0)36 5300394
F: +31 (0)36 5489119

Re: compile problems with argus-client (rc.22)

Try again, I just uploaded new code to fix something that slipped  
through.
Sorry about that!!!

Carter

On Aug 1, 2006, at 3:10 AM, Robin Gruyters wrote:

> Hi ya,
>
> get the following error
>
> [...]
> ./argus_util.c: In function `ArgusNtoH':
> ./argus_util.c:10902: error: structure has no member named `status'
> ./argus_util.c:10902: error: structure has no member named `status'
> ./argus_util.c:10905: error: structure has no member named `status'
> ./argus_util.c:10905: error: structure has no member named `status'
> ./argus_util.c: In function `ArgusHtoN':
> ./argus_util.c:11305: error: structure has no member named `status'
> ./argus_util.c:11305: error: structure has no member named `status'
> ./argus_util.c:11308: error: structure has no member named `status'
> ./argus_util.c:11308: error: structure has no member named `status'
> *** Error code 1
>
> Stop in /tmp/argus-clients-3.0.0.rc.22/common.
> [...]
>
> My knowledge of C is not that great, so I couldn't figure out what  
> the problem was.
>
> Regards,
>
> Robin Gruyters
> Network and Security Engineer
> Yirdis B.V.
> I: http://yirdis.com
> P: +31 (0)36 5300394
> F: +31 (0)36 5489119
>

Re: argus-clients-3.0.0.rc.20

On Tue, Aug 01, 2006 at 02:35:22AM -0400, Carter Bullard wrote:
> Hey Peter,
> The parser->ArgusConvBuffer is used to build a TLV structure, and  
> ArgusGenerateRecordStruct
> parses the TLV and generates the argus record.  The ArgusConvBuffer  
> can have any amount of
> garbage in it, and not cause a problem, as long as the TLV is being  
> generated properly.
> By zeroing out the appropriate values in the  
> ArgusGenerateRecordStruct routine buffer,
> all the values should be initialized to zero, each time.
> 
> So this is the output that my ra() generates for the two files you  
> attached on a big endian machine.
> 
> ../bin/ra -r ~/Desktop/badtcp.argus -s +sipid +dipid -n
>         StartTime            Flgs   Proto      SrcAddr         
> Sport   Dir      DstAddr        Dport  SrcPkts  DstPkts      
> SrcBytes     DstBytes State   sIpId   dIpId
> 06/06/27 14:20:28.835259  v          tcp       
> 142.58.64.150.4074      ?>     216.239.57.104.80           24         
> 0         5227            0   FIN  0xa4ef
> 06/06/27 14:21:15.514446  v          tcp      
> 216.239.57.104.80        ?>      142.58.64.150.4074         13         
> 0         6178            0   FIN  0x7972
> 
> 
> ../bin/ra -r ~/Desktop/badtcp2.argus -s +sipid +dipid -n
>         StartTime            Flgs   Proto      SrcAddr         
> Sport   Dir      DstAddr        Dport  SrcPkts  DstPkts      
> SrcBytes     DstBytes State   sIpId   dIpId
> 06/06/27 14:20:28.834986  v          udp      142.58.250.27.2049      
> <->     142.58.249.237.800       20760    19989      4521068       
> 3178714   CON          0x0000
> 06/06/27 14:20:28.835259  v          tcp       
> 142.58.64.150.4074      ?>     216.239.57.104.80           24         
> 0         5227            0   FIN  0xa4ef
> 06/06/27 14:20:30.103319  v          udp     142.58.249.237.800       
> <->      142.58.250.27.2049      19976    20746      3176652       
> 4518840   CON          0xb9c4
> 06/06/27 14:21:15.514446  v          tcp      
> 216.239.57.104.80        ?>      142.58.64.150.4074         13         
> 0         6178            0   FIN  0x7972
> 
> 
> And here are the to files on a little endian machine:
> ../bin/ra -r /tmp/badtcp.argus -s +sipid +dipid -n
>         StartTime            Flgs   Proto      SrcAddr         
> Sport   Dir      DstAddr        Dport  SrcPkts  DstPkts      
> SrcBytes     DstBytes State   sIpId   dIpId
> 06/06/27 14:20:28.835259  v          tcp       
> 142.58.64.150.4074      ?>     216.239.57.104.80           24         
> 0         5227            0   FIN  0xa4ef
> 06/06/27 14:21:15.514446  v          tcp      
> 216.239.57.104.80        ?>      142.58.64.150.4074         13         
> 0         6178            0   FIN  0x7972
> 
> ../bin/ra -r /tmp/badtcp2.argus -s +sipid +dipid -n
>         StartTime            Flgs   Proto      SrcAddr         
> Sport   Dir      DstAddr        Dport  SrcPkts  DstPkts      
> SrcBytes     DstBytes State   sIpId   dIpId
> 06/06/27 14:20:28.834986  v          udp      142.58.250.27.2049      
> <->     142.58.249.237.800       20760    19989      4521068       
> 3178714   CON          0x0000
> 06/06/27 14:20:28.835259  v          tcp       
> 142.58.64.150.4074      ?>     216.239.57.104.80           24         
> 0         5227            0   FIN  0xa4ef
> 06/06/27 14:20:30.103319  v          udp     142.58.249.237.800       
> <->      142.58.250.27.2049      19976    20746      3176652       
> 4518840   CON          0xb9c4
> 06/06/27 14:21:15.514446  v          tcp      
> 216.239.57.104.80        ?>      142.58.64.150.4074         13         
> 0         6178            0   FIN  0x7972
> 
> 
> one thing puzzles me.  why are your flows unidirectional?  shouldn't  
> these be tallied
> as bidirectional flows?
> 
> Do you see a problem with the new ra output above (at least for ipid?).
> 
> Carter
>

	My bad for not providing enough details. While I'll try rc.21 in a 
while, I think this may not fix this problem. What is happening is the 
conversion buffer doesn't get cleared, and if there aren't any dst packets
(as in this case) but were dest packets in the last record, the count in the
dsr doesn't get cleared and the dst ttl, tos and ipid values get printed
when they shouldn't be (because there are no dst packets in this case):
	In this case ra3 is without the bzero of the buffer and ra3.new is 
with the bzero:

	here the first record correctly omits the dst tos, ttl and ipid fields
because there are not dest packets (this flow is single arm routed back on 
to the same network which is why the flow doesn't combine I expect, the MACs 
are different): 

%cd /var/log/argus
%ra3 -Fra3.conf.full -r
badtcp.argus
StartTime,LastTime,Trans,Dur,AvgDur,SrcAddr,DstAddr,Proto,Sport,Dport,sTos,dTos,sTtl,dTtl,SrcBytes,DstBytes,SAppBytes,DAppBytes,SrcPkts,DstPkts,Src_bps,Dst_bps,Src_pps,Dst_pps,SrcLoss,DstLoss,SrcId,Flgs,SrcMac,DstMac,Dir,SrcJitter,DstJitter,State,srcUdata,dstUdata,SrcWin,DstWin,Seq,sMpls,dMpls,sVlan,dVlan,sIpId,dIpId
1151432428.835259,1151432550.587752,1,121.752493,121.752495,142.58.64.150,216.239.57.104,tcp,4074,80,0,,128,,5227,0,3835,0,24,0,343.451,0.000,0.197,0.000,0,0,229.97.122.203,
v       ,0:13:ce:6:e2:bf,0:11:88:5:5d:1d,?>,,16163523.00,FIN,s[16]="GET
/pagead/imga",,17520,0,8695,,,0x0286,,0xa4ef,
1151432475.514446,1151432550.585041,1,75.070595,75.070595,216.239.57.104,142.58.64.150,tcp,80,4074,0,,255,,6178,0,5424,0,13,0,658.367,0.000,0.173,0.000,0,0,229.97.122.203,
v       ,0:11:88:5:5d:1d,0:13:ce:6:e2:bf,?>,,3601074.00,FIN,s[16]="HTTP/1.1 200 OK.",,8190,0,23380,,,0x0286,,0x7972,

	In this case there is a packet with both source and dest packets 
preceding the packet above. Because the conversion buffer wasn't cleared it
still has src and dst counts in the dsr and thus prints dst ttl tos and ipid
even though there aren't any dest packets. It gets the counts correctly from 
somewhere else in the record though so it does know there aren't any dst 
packets and the perl script flags the change in dst fields as wrong. 

%ra3 -Fra3.conf.full -r
badtcp2.argus
StartTime,LastTime,Trans,Dur,AvgDur,SrcAddr,DstAddr,Proto,Sport,Dport,sTos,dTos,sTtl,dTtl,SrcBytes,DstBytes,SAppBytes,DAppBytes,SrcPkts,DstPkts,Src_bps,Dst_bps,Src_pps,Dst_pps,SrcLoss,DstLoss,SrcId,Flgs,SrcMac,DstMac,Dir,SrcJitter,DstJitter,State,srcUdata,dstUdata,SrcWin,DstWin,Seq,sMpls,dMpls,sVlan,dVlan,sIpId,dIpId
1151432428.834986,1151433529.662031,1,1100.827045,1100.827026,142.58.250.27,142.58.249.237,udp,2049,800,0,0,64,64,4521068,3178714,2499724,2259220,20760,19989,32855.793,23100.553,18.859,18.158,0,0,229.97.122.203,
v      
,0:2:b3:d8:98:6e,0:11:88:5:5d:1d,<->,,,CON,s[16]="fx..............",d[16]="gx..............",,,14,,,0x8200,0x8200,0x0000,0x0000
1151432428.835259,1151432550.587752,1,121.752493,121.752495,142.58.64.150,216.239.57.104,tcp,4074,80,0,0,128,64,5227,0,3835,0,24,0,343.451,0.000,0.197,0.000,0,0,229.97.122.203,
v       ,0:13:ce:6:e2:bf,0:11:88:5:5d:1d,?>,,16163523.00,FIN,s[16]="GET
/pagead/imga",,17520,0,8695,,,0x0286,,0xa4ef,0x0000
1151432430.103319,1151433529.662021,1,1099.558702,1099.558716,142.58.249.237,142.58.250.27,udp,800,2049,0,0,63,63,3176652,4518840,2257756,2498140,19976,20746,23112.195,32877.480,18.167,18.868,0,0,229.97.122.203,
v      
,0:11:88:5:5d:1d,0:2:b3:d8:98:6e,<->,,,CON,s[16]="px..............",d[16]="px..............",,,1,,,0x8200,0x8200,0xb9c4,0xb9c4
1151432475.514446,1151432550.585041,1,75.070595,75.070595,216.239.57.104,142.58.64.150,tcp,80,4074,0,0,255,63,6178,0,5424,0,13,0,658.367,0.000,0.173,0.000,0,0,229.97.122.203,
v       ,0:11:88:5:5d:1d,0:13:ce:6:e2:bf,?>,,3601074.00,FIN,s[16]="HTTP/1.1 200 OK.",,8190,0,23380,,,0x0286,,0x7972,0xb9c4

	With the buffer cleared (which may well be overkill, only parts of it
need to be done) both cases work correctly. I chose to clear the whole buffer
to make sure there weren't any less obvious cases that were going to bite us. 

%ra3.new -Fra3.conf.full -r
badtcp2.argus
StartTime,LastTime,Trans,Dur,AvgDur,SrcAddr,DstAddr,Proto,Sport,Dport,sTos,dTos,sTtl,dTtl,SrcBytes,DstBytes,SAppBytes,DAppBytes,SrcPkts,DstPkts,Src_bps,Dst_bps,Src_pps,Dst_pps,SrcLoss,DstLoss,SrcId,Flgs,SrcMac,DstMac,Dir,SrcJitter,DstJitter,State,srcUdata,dstUdata,SrcWin,DstWin,Seq,sMpls,dMpls,sVlan,dVlan,sIpId,dIpId
1151432428.834986,1151433529.662031,1,1100.827045,1100.827026,142.58.250.27,142.58.249.237,udp,2049,800,0,0,64,64,4521068,3178714,2499724,2259220,20760,19989,32855.793,23100.553,18.859,18.158,0,0,229.97.122.203,
v      
,0:2:b3:d8:98:6e,0:11:88:5:5d:1d,<->,,,CON,s[16]="fx..............",d[16]="gx..............",,,14,,,0x8200,0x8200,0x0000,0x0000
1151432428.835259,1151432550.587752,1,121.752493,121.752495,142.58.64.150,216.239.57.104,tcp,4074,80,0,,128,,5227,0,3835,0,24,0,343.451,0.000,0.197,0.000,0,0,229.97.122.203,
v       ,0:13:ce:6:e2:bf,0:11:88:5:5d:1d,?>,,16163523.00,FIN,s[16]="GET
/pagead/imga",,17520,0,8695,,,0x0286,,0xa4ef,
1151432430.103319,1151433529.662021,1,1099.558702,1099.558716,142.58.249.237,142.58.250.27,udp,800,2049,0,0,63,63,3176652,4518840,2257756,2498140,19976,20746,23112.195,32877.480,18.167,18.868,0,0,229.97.122.203,
v      
,0:11:88:5:5d:1d,0:2:b3:d8:98:6e,<->,,,CON,s[16]="px..............",d[16]="px..............",,,1,,,0x8200,0x8200,0xb9c4,0xb9c4
1151432475.514446,1151432550.585041,1,75.070595,75.070595,216.239.57.104,142.58.64.150,tcp,80,4074,0,,255,,6178,0,5424,0,13,0,658.367,0.000,0.173,0.000,0,0,229.97.122.203,
v       ,0:11:88:5:5d:1d,0:13:ce:6:e2:bf,?>,,3601074.00,FIN,s[16]="HTTP/1.1 200 OK.",,8190,0,23380,,,0x0286,,0x7972,

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

Re: argus-clients-3.0.0.rc.21

	Well rc.21 indeed fixes the tos problem:

%ra3 -Fra3.conf.full -r
badtcp2.argus
StartTime,LastTime,Trans,Dur,AvgDur,SrcAddr,DstAddr,Proto,Sport,Dport,sTos,dTos,sTtl,dTtl,SrcBytes,DstBytes,SAppBytes,DAppBytes,SrcPkts,DstPkts,Src_bps,Dst_bps,Src_pps,Dst_pps,SrcLoss,DstLoss,SrcId,Flgs,SrcMac,DstMac,Dir,SrcJitter,DstJitter,State,srcUdata,dstUdata,SrcWin,DstWin,Seq,sMpls,dMpls,sVlan,dVlan,sIpId,dIpId
1151432428.834986,1151433529.662031,1,1100.827045,1100.827026,142.58.250.27,142.58.249.237,udp,2049,800,,0,,64,4521068,3178714,2499724,2259220,20760,19989,32855.793,23100.553,18.859,18.158,0,0,229.97.122.203,
v      
,0:2:b3:d8:98:6e,0:11:88:5:5d:1d,<->,,,CON,s[16]="fx..............",d[16]="gx..............",,,14,,,0x8200,0x8200,,0x0000
1151432428.835259,1151432550.587752,1,121.752493,121.752495,142.58.64.150,216.239.57.104,tcp,4074,80,0,,128,,5227,0,3835,0,24,0,343.451,0.000,0.197,0.000,0,0,229.97.122.203,
v       ,0:13:ce:6:e2:bf,0:11:88:5:5d:1d,?>,,16163523.00,FIN,s[16]="GET
/pagead/imga",,17520,0,8695,,,0x0286,,0xa4ef,
1151432430.103319,1151433529.662021,1,1099.558702,1099.558716,142.58.249.237,142.58.250.27,udp,800,2049,,0,,63,3176652,4518840,2257756,2498140,19976,20746,23112.195,32877.480,18.167,18.868,0,0,229.97.122.203,
v       ,0:11:88:5:5d:1d,0:2:b3:d8:98:6e,<->,,,CON,s[16]="px..............",d[16]="px..............",,,1,,,0x8200,0x8200,,0xb9c4

	but it still seems to have other problems (possibly related to the 
same thing, I don't know yet). In this case it is omitting ttl and tos when
it shouldn't be it looks like:

line: 7 fields in error: sttl,dir,stos,
1151432428.834980,1151432968.849102,1,540.014122,540.014122,142.58.206.16,142.58
.202.108,tcp,524,1434,0,0,128,128,4270036130,91141044,4095125356,4541942,3015703
,1493083,63258140.20,1350202.38,5584.49,2764.90,0.0007,0.0000,3848370891,qs,0:f:
1f:f8:c4:c1,0:11:88:5:5d:1d,?>,1278.000000,3716.553425,CON,s[16]=".Y....&!..:KLJ
j(",d[16]="DmdT...1........",21344,17520,8541,,,0x80ce,0x80ca,0xfee9
1151432428.834980,1151432968.849102,1,540.014122,540.014099,142.58.206.16,142.58
.202.108,tcp,524,1434,,0,,128,4270036130,91141044,4095125356,4541942,3015703,149
3083,63258144.000,1350202.375,5584.489,2764.896,0,0,229.97.122.203, vs      ,0:f
:1f:f8:c4:c1,0:11:88:5:5d:1d,<?>,1278.000000,3716.47,CON,s[16]=".Y....&!..:KLJj(
",d[16]="DmdT...1........",21344,17520,8541,,,0x80ce,0x80ca,,0xfee9

	This is the first few error records with ra3.new (with the bzero of 
the entire buffer):

%./ra_test.pl rs178.2.argus | more
sport 255 gbl
dport 255 gbl

line: 4 fields in error: dport,sport,
1151432428.829164,1151432428.829164,1,0.000000,0.000000,0:4:0:87:f5:6,ff:ff:ff:f
f:ff:ff,llc,255,255,,,,,114,0,96,0,1,0,0.00,0.00,inf,0.00,0.0000,0.0000,38483708
91,q,0:4:0:87:f5:6,ff:ff:ff:ff:ff:ff,->,,,INT,s[16]="...`............",,,,8676,,
,0x8200,,
1151432428.829164,1151432428.829164,1,0.000000,0.000000,0:4:0:87:f5:6,ff:ff:ff:f
f:ff:ff,llc,gbl,gbl,,,,,114,0,96,0,1,0,0.000,0.000,0.000,0.000,0,0,229.97.122.20
3, v       ,0:4:0:87:f5:6,ff:ff:ff:ff:ff:ff,->,,,INT,s[16]="...`............",,,
,8676,,,0x8200,,,

line: 7 fields in error: dir,
1151432428.834980,1151432968.849102,1,540.014122,540.014122,142.58.206.16,142.58
.202.108,tcp,524,1434,0,0,128,128,4270036130,91141044,4095125356,4541942,3015703
,1493083,63258140.20,1350202.38,5584.49,2764.90,0.0007,0.0000,3848370891,qs,0:f:
1f:f8:c4:c1,0:11:88:5:5d:1d,?>,1278.000000,3716.553425,CON,s[16]=".Y....&!..:KLJ
j(",d[16]="DmdT...1........",21344,17520,8541,,,0x80ce,0x80ca,0xfee9
1151432428.834980,1151432968.849102,1,540.014122,540.014099,142.58.206.16,142.58
.202.108,tcp,524,1434,0,0,128,128,4270036130,91141044,4095125356,4541942,3015703
,1493083,63258144.000,1350202.375,5584.489,2764.896,0,0,229.97.122.203, vs      
,0:f:1f:f8:c4:c1,0:11:88:5:5d:1d,<?>,1278.000000,3716.47,CON,s[16]=".Y....&!..:K
LJj(",d[16]="DmdT...1........",21344,17520,8541,,,0x80ce,0x80ca,0xfee9,0xfee9

sloss 139.0000 0 

line: 15 fields in error: proto,sloss,
1151432428.835508,1151432946.117999,1,517.282491,517.282491,142.58.205.8,24.85.1
38.30,rtp,16386,41238,0,0,64,0,2500442,0,1317184,0,25723,0,38670.43,0.00,49.73,0
.00,139.0000,0.0000,3848370891,q,0:16:cb:85:6b:be,0:11:88:5:5d:1d,->,16300.00000
0,,INT,s[16]="......w..0......",,,,8551,,,0x0200,,0x82df
1151432428.835508,1151432946.117999,1,517.282491,517.282471,142.58.205.8,24.85.1
38.30,udp,16386,41238,0,,64,,2500442,0,1317184,0,25723,0,38670.430,0.000,49.727,
0.000,0,0,229.97.122.203, v       ,0:16:cb:85:6b:be,0:11:88:5:5d:1d,->,16300.000
000,,INT,s[16]="......w..0......",,,,8551,,,0x0200,,0x82df,

	this is the same thing with ra3 from rc.21:

./ra_test.pl rs178.2.argus | more
sport 255 gbl
dport 255 gbl

line: 4 fields in error: dport,sport,
1151432428.829164,1151432428.829164,1,0.000000,0.000000,0:4:0:87:f5:6,ff:ff:ff:f
f:ff:ff,llc,255,255,,,,,114,0,96,0,1,0,0.00,0.00,inf,0.00,0.0000,0.0000,38483708
91,q,0:4:0:87:f5:6,ff:ff:ff:ff:ff:ff,->,,,INT,s[16]="...`............",,,,8676,,
,0x8200,,
1151432428.829164,1151432428.829164,1,0.000000,0.000000,0:4:0:87:f5:6,ff:ff:ff:f
f:ff:ff,llc,gbl,gbl,,,,,114,0,96,0,1,0,0.000,0.000,0.000,0.000,0,0,229.97.122.20
3, v       ,0:4:0:87:f5:6,ff:ff:ff:ff:ff:ff,->,,,INT,s[16]="...`............",,,
,8676,,,0x8200,,,

line: 7 fields in error: sttl,dir,stos,
1151432428.834980,1151432968.849102,1,540.014122,540.014122,142.58.206.16,142.58
.202.108,tcp,524,1434,0,0,128,128,4270036130,91141044,4095125356,4541942,3015703
,1493083,63258140.20,1350202.38,5584.49,2764.90,0.0007,0.0000,3848370891,qs,0:f:
1f:f8:c4:c1,0:11:88:5:5d:1d,?>,1278.000000,3716.553425,CON,s[16]=".Y....&!..:KLJ
j(",d[16]="DmdT...1........",21344,17520,8541,,,0x80ce,0x80ca,0xfee9
1151432428.834980,1151432968.849102,1,540.014122,540.014099,142.58.206.16,142.58
.202.108,tcp,524,1434,,0,,128,4270036130,91141044,4095125356,4541942,3015703,149
3083,63258144.000,1350202.375,5584.489,2764.896,0,0,229.97.122.203, vs      ,0:f
:1f:f8:c4:c1,0:11:88:5:5d:1d,<?>,1278.000000,3716.47,CON,s[16]=".Y....&!..:KLJj(
",d[16]="DmdT...1........",21344,17520,8541,,,0x80ce,0x80ca,,0xfee9

line: 8 fields in error: sttl,stos,
1151432428.834986,1151433529.662031,1,1100.827045,1100.827045,142.58.250.27,142.
58.249.237,udp,2049,800,0,0,64,64,4521068,3178714,2499724,2259220,20760,19989,32
855.79,23100.55,18.86,18.16,0.0000,0.0000,3848370891,q,0:2:b3:d8:98:6e,0:11:88:5
:5d:1d,<->,,,CON,s[16]="fx..............",d[16]="gx..............",,,14,,,0x8200
,0x8200,0x0000
1151432428.834986,1151433529.662031,1,1100.827045,1100.827026,142.58.250.27,142.
58.249.237,udp,2049,800,,0,,64,4521068,3178714,2499724,2259220,20760,19989,32855
.793,23100.553,18.859,18.158,0,0,229.97.122.203, v       ,0:2:b3:d8:98:6e,0:11:8
8:5:5d:1d,<->,,,CON,s[16]="fx..............",d[16]="gx..............",,,14,,,0x8
200,0x8200,,0x0000

sloss 139.0000 0 

line: 15 fields in error: proto,sloss,
1151432428.835508,1151432946.117999,1,517.282491,517.282491,142.58.205.8,24.85.1
38.30,rtp,16386,41238,0,0,64,0,2500442,0,1317184,0,25723,0,38670.43,0.00,49.73,0
.00,139.0000,0.0000,3848370891,q,0:16:cb:85:6b:be,0:11:88:5:5d:1d,->,16300.00000
0,,INT,s[16]="......w..0......",,,,8551,,,0x0200,,0x82df
1151432428.835508,1151432946.117999,1,517.282491,517.282471,142.58.205.8,24.85.1
38.30,udp,16386,41238,0,,64,,2500442,0,1317184,0,25723,0,38670.430,0.000,49.727,
0.000,0,0,229.97.122.203, v       ,0:16:cb:85:6b:be,0:11:88:5:5d:1d,->,16300.000
000,,INT,s[16]="......w..0......",,,,8551,,,0x0200,,0x82df,

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

Re: argus-clients-3.0.0.rc.21

The missing labels and possibly data is the side effect of me trying  
to solve
another problem, so I have broken somethings that need to be fixed,  
hopefully
quickly.   I tried to remove the sprintf(&buf[strlen(buf)],   
references, which
were causing other problems, like bad performance, and I need to fix  
them.

If you could tell me what fields are missing from your complete list,  
I'll try
to get a new version out tonight.

Carter

On Aug 1, 2006, at 11:44 AM, Peter Van Epp wrote:

> 	Well rc.21 indeed fixes the tos problem:
>
> %ra3 -Fra3.conf.full -r badtcp2.argus
> StartTime,LastTime,Trans,Dur,AvgDur,SrcAddr,DstAddr,Proto,Sport,Dport, 
> sTos,dTos,sTtl,dTtl,SrcBytes,DstBytes,SAppBytes,DAppBytes,SrcPkts,DstP 
> kts,Src_bps,Dst_bps,Src_pps,Dst_pps,SrcLoss,DstLoss,SrcId,Flgs,SrcMac, 
> DstMac,Dir,SrcJitter,DstJitter,State,srcUdata,dstUdata,SrcWin,DstWin,S 
> eq,sMpls,dMpls,sVlan,dVlan,sIpId,dIpId
> 1151432428.834986,1151433529.662031,1,1100.827045,1100.827026,142.58.2 
> 50.27,142.58.249.237,udp, 
> 2049,800,,0,,64,4521068,3178714,2499724,2259220,20760,19989,32855.793, 
> 23100.553,18.859,18.158,0,0,229.97.122.203, v       , 
> 0:2:b3:d8:98:6e,0:11:88:5:5d:1d,<->,,,CON,s[16]="fx..............",d 
> [16]="gx..............",,,14,,,0x8200,0x8200,,0x0000
> 1151432428.835259,1151432550.587752,1,121.752493,121.752495,142.58.64. 
> 150,216.239.57.104,tcp, 
> 4074,80,0,,128,,5227,0,3835,0,24,0,343.451,0.000,0.197,0.000,0,0,229.9 
> 7.122.203, v       ,0:13:ce:6:e2:bf,0:11:88:5:5d:1d,?>,, 
> 16163523.00,FIN,s[16]="GET /pagead/imga",, 
> 17520,0,8695,,,0x0286,,0xa4ef,
> 1151432430.103319,1151433529.662021,1,1099.558702,1099.558716,142.58.2 
> 49.237,142.58.250.27,udp, 
> 800,2049,,0,,63,3176652,4518840,2257756,2498140,19976,20746,23112.195, 
> 32877.480,18.167,18.868,0,0,229.97.122.203, v       ,0:11:88:5:5d: 
> 1d,0:2:b3:d8:98:6e,<->,,,CON,s[16]="px..............",d[16] 
> ="px..............",,,1,,,0x8200,0x8200,,0xb9c4
>
> 	but it still seems to have other problems (possibly related to the
> same thing, I don't know yet). In this case it is omitting ttl and  
> tos when
> it shouldn't be it looks like:
>
> line: 7 fields in error: sttl,dir,stos,
> 1151432428.834980,1151432968.849102,1,540.014122,540.014122,142.58.206 
> .16,142.58
> .202.108,tcp, 
> 524,1434,0,0,128,128,4270036130,91141044,4095125356,4541942,3015703
> , 
> 1493083,63258140.20,1350202.38,5584.49,2764.90,0.0007,0.0000,384837089 
> 1,qs,0:f:
> 1f:f8:c4:c1,0:11:88:5:5d:1d,?>,1278.000000,3716.553425,CON,s[16] 
> =".Y....&!..:KLJ
> j(",d[16]="DmdT...1........",21344,17520,8541,,,0x80ce,0x80ca,0xfee9
> 1151432428.834980,1151432968.849102,1,540.014122,540.014099,142.58.206 
> .16,142.58
> .202.108,tcp, 
> 524,1434,,0,,128,4270036130,91141044,4095125356,4541942,3015703,149
> 3083,63258144.000,1350202.375,5584.489,2764.896,0,0,229.97.122.203,  
> vs      ,0:f
> :1f:f8:c4:c1,0:11:88:5:5d:1d,<?>,1278.000000,3716.47,CON,s[16] 
> =".Y....&!..:KLJj(
> ",d[16]="DmdT...1........",21344,17520,8541,,,0x80ce,0x80ca,,0xfee9
>
> 	This is the first few error records with ra3.new (with the bzero of
> the entire buffer):
>
> %./ra_test.pl rs178.2.argus | more
> sport 255 gbl
> dport 255 gbl
>
> line: 4 fields in error: dport,sport,
> 1151432428.829164,1151432428.829164,1,0.000000,0.000000,0:4:0:87:f5:6, 
> ff:ff:ff:f
> f:ff:ff,llc,255,255,,,,,114,0,96,0,1,0,0.00,0.00,inf, 
> 0.00,0.0000,0.0000,38483708
> 91,q,0:4:0:87:f5:6,ff:ff:ff:ff:ff:ff,->,,,INT,s[16] 
> ="...`............",,,,8676,,
> ,0x8200,,
> 1151432428.829164,1151432428.829164,1,0.000000,0.000000,0:4:0:87:f5:6, 
> ff:ff:ff:f
> f:ff:ff,llc,gbl,gbl,,,,, 
> 114,0,96,0,1,0,0.000,0.000,0.000,0.000,0,0,229.97.122.20
> 3, v       ,0:4:0:87:f5:6,ff:ff:ff:ff:ff:ff,->,,,INT,s[16] 
> ="...`............",,,
> ,8676,,,0x8200,,,
>
>
> line: 7 fields in error: dir,
> 1151432428.834980,1151432968.849102,1,540.014122,540.014122,142.58.206 
> .16,142.58
> .202.108,tcp, 
> 524,1434,0,0,128,128,4270036130,91141044,4095125356,4541942,3015703
> , 
> 1493083,63258140.20,1350202.38,5584.49,2764.90,0.0007,0.0000,384837089 
> 1,qs,0:f:
> 1f:f8:c4:c1,0:11:88:5:5d:1d,?>,1278.000000,3716.553425,CON,s[16] 
> =".Y....&!..:KLJ
> j(",d[16]="DmdT...1........",21344,17520,8541,,,0x80ce,0x80ca,0xfee9
> 1151432428.834980,1151432968.849102,1,540.014122,540.014099,142.58.206 
> .16,142.58
> .202.108,tcp, 
> 524,1434,0,0,128,128,4270036130,91141044,4095125356,4541942,3015703
> , 
> 1493083,63258144.000,1350202.375,5584.489,2764.896,0,0,229.97.122.203, 
>  vs
> ,0:f:1f:f8:c4:c1,0:11:88:5:5d:1d,<?>,1278.000000,3716.47,CON,s[16] 
> =".Y....&!..:K
> LJj(",d[16]="DmdT...1........",21344,17520,8541,,,0x80ce,0x80ca, 
> 0xfee9,0xfee9
>
> sloss 139.0000 0
>
> line: 15 fields in error: proto,sloss,
> 1151432428.835508,1151432946.117999,1,517.282491,517.282491,142.58.205 
> .8,24.85.1
> 38.30,rtp, 
> 16386,41238,0,0,64,0,2500442,0,1317184,0,25723,0,38670.43,0.00,49.73,0
> .00,139.0000,0.0000,3848370891,q,0:16:cb:85:6b:be,0:11:88:5:5d:1d,- 
> >,16300.00000
> 0,,INT,s[16]="......w..0......",,,,8551,,,0x0200,,0x82df
> 1151432428.835508,1151432946.117999,1,517.282491,517.282471,142.58.205 
> .8,24.85.1
> 38.30,udp, 
> 16386,41238,0,,64,,2500442,0,1317184,0,25723,0,38670.430,0.000,49.727,
> 0.000,0,0,229.97.122.203, v       ,0:16:cb:85:6b:be,0:11:88:5:5d: 
> 1d,->,16300.000
> 000,,INT,s[16]="......w..0......",,,,8551,,,0x0200,,0x82df,
>
> 	this is the same thing with ra3 from rc.21:
>
> ./ra_test.pl rs178.2.argus | more
> sport 255 gbl
> dport 255 gbl
>
> line: 4 fields in error: dport,sport,
> 1151432428.829164,1151432428.829164,1,0.000000,0.000000,0:4:0:87:f5:6, 
> ff:ff:ff:f
> f:ff:ff,llc,255,255,,,,,114,0,96,0,1,0,0.00,0.00,inf, 
> 0.00,0.0000,0.0000,38483708
> 91,q,0:4:0:87:f5:6,ff:ff:ff:ff:ff:ff,->,,,INT,s[16] 
> ="...`............",,,,8676,,
> ,0x8200,,
> 1151432428.829164,1151432428.829164,1,0.000000,0.000000,0:4:0:87:f5:6, 
> ff:ff:ff:f
> f:ff:ff,llc,gbl,gbl,,,,, 
> 114,0,96,0,1,0,0.000,0.000,0.000,0.000,0,0,229.97.122.20
> 3, v       ,0:4:0:87:f5:6,ff:ff:ff:ff:ff:ff,->,,,INT,s[16] 
> ="...`............",,,
> ,8676,,,0x8200,,,
>
>
> line: 7 fields in error: sttl,dir,stos,
> 1151432428.834980,1151432968.849102,1,540.014122,540.014122,142.58.206 
> .16,142.58
> .202.108,tcp, 
> 524,1434,0,0,128,128,4270036130,91141044,4095125356,4541942,3015703
> , 
> 1493083,63258140.20,1350202.38,5584.49,2764.90,0.0007,0.0000,384837089 
> 1,qs,0:f:
> 1f:f8:c4:c1,0:11:88:5:5d:1d,?>,1278.000000,3716.553425,CON,s[16] 
> =".Y....&!..:KLJ
> j(",d[16]="DmdT...1........",21344,17520,8541,,,0x80ce,0x80ca,0xfee9
> 1151432428.834980,1151432968.849102,1,540.014122,540.014099,142.58.206 
> .16,142.58
> .202.108,tcp, 
> 524,1434,,0,,128,4270036130,91141044,4095125356,4541942,3015703,149
> 3083,63258144.000,1350202.375,5584.489,2764.896,0,0,229.97.122.203,  
> vs      ,0:f
> :1f:f8:c4:c1,0:11:88:5:5d:1d,<?>,1278.000000,3716.47,CON,s[16] 
> =".Y....&!..:KLJj(
> ",d[16]="DmdT...1........",21344,17520,8541,,,0x80ce,0x80ca,,0xfee9
>
>
> line: 8 fields in error: sttl,stos,
> 1151432428.834986,1151433529.662031,1,1100.827045,1100.827045,142.58.2 
> 50.27,142.
> 58.249.237,udp, 
> 2049,800,0,0,64,64,4521068,3178714,2499724,2259220,20760,19989,32
> 855.79,23100.55,18.86,18.16,0.0000,0.0000,3848370891,q, 
> 0:2:b3:d8:98:6e,0:11:88:5
> :5d:1d,<->,,,CON,s[16]="fx..............",d[16] 
> ="gx..............",,,14,,,0x8200
> ,0x8200,0x0000
> 1151432428.834986,1151433529.662031,1,1100.827045,1100.827026,142.58.2 
> 50.27,142.
> 58.249.237,udp, 
> 2049,800,,0,,64,4521068,3178714,2499724,2259220,20760,19989,32855
> .793,23100.553,18.859,18.158,0,0,229.97.122.203, v       , 
> 0:2:b3:d8:98:6e,0:11:8
> 8:5:5d:1d,<->,,,CON,s[16]="fx..............",d[16] 
> ="gx..............",,,14,,,0x8
> 200,0x8200,,0x0000
>
> sloss 139.0000 0
>
> line: 15 fields in error: proto,sloss,
> 1151432428.835508,1151432946.117999,1,517.282491,517.282491,142.58.205 
> .8,24.85.1
> 38.30,rtp, 
> 16386,41238,0,0,64,0,2500442,0,1317184,0,25723,0,38670.43,0.00,49.73,0
> .00,139.0000,0.0000,3848370891,q,0:16:cb:85:6b:be,0:11:88:5:5d:1d,- 
> >,16300.00000
> 0,,INT,s[16]="......w..0......",,,,8551,,,0x0200,,0x82df
> 1151432428.835508,1151432946.117999,1,517.282491,517.282471,142.58.205 
> .8,24.85.1
> 38.30,udp, 
> 16386,41238,0,,64,,2500442,0,1317184,0,25723,0,38670.430,0.000,49.727,
> 0.000,0,0,229.97.122.203, v       ,0:16:cb:85:6b:be,0:11:88:5:5d: 
> 1d,->,16300.000
> 000,,INT,s[16]="......w..0......",,,,8551,,,0x0200,,0x82df,
>
> Peter Van Epp / Operations and Technical Support
> Simon Fraser University, Burnaby, B.C. Canada
>

Re: argus-clients-3.0.0.rc.21

On Tue, Aug 01, 2006 at 11:28:10PM -0400, Carter Bullard wrote:
> Hey Peter,
> So I just uploaded new argus and client rc files.
> Give em a try, should fix a few things.
> Carter
> 

	Indeed much closer   The fragmentation flag doesn't look like its
getting across correctly, esp has problems and igmp looks to still have 
problems but no more tos/ttl etc. problems so far .

sport 0
dport 0
flgs2 = F
flgs32 =

line: 63 fields in error: dport,proto,flgs,sport,
1151432428.855532,1151433529.671900,1,1100.816368,1100.816368,142.58.29.58,142.5
8.135.65,ipni,0,0,255,255,255,255,17531159,3131651,2956740,2631957,29411,12445,1
27404.78,22758.75,26.72,11.31,0.0000,0.0000,3848370891,qF,0:11:88:21:f1:80,0:11:
88:5:5d:1d,<->,28888.102963,,CON,s[16]="%...........#\..",d[16]="%.............]
.",,,8651,,,0xc087,0x027f,0x0000
1151432428.855532,1151433529.671900,1,1100.816368,1100.816406,142.58.29.58,142.5
8.135.65,ipnip,,,255,255,255,255,17531159,3131651,2956740,2631957,29411,12445,12
7404.781,22758.752,26.717,11.305,0,0,229.97.122.203, v       ,0:11:88:21:f1:80,0
:11:88:5:5d:1d,<->,28886.744474,,CON,s[16]="%...........#\..",d[16]="%..........
...].",,,8651,,,0xc087,0x027f,0x0000,0x0000

	esp too (look like bugs in both 2.0.6 and 3.0 so may be underlying 
data)

sport 0
dport 48106 2079308778

line: 203 fields in error: dport,sport,
1151432428.949492,1151433528.697986,1,1099.748494,1099.748494,142.58.213.62,208.
38.3.62,esp,0,48106,0,0,64,0,1185980,0,961248,0,5914,0,8627.28,0.00,5.38,0.00,0.
0000,0.0000,3848370891,q,0:10:db:73:dd:51,0:11:88:5:5d:1d,->,759527.000000,,INT,
s[16]="...@!.....G...K.",,,,9297,,,0x8200,,0x7bef
1151432428.949492,1151433528.697986,1,1099.748494,1099.748535,142.58.213.62,208.
38.3.62,esp,,2079308778,0,,64,,1185980,0,961248,0,5914,0,8627.281,0.000,5.378,0.
000,0,0,229.97.122.203, v       ,0:10:db:73:dd:51,0:11:88:5:5d:1d,->,759527.0000
00,,INT,s[16]="...@!.....G...K.",,,,9297,,,0x8200,,0x7bef,

	The ports look to be a 2.0.6 bug but ipid may be an endian issue.

sport 22
dport 0
state CON INT
sipid 0xd21b 0x1bd2

line: 361 fields in error: state,dport,sipid,sport,
1151432429.126443,1151432860.570563,1,431.444120,431.444120,142.58.60.61,224.0.0
.251,igmp,22,0,0,0,1,0,100,0,16,0,2,0,1.85,0.00,0.00,0.00,0.0000,0.0000,38483708
91,q,0:11:24:97:47:52,1:0:5e:0:0:fb,->,,,CON,s[8]="........",,,,8856,,,0x0280,,0
xd21b
1151432429.126443,1151432860.570563,1,431.444120,431.444122,142.58.60.61,224.0.0
.251,igmp,,,0,,1,,100,0,16,0,2,0,1.854,0.000,0.005,0.000,0,0,229.97.122.203, v
     ,0:11:24:97:47:52,1:0:5e:0:0:fb,->,,,INT,s[8]="........",,,,8856,,,0x0280,,
0x1bd2,

%./ra_test.pl rs178.2.argus | more

line: 7 fields in error: dir,
1151432428.834980,1151432968.849102,1,540.014122,540.014122,142.58.206.16,142.58
.202.108,tcp,524,1434,0,0,128,128,4270036130,91141044,4095125356,4541942,3015703
,1493083,63258140.20,1350202.38,5584.49,2764.90,0.0007,0.0000,3848370891,qs,0:f:
1f:f8:c4:c1,0:11:88:5:5d:1d,?>,1278.000000,3716.553425,CON,s[16]=".Y....&!..:KLJ
j(",d[16]="DmdT...1........",21344,17520,8541,,,0x80ce,0x80ca,0xfee9
1151432428.834980,1151432968.849102,1,540.014122,540.014099,142.58.206.16,142.58
.202.108,tcp,524,1434,0,0,128,128,4270036130,91141044,4095125356,4541942,3015703
,1493083,63258144.000,1350202.375,5584.489,2764.896,0,0,229.97.122.203, vs
,0:f:1f:f8:c4:c1,0:11:88:5:5d:1d,<?>,1278.000000,3716.47,CON,s[16]=".Y....&!..:K
LJj(",d[16]="DmdT...1........",21344,17520,8541,,,0x80ce,0x80ca,0xfee9,0xfee9

sloss 139.0000 0

line: 15 fields in error: proto,sloss,
1151432428.835508,1151432946.117999,1,517.282491,517.282491,142.58.205.8,24.85.1
38.30,rtp,16386,41238,0,0,64,0,2500442,0,1317184,0,25723,0,38670.43,0.00,49.73,0
.00,139.0000,0.0000,3848370891,q,0:16:cb:85:6b:be,0:11:88:5:5d:1d,->,16300.00000
0,,INT,s[16]="......w..0......",,,,8551,,,0x0200,,0x82df
1151432428.835508,1151432946.117999,1,517.282491,517.282471,142.58.205.8,24.85.1
38.30,udp,16386,41238,0,,64,,2500442,0,1317184,0,25723,0,38670.430,0.000,49.727,
0.000,0,0,229.97.122.203, v       ,0:16:cb:85:6b:be,0:11:88:5:5d:1d,->,16300.000
000,,INT,s[16]="......w..0......",,,,8551,,,0x0200,,0x82df,

djit 563401.875345 561892.47

line: 23 fields in error: djit,dir,
1151432428.836459,1151433529.824857,1,1100.988398,1100.988398,142.58.155.79,142.
58.167.63,tcp,1030,445,0,0,255,255,7324703,34375869,3834611,30963787,60174,58829
,53222.74,249781.88,54.65,53.43,0.0299,0.0068,3848370891,q*,0:b:db:49:f6:39,0:11
:88:5:5d:1d,?>,31.787992,563401.875345,CON,s[16]="...;.SMB........",d[16]="...<.
SMB........",17520,16766,8549,,,0x0200,0x8200,0x93ab
1151432428.836459,1151433529.824857,1,1100.988398,1100.988403,142.58.155.79,142.
58.167.63,tcp,1030,445,0,0,255,255,7324703,34375869,3834611,30963787,60174,58829
,53222.742,249781.875,54.655,53.433,0,0,229.97.122.203, v*      ,0:b:db:49:f6:39
,0:11:88:5:5d:1d,<?>,31.541513,561892.47,CON,s[16]="...;.SMB........",d[16]="...
<.SMB........",17520,16766,8549,,,0x0200,0x8200,0x93ab,0x93ab

state TIM CON

line: 31 fields in error: state,dir,
1151432428.840442,1151433509.016300,1,1080.175858,1080.175858,142.58.235.103,142
.58.103.117,tcp,1660,445,0,0,128,0,580,0,0,0,10,0,4.30,0.00,0.01,0.00,0.0000,0.0
000,3848370891,q,0:14:22:56:d6:dd,0:11:88:5:5d:1d,<?>,,,TIM,,,0,0,756,,,0x8200,,
0xbdef
1151432428.840442,1151433509.016300,1,1080.175858,1080.175903,142.58.235.103,142
.58.103.117,tcp,1660,445,0,,128,,580,0,0,0,10,0,4.296,0.000,0.009,0.000,0,0,229.
97.122.203, v       ,0:14:22:56:d6:dd,0:11:88:5:5d:1d,?>,,,CON,,,0,0,756,,,0x820
0,,0xbdef,

sport 34
dport 0
state CON INT

line: 42 fields in error: state,dport,sport,
1151432428.847329,1151432439.757887,1,10.910558,10.910558,142.58.200.252,224.0.0
.22,igmp,34,0,192,0,1,0,174,0,48,0,3,0,127.58,0.00,0.27,0.00,0.0000,0.0000,38483
70891,q,0:e0:81:20:c3:4c,1:0:5e:0:0:16,->,,,CON,s[16]=""...............",,,,8887
,,,0x0200,,0x0000
1151432428.847329,1151432439.757887,1,10.910558,10.910558,142.58.200.252,224.0.0
.22,igmp,,,192,,1,,174,0,48,0,3,0,127.583,0.000,0.275,0.000,0,0,229.97.122.203,
v       ,0:e0:81:20:c3:4c,1:0:5e:0:0:16,->,,,INT,s[16]=""...............",,,,888
7,,,0x0200,,0x0000,

line: 52 fields in error: dir,
1151432428.851530,1151433240.526740,1,811.675210,811.675210,142.58.71.99,142.58.
217.166,tcp,49152,1935,0,0,255,255,79657946,6850292,71822216,9962,111939,97719,7
85121.39,67517.57,137.91,120.39,0.0036,0.0000,3848370891,qs,0:11:24:a8:11:b2,0:1
1:88:5:5d:1d,?>,5055.000000,33915.787004,CON,s[16]="K.....h.".......",d[16]="...
...........%6",65535,34752,8586,,,0x0200,0x8288,0x8b92
1151432428.851530,1151433240.526740,1,811.675210,811.675232,142.58.71.99,142.58.
217.166,tcp,49152,1935,0,0,255,255,79657946,6850292,71822216,9962,111939,97719,7
85121.375,67517.562,137.911,120.392,0,0,229.97.122.203, vs      ,0:11:24:a8:11:b
2,0:11:88:5:5d:1d,<?>,5055.000000,33915.32,CON,s[16]="K.....h.".......",d[16]=".
.............%6",65535,34752,8586,,,0x0200,0x8288,0x8b92,0x8b92

sport 0
dport 0
flgs2 = F
flgs32 =

line: 63 fields in error: dport,proto,flgs,sport,
1151432428.855532,1151433529.671900,1,1100.816368,1100.816368,142.58.29.58,142.5
8.135.65,ipni,0,0,255,255,255,255,17531159,3131651,2956740,2631957,29411,12445,1
27404.78,22758.75,26.72,11.31,0.0000,0.0000,3848370891,qF,0:11:88:21:f1:80,0:11:
88:5:5d:1d,<->,28888.102963,,CON,s[16]="%...........#\..",d[16]="%.............]
.",,,8651,,,0xc087,0x027f,0x0000
1151432428.855532,1151433529.671900,1,1100.816368,1100.816406,142.58.29.58,142.5
8.135.65,ipnip,,,255,255,255,255,17531159,3131651,2956740,2631957,29411,12445,12
7404.781,22758.752,26.717,11.305,0,0,229.97.122.203, v       ,0:11:88:21:f1:80,0
:11:88:5:5d:1d,<->,28886.744474,,CON,s[16]="%...........#\..",d[16]="%..........
...].",,,8651,,,0xc087,0x027f,0x0000,0x0000

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada