<div dir="ltr">Hello Community,<div><br></div><div>This is the cap file.</div><div><br></div><div>Sorry for the low-resolution picture.</div><div><br></div><div>Thank you very much in advance.</div><div><br></div><div>Regards,</div><div>Alan</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, May 8, 2015 at 5:37 AM, PÁSZTOR György <span dir="ltr"><<a href="mailto:pasztor@linux.gyakg.u-szeged.hu" target="_blank">pasztor@linux.gyakg.u-szeged.hu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
<span class=""><br>
"Sandor Geller" <<a href="mailto:sandor.geller@ericsson.com">sandor.geller@ericsson.com</a>> wrote on 2015-05-08 at 09:32:<br>
> Wow, it was really 'low resolution'. Zooming in showed that there isn't<br>
> any kind of UDP packet fragmentation happening (not surprising, the<br>
<br>
</span>That's why I asked for a pcap file.<br>
It would have required a smaller attached file, and would have given us more info.<br>
I found a new theory, based on: 1 pic ~= 1 Mword<br>
1 pcap ~= 1000 pic!<br>
<span class=""><br>
> kernel would reassemble fragments transparently to syslog-ng) but the<br>
> sender device actually splits the logs into multiple packets so<br>
> syslog-ng does exactly what it should do. Yet another broken syslog<br>
> implementation on Cisco's side :(<br>
<br>
</span>As is basically all of their syslog implementation.<br>
<span class=""><br>
> I'm not aware of how such logs could get concatenated without writing an<br>
> app which postprocesses the logs.<br>
<br>
</span>That's another thing, I asked for a pcap file. I gave up.<br>
Maybe there is a chance to do that with some patterndb magic, where we can<br>
"process" and "correlate", etc.<br>
<br>
Kind regards,<br>
Gyu<br>
<div class="HOEnZb"><div class="h5">
<br>
</div></div></blockquote></div><br></div>