FreeBSD problems (or I am terribly clueless)

Carter Bullard carter at qosient.com
Thu Jan 18 08:58:08 EST 2001


Hey Borja,
   If the argus.log file is growing then there is
data to be read ;o)

Three things to try.

First, make sure that the ra you are using
is ra-2.0.  Just run ra -h and see what version
it reports.  ra-1.8 cannot read argus-2.0 data.

Second, turn off name lookups with -n.  The delay in
looking up a name may be getting in the way.

   ra -nr argus.log

Third, argus.log may need to be removed so
that argus can write a clean output log.  There
may be a situation where argus is writing into
an Argus-1.8 data file.  The two header formats
are not compatible, so ra may have trouble with
that.  With argus still running, just:

   mv argus.log testfile

Argus will recreate argus.log when new data is
ready to be written.  When the argus.log reappears,
then try to read from it.

Hope this helps.  If you are still having problems
with the new argus.log file, send a copy to me and
I'll debug the problem.

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter at qosient.com
Phone +1 212 813-9426
Fax   +1 212 813-9426


> -----Original Message-----
> From: owner-argus at lists.andrew.cmu.edu
> [mailto:owner-argus at lists.andrew.cmu.edu]On Behalf Of Borja Marcos
> Sent: Thursday, January 18, 2001 6:27 AM
> To: argus at lists.andrew.cmu.edu
> Subject: FreeBSD problems (or I am terribly clueless)
> 
> 
> 
> 	Hello,
> 
> 	I am trying to get argus-2.0.0Q running. I have been a long-time
> user of the previous Argus program.
> 
> 	In a network with a lot of traffic, I start Argus
> by writing to a file (argus -i tl0 -w argus.log) and when
> I read the file with "ra -r argus.log" I get no output.
> 
> 	Am I missing anything? The network has traffic and the
> machine is receiving it; I've got a Snort process running on the
> same machine and it generates lots of alerts daily.
> 
> % uname -a
> FreeBSD machine 4.2-BETA FreeBSD 4.2-BETA #0: Thu Nov  9 12:47:43 CET
> 2000     root@:/usr/src/sys/compile/MATAHARI  i386
> 
> 	I have enough bpf devices. In fact, the argus.log file
> grows fast.
> 
> -rw-r--r--  1 root  wheel  12669360 Jan 18 12:24 argus.log
> 
> 	I have configured simply with "./configure".
> 
> 
> 	I just don't understand it!
> 
> 
> 	Regards,
> 
> 
> 
> 	Borja.
> 