running argus on linux with 'unnumbered' interface

Carter Bullard carter at qosient.com
Mon May 7 08:31:34 EDT 2001


Hey Russell,
   I've run argus on unnumbered interfaces before and
have never had a problem, until recently with newer
Linux kernels, like 2.4.4.  The error messages that you
are getting from ArgusInitSource() are all errors from
either pcap_open_live(), pcap_compile() or pcap_setfilter().
I suspect that your "ArgusInitSource: SIOCGIFADDR:
eth1: Cannot assign requested address", is a
pcap_open_live() error.

   I'm not sure why, but Linux seems to be unhappy.
One way around it is to assign unroutable addresses as
your interface address, such as 0.0.0.1 to eth1, and
0.0.0.2 to eth2.  This strategy still provides some
protection, however not as good as no address.

   The best solution is to try to find out what happened
to cause Linux to start doing this.  I'll send some
mail to the tcpdump-workers mailing list to see if they
have any ideas.

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter at qosient.com
Phone +1 212 588-9133
Fax   +1 212 588-9134
http://qosient.com


> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu
> [mailto:owner-argus-info at lists.andrew.cmu.edu]On Behalf Of Russell
> Fulton
> Sent: Monday, May 07, 2001 1:11 AM
> To: argus-info at lists.andrew.cmu.edu
> Subject: running argus on linux with 'unnumbered' interface
> 
> 
> Hi,
> 	I am experimenting with setting up a passive monitoring
> interface using linux (debian potato if it matters).  I have set up
> ipchain rules so no traffic can pass in or out the interface (this
> does not appear to affect libpcap captures btw) and was wondering if
> there is any way of starting argus on an interface that does not have
> an IP address configured.
> 
> hihi:~# ifconfig
> eth0      Link encap:Ethernet  HWaddr 00:06:29:AF:00:A8  
>           inet addr:130.216.1.228  Bcast:130.216.1.255  
> Mask:255.255.255.0
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:182 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:56 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:23 txqueuelen:100 
>           Interrupt:11 Base address:0xec00 
> 
> eth1      Link encap:Ethernet  HWaddr 00:10:C6:07:03:78  
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:13 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:100 
>           Interrupt:12 Base address:0xe400 
> 
> lo        Link encap:Local Loopback  
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           UP LOOPBACK RUNNING  MTU:3924  Metric:1
>           RX packets:6 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0 
> 
> hihi:~# ~argus/bin/argus_linux -i eth1
> argus_linux[284]: ArgusInitSource: SIOCGIFADDR: eth1: Cannot assign 
> requested address
> 
> I seem to have been able to start netramet (which also uses
> libpcap) in an interface with no IP, however I have not tested
> this extensively.
> 
> Russell Fulton, Computer and Network Security Officer
> The University of Auckland,  New Zealand
> 
> 