My last email today, really!
Peter Van Epp
vanepp at sfu.ca
Wed Nov 14 15:05:02 EST 2001
>
> On Wed, Nov 14, 2001 at 12:37:42PM -0700, Wozz wrote:
> > I promise!
> >
> > Is there any way to specify an icmp echo reply in a flowfile rule? I don't see
> > anything in the documentation or source, but I want to make sure I'm not missing
> > something.
>
> Ok I lied, I forgot to ask another question I had. The documentation mentions
> argus writing status records with packet loss and such in them. How does one pick
> those out of the data stream, or are they logged elsewhere.
>
ra -r argus.file - man
will extract the man records (don't know about the flow file). Note the "drops"
being referred to are between the kernel/bpf interface and argus (i.e. if
the kernel presents a packet when the bpf buffer is full, the packet is lost
and the count incremented). If you are seeing these, increasing the bpf buffer
size may help. You can also lose packets between the NIC and the kernel (below
bpf), which won't be reflected in that count. A netstat -i should give you those
stats (or at least may), probably called "underruns" (overruns would be in the
transmit direction, which argus isn't doing) against the NIC card. That is
essentially the same deal: the card had a packet ready to transfer (probably
via DMA) and there were no buffers available, so it is discarded and the error
count is incremented.
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada