new user needs help

Carter Bullard carter at qosient.com
Thu Oct 18 11:33:37 EDT 2001


Hey Mike,
   Hmmm, well there are a number of possibilities, but
first a few stupid questions.  How does the file indicate
that there are no connections?  It may take a few seconds
before the file has any data in it, depending on how
the system flushes pages and how argus is configured.
You may not get any flow records generated for 30 seconds
with your -S 30 option, so you may just need to be patient.

   The best test is to run tcpdump on the interface, to
see that there really are packets coming from that interface.
Depending on the system, you can have any number of
libpcap-based packet readers on a single interface, but
if you don't have the horsepower, you may drop packets.

   Check that there really are packets on the interface
and if so, wait a few minutes, and then see if there is
anything being collected.  If not, then there are a few
other things to do.

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter at qosient.com
Phone +1 212 588-9133
Fax   +1 212 588-9134
http://qosient.com

> -----Original Message-----
I am a new argus user.  I have built and installed argus 2.0.3.  I then
started argus as: argus -d -e `hostname` -i eth1 -U128 -mRS 30 -w
/var/log/argus/argus.out. It seems to start up OK and the output file is
generated. However, the data in the file indicates that argus is not
seeing any connections.  I'm running snort on the same interface.  Can I
have only 1 packet capture utility on the interface at a time?  Any
ideas as to why argus is not seeing any data?

Thanks,
Mike


