new user needs help

Carter Bullard carter at qosient.com
Thu Oct 18 11:48:19 EDT 2001


Hey Mike,
   Well, you definitely aren't getting any packets.
You are running argus with "-i eth1", is that the
right interface?  Try running argus without the -i
option to see if it gets any packets on other interfaces.

   If you create a ".debug" file in the argus source
you can enable debug reporting in all argus programs.

% cd argus.root
% touch .debug
% ./configure
% make clean
% make

the new binaries will print out debug statements when
you add the "-d level" option to the command line.
That will be our next step if we can't find any packets
anywhere.

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter at qosient.com
Phone +1 212 588-9133
Fax   +1 212 588-9134
http://qosient.com

> -----Original Message-----
> From: Michael Anderson [mailto:mca at arlut.utexas.edu] 
> Sent: Thursday, October 18, 2001 11:44 AM
> To: carter at qosient.com
> Cc: argus-info at lists.andrew.cmu.edu
> Subject: Re: new user needs help
> 
> 
> Hey Carter,
> Thanks for replying.  Ok, I ran tcpdump on the interface and
> it is definitely capturing packets.  Snort is also running on
> the interface and is capturing packets and generating alerts.
> I am using ra -rn to read the output file.  The output looks
> like this:
> 18 Oct 01 09:44:13    man version=2.0     probeid=10.6.1.17 STA
> 18 Oct 01 09:44:13    man  pkts         0  bytes            0  drops     0 CON
> 18 Oct 01 09:49:13    man  pkts         0  bytes            0  drops     0 CON
> 18 Oct 01 09:54:13    man  pkts         0  bytes            0  drops     0 CON
> 18 Oct 01 09:59:13    man  pkts         0  bytes            0  drops     0 CON
> 18 Oct 01 10:04:13    man  pkts         0  bytes            0  drops     0 CON
> 18 Oct 01 10:09:13    man  pkts         0  bytes            0  drops     0 CON
> 18 Oct 01 10:14:13    man  pkts         0  bytes            0  drops     0 CON
> 18 Oct 01 10:19:13    man  pkts         0  bytes            0  drops     0 CON
> 18 Oct 01 10:24:13    man  pkts         0  bytes            0  drops     0 CON
> 
> I don't think it's a horsepower problem.  The machine I'm
> running all of these tools on is a dual PIII 800 MHz with Red Hat 7.1.
> 
> Thanks,
> Mike
> 
> Carter Bullard wrote:
> 
> > Hey Mike,
> >    Hmmm, well there are a number of possibilities, but
> > first a few stupid questions.  How does the file indicate that there
> > are no connections?  It may take a few seconds before the file has any
> > data in it, depending on how the system flushes pages and how
> > argus is configured. You may not get any flow records generated for 30
> > seconds with your -S 30 option, so you may just need to be patient.
> >
> >    The best test is to run tcpdump on the interface, to
> > see that there really are packets coming from that interface. 
> > Depending on the system, you can have any number of libpcap based 
> > packet readers on a single interface, but if you don't have the 
> > horsepower, you may drop packets.
> >
> >    Check that there really are packets on the interface
> > and if so, wait a few minutes, and then see if there is anything being
> > collected.  If not, then there are a few other things to do.
> >
> > Carter
> >
> > Carter Bullard
> > QoSient, LLC
> > 300 E. 56th Street, Suite 18K
> > New York, New York  10022
> >
> > carter at qosient.com
> > Phone +1 212 588-9133
> > Fax   +1 212 588-9134
> > http://qosient.com
> >
> > > -----Original Message-----
> > I am a new argus user.  I have built and installed argus 2.0.3.  I
> > then started argus as: argus -d -e `hostname` -i eth1 -U128 -mRS 30 -w
> > /var/log/argus/argus.out. It seems to start up OK and the output file
> > is generated. However, the data in the file indicates that argus is
> > not seeing any connections.  I'm running snort on the same interface.
> > Can I have only 1 packet capture utility on the interface at a time?
> > Any ideas as to why argus is not seeing any data?
> >
> > Thanks,
> > Mike
> 
> 
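As an added example (not part of this thread or of argus itself), here is a small Python check that parses the `ra -rn` management ("man") records in the format shown above and flags a probe that reports zero packets for consecutive intervals, the symptom Mike describes, or one that is dropping packets, the "horsepower" case Carter mentions. It assumes the pkts/bytes/drops counters are per-interval and that drops are not included in pkts; the sample records are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample of `ra -rn` output for argus 2.0 management ("man")
# records in the layout shown in the thread; the last two lines are made
# up to show a probe that starts seeing traffic and then drops packets.
SAMPLE_RA_OUTPUT = """\
18 Oct 01 09:44:13    man version=2.0     probeid=10.6.1.17 STA
18 Oct 01 09:44:13    man  pkts         0  bytes            0  drops     0 CON
18 Oct 01 09:49:13    man  pkts         0  bytes            0  drops     0 CON
18 Oct 01 09:54:13    man  pkts     12034  bytes      9810233  drops     0 CON
18 Oct 01 09:59:13    man  pkts     11877  bytes      9502117  drops   413 CON
"""

# Matches only the counter-bearing man records; the STA line has no counters.
MAN_RE = re.compile(
    r"^\d{1,2} \w{3} \d{2} (?P<time>\d{2}:\d{2}:\d{2})\s+man\s+"
    r"pkts\s+(?P<pkts>\d+)\s+bytes\s+(?P<nbytes>\d+)\s+drops\s+(?P<drops>\d+)"
)

@dataclass
class ManRecord:
    time: str
    pkts: int
    nbytes: int
    drops: int

def parse_man_records(text):
    """Extract the counters from each man record (assumed per-interval, not cumulative)."""
    recs = []
    for line in text.splitlines():
        m = MAN_RE.match(line.strip())
        if m:
            recs.append(ManRecord(m["time"], int(m["pkts"]), int(m["nbytes"]), int(m["drops"])))
    return recs

def assess_probe(records, idle_limit=2, drop_pct_limit=1.0):
    """Return findings: one IDLE when `idle_limit` consecutive intervals report zero packets,
    and a DROPS finding for any interval losing more than `drop_pct_limit` percent."""
    findings = []
    idle_run = 0
    for r in records:
        idle_run = idle_run + 1 if r.pkts == 0 else 0
        if idle_run == idle_limit:
            findings.append(f"{r.time} IDLE: no packets for {idle_limit} intervals; check the -i interface")
        seen = r.pkts + r.drops  # assumption: dropped packets are not counted in pkts
        if r.drops and 100.0 * r.drops / seen > drop_pct_limit:
            findings.append(f"{r.time} DROPS: {r.drops} of {seen} packets ({100.0 * r.drops / seen:.1f}%)")
    return findings
```

Feed it the output of `ra -rn` on the argus.out file; an IDLE finding on a fresh sensor points at the interface choice, a DROPS finding at capture capacity.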