new user needs help

Michael Anderson mca at arlut.utexas.edu
Thu Oct 18 12:14:01 EDT 2001


Hey Carter,
I tried running argus without -i and it does not see any packets on the
default interface.  I definitely want eth1 though.  I should also note that
eth1 is up and in promiscuous mode but it does not have an ip address
assigned to it.  I added in debug reporting and reran argus with -D 8.
Argus goes through initialization steps and then I get the following
statements printed out over and over again (not necessarily in the same
order every time) until I terminate argus:
argus[28402]: 1003420383 ArgusWriteOutSocket(0x40016da0): queue empty
argus[28402]: 1003420383 ArgusWriteOutSocket (0x8159090) 0 records waiting. returning 0
argus[28402]: 1003420383 ArgusHandleData(0x0, 0) returning 0
argus[28402]: 1003420384 ArgusUpdateTime () returning 0
argus[28401]: 1003420384 ArgusUpdateTime () returning 1
argus[28401]: 1003420384 ArgusProcessQueue (0x81443b8, 4) returning
argus[28401]: 1003420384 ArgusSystemTimeout () returning
argus[28403]: 1003420384 ArgusUpdateTime () returning 0
argus[28402]: 1003420384 ArgusUpdateTime () returning 1

Thanks,
Mike

Carter Bullard wrote:

> Hey Mike,
>    Well, you definitely aren't getting any packets.
> You are running argus with "-i eth1", is that the
> right interface?  Try running argus without the -i
> option to see if it gets any packets on other interfaces.
>
>    If you create a ".debug" file in the argus source
> you can enable debug reporting in all argus programs.
>
> % cd argus.root
> % touch .debug
> % ./configure
> % make clean
> % make
>
> the new binaries will printout debug statements when
> you add the "-d level" option to the command line.
> That will be our next step if we can't find any packets
> anywhere.
>
> Carter
>
> Carter Bullard
> QoSient, LLC
> 300 E. 56th Street, Suite 18K
> New York, New York  10022
>
> carter at qosient.com
> Phone +1 212 588-9133
> Fax   +1 212 588-9134
> http://qosient.com
>
> > -----Original Message-----
> > From: Michael Anderson [mailto:mca at arlut.utexas.edu]
> > Sent: Thursday, October 18, 2001 11:44 AM
> > To: carter at qosient.com
> > Cc: argus-info at lists.andrew.cmu.edu
> > Subject: Re: new user needs help
> >
> >
> > Hey Carter,
> > Thanks for replying.  Ok, I ran tcpdump on the interface and
> > it is definitely capturing packets.  Snort is also running on
> > the interface and is capturing packets and generating alerts.
> > I am using ra -rn to read the output file.  The output looks
> > like this:
> > 18 Oct 01 09:44:13    man version=2.0     probeid=10.6.1.17  STA
> > 18 Oct 01 09:44:13    man  pkts         0  bytes            0  drops     0  CON
> > 18 Oct 01 09:49:13    man  pkts         0  bytes            0  drops     0  CON
> > 18 Oct 01 09:54:13    man  pkts         0  bytes            0  drops     0  CON
> > 18 Oct 01 09:59:13    man  pkts         0  bytes            0  drops     0  CON
> > 18 Oct 01 10:04:13    man  pkts         0  bytes            0  drops     0  CON
> > 18 Oct 01 10:09:13    man  pkts         0  bytes            0  drops     0  CON
> > 18 Oct 01 10:14:13    man  pkts         0  bytes            0  drops     0  CON
> > 18 Oct 01 10:19:13    man  pkts         0  bytes            0  drops     0  CON
> > 18 Oct 01 10:24:13    man  pkts         0  bytes            0  drops     0  CON
> >
> > I don't think it's a horsepower problem.  The machine I'm
> > running all of these tools on is a dual PIII 800 MHz with Red Hat 7.1.
> >
> > Thanks,
> > Mike
> >
> > Carter Bullard wrote:
> >
> > > Hey Mike,
> > >    Hmmm, well there are a number of possibilities, but
> > > first a few stupid questions.  How does the file indicate
> > > that there are no connections?  It may take a few seconds before
> > > the file has any data in it, depending on how the system flushes
> > > pages and how argus is configured.  You may not get any flow
> > > records generated for 30 seconds with your -S 30 option, so you
> > > may just need to be patient.
> > >
> > >    The best test is to run tcpdump on the interface, to
> > > see that there really are packets coming from that interface.
> > > Depending on the system, you can have any number of libpcap based
> > > packet readers on a single interface, but if you don't have the
> > > horsepower, you may drop packets.
> > >
> > >    Check that there really are packets on the interface
> > > and if so, wait a few minutes, and then see if there is
> > > anything being collected.  If not, then there are a few
> > > other things to do.
> > >
> > > Carter
> > >
> > > Carter Bullard
> > > QoSient, LLC
> > > 300 E. 56th Street, Suite 18K
> > > New York, New York  10022
> > >
> > > carter at qosient.com
> > > Phone +1 212 588-9133
> > > Fax   +1 212 588-9134
> > > http://qosient.com
> > >
> > > > -----Original Message-----
> > > I am a new argus user.  I have built and installed argus 2.0.3.  I
> > > then started argus as: argus -d -e `hostname` -i eth1 -U128 -mRS 30 -w
> > > /var/log/argus/argus.out.  It seems to start up OK and the output file
> > > is generated.  However, the data in the file indicates that argus is
> > > not seeing any connections.  I'm running snort on the same interface.
> > > Can I have only 1 packet capture utility on the interface at a time?
> > > Any ideas as to why argus is not seeing any data?
> > >
> > > Thanks,
> > > Mike
> >
> >
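An added example, not part of this thread or of argus itself: a small Python check that parses `ra -rn` management ("man") records like the ones Mike quoted, re-joins the lines the mail client wrapped, and flags a probe that keeps reporting zero packets, which is the sensor-health symptom this thread is chasing. The record layout is assumed from the quoted output and the sample below is constructed.

```python
import re
from collections import namedtuple
from typing import List

# Constructed sample, copied in shape from the `ra -rn` output quoted in the
# thread, including the line wrapping that the mail client introduced.
SAMPLE_RA_OUTPUT = """\
18 Oct 01 09:44:13    man version=2.0     probeid=10.6.1.17
STA
18 Oct 01 09:44:13    man  pkts         0  bytes            0
 drops     0
CON
18 Oct 01 09:49:13    man  pkts         0  bytes            0
 drops     0
CON
"""

# Timestamp followed by the counters of an argus management ("man") record.
MAN_RE = re.compile(
    r"^(?P<ts>\d{1,2} \w{3} \d{2} \d{2}:\d{2}:\d{2})\s+man\s+pkts\s+(?P<pkts>\d+)"
    r"\s+bytes\s+(?P<bytes>\d+)\s+drops\s+(?P<drops>\d+)\s+(?P<state>\w+)"
)
ManRecord = namedtuple("ManRecord", "ts pkts bytes drops state")

def unwrap(text: str) -> List[str]:
    """Re-join wrapped records: a line not starting with a digit continues the previous one."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw[:1].isdigit() or not lines:
            lines.append(raw.strip())
        else:
            lines[-1] += " " + raw.strip()
    return lines

def parse_man_records(text: str) -> List[ManRecord]:
    """Extract status records; the version/probeid banner has no counters and is skipped."""
    return [ManRecord(m["ts"], int(m["pkts"]), int(m["bytes"]), int(m["drops"]), m["state"])
            for m in map(MAN_RE.match, unwrap(text)) if m]

def sensor_health(records: List[ManRecord], quiet_intervals: int = 2) -> str:
    """'no-packets' when the last quiet_intervals records all report zero packets
    (the symptom in the thread), 'dropping' if any record lost packets, else 'ok'."""
    if len(records) < quiet_intervals:
        return "too-few-records"
    if all(r.pkts == 0 for r in records[-quiet_intervals:]):
        return "no-packets"
    if any(r.drops > 0 for r in records):
        return "dropping"
    return "ok"
```

Run it against a real `ra -rn` capture with `sensor_health(parse_man_records(open(path).read()))`; a sensor that answers "no-packets" while tcpdump on the same interface sees traffic points at the probe's interface selection, as Carter's advice in the thread does.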