new user needs help
Carter Bullard
carter at qosient.com
Thu Oct 18 12:37:46 EDT 2001
Hey Michael,
Add an unroutable address to your interface, and it will
probably start working. Argus wants to know the interface's
address. I'm not sure what it will do if it doesn't get
one, on some OS's. I'll take a look at it.
Carter
Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York 10022
carter at qosient.com
Phone +1 212 588-9133
Fax +1 212 588-9134
http://qosient.com
> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of
> Michael Anderson
> Sent: Thursday, October 18, 2001 12:14 PM
> To: carter at qosient.com; argus-info at lists.andrew.cmu.edu
> Subject: Re: new user needs help
>
>
> Hey Carter,
> I tried running argus without -i and it does not see any
> packets on the default interface. I definitely want eth1
> though. I should also note that eth1 is up and in
> promiscuous mode but it does not have an ip address assigned
> to it. I added in debug reporting and reran argus with -D 8.
> Argus goes through initialization steps and then I get the
> following statements printed out over and over again (not
> necessarily in the same order every time) until I terminate argus:
> argus[28402]: 1003420383 ArgusWriteOutSocket(0x40016da0): queue empty
> argus[28402]: 1003420383 ArgusWriteOutSocket (0x8159090) 0 records waiting. returning 0
> argus[28402]: 1003420383 ArgusHandleData(0x0, 0) returning 0
> argus[28402]: 1003420384 ArgusUpdateTime () returning 0
> argus[28401]: 1003420384 ArgusUpdateTime () returning 1
> argus[28401]: 1003420384 ArgusProcessQueue (0x81443b8, 4) returning
> argus[28401]: 1003420384 ArgusSystemTimeout () returning
> argus[28403]: 1003420384 ArgusUpdateTime () returning 0
> argus[28402]: 1003420384 ArgusUpdateTime () returning 1
>
> Thanks,
> Mike
>
> Carter Bullard wrote:
>
> > Hey Mike,
> > Well, you definitely aren't getting any packets.
> > You are running argus with "-i eth1", is that the
> > right interface? Try running argus without the -i
> > option to see if it gets any packets on other interfaces.
> >
> > If you create a ".debug" file in the argus source
> > you can enable debug reporting in all argus programs.
> >
> > % cd argus.root
> > % touch .debug
> > % ./configure
> > % make clean
> > % make
> >
> > the new binaries will print out debug statements when
> > you add the "-d level" option to the command line.
> > That will be our next step if we can't find any packets anywhere.
> >
> > Carter
> >
> > Carter Bullard
> > QoSient, LLC
> > 300 E. 56th Street, Suite 18K
> > New York, New York 10022
> >
> > carter at qosient.com
> > Phone +1 212 588-9133
> > Fax +1 212 588-9134
> > http://qosient.com
> >
> > > -----Original Message-----
> > > From: Michael Anderson [mailto:mca at arlut.utexas.edu]
> > > Sent: Thursday, October 18, 2001 11:44 AM
> > > To: carter at qosient.com
> > > Cc: argus-info at lists.andrew.cmu.edu
> > > Subject: Re: new user needs help
> > >
> > >
> > > Hey Carter,
> > > Thanks for replying. Ok, I ran tcpdump on the interface and it is
> > > definitely capturing packets. Snort is also running on the
> > > interface and is capturing packets and generating alerts. I am
> > > using ra -rn to read the output file. The output looks like this:
> > > 18 Oct 01 09:44:13 man version=2.0 probeid=10.6.1.17 STA
> > > 18 Oct 01 09:44:13 man pkts 0 bytes 0 drops 0 CON
> > > 18 Oct 01 09:49:13 man pkts 0 bytes 0 drops 0 CON
> > > 18 Oct 01 09:54:13 man pkts 0 bytes 0 drops 0 CON
> > > 18 Oct 01 09:59:13 man pkts 0 bytes 0 drops 0 CON
> > > 18 Oct 01 10:04:13 man pkts 0 bytes 0 drops 0 CON
> > > 18 Oct 01 10:09:13 man pkts 0 bytes 0 drops 0 CON
> > > 18 Oct 01 10:14:13 man pkts 0 bytes 0 drops 0 CON
> > > 18 Oct 01 10:19:13 man pkts 0 bytes 0 drops 0 CON
> > > 18 Oct 01 10:24:13 man pkts 0 bytes 0 drops 0 CON
> > >
> > > I don't think it's a horsepower problem. The machine I'm running all
> > > of these tools on is a dual PIII 800 MHz with Red Hat 7.1.
> > >
> > > Thanks,
> > > Mike
> > >
> > > Carter Bullard wrote:
> > >
> > > > Hey Mike,
> > > > Hmmm, well there are a number of possibilities, but first a few
> > > > stupid questions. How does the file indicate that there
> > > > are no connections? It may take a second before the file has any
> > > > data in it, depending on how the system flushes pages and how
> > > > argus is configured. You may not get any flow records generated for 30
> > > > seconds with your -S 30 option, so you may just need to be
> > > > patient.
> > > >
> > > > The best test is to run tcpdump on the interface, to see that
> > > > there really are packets coming from that interface. Depending on
> > > > the system, you can have any number of libpcap based packet
> > > > readers on a single interface, but if you don't have the
> > > > horsepower, you may drop packets.
> > > >
> > > > Check that there really are packets on the interface and if so,
> > > > wait a few minutes, and then see if there is anything being
> > > > collected. If not, then there are a few other things to do.
> > > >
> > > > Carter
> > > >
> > > > Carter Bullard
> > > > QoSient, LLC
> > > > 300 E. 56th Street, Suite 18K
> > > > New York, New York 10022
> > > >
> > > > carter at qosient.com
> > > > Phone +1 212 588-9133
> > > > Fax +1 212 588-9134
> > > > http://qosient.com
> > > >
> > > > > -----Original Message-----
> > > > I am a new argus user. I have built and installed argus 2.0.3. I
> > > > then started argus as: argus -d -e `hostname` -i eth1 -U128 -mRS 30 -w
> > > > /var/log/argus/argus.out. It seems to start up OK and the output file
> > > > is generated. However, the data in the file indicates that argus
> > > > is not seeing any connections. I'm running snort on the same interface.
> > > > Can I have only 1 packet capture utility on the interface at a time?
> > > > Any ideas as to why argus is not seeing any data?
> > > >
> > > > Thanks,
> > > > Mike
> > >
> > >
>
>
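The thread's symptom is a sensor that starts cleanly but reports "pkts 0 bytes 0" in every management record. The following is an added example, not code from the thread or from the Argus project: a small health check that parses `ra -rn` management ("man") records in the layout quoted above and flags a sensor that has gone blind (several consecutive zero-packet intervals) or is overloaded (a high drop ratio, the "horsepower" case Carter mentions). The sample records, the threshold values and the function names are constructed for this example; the line layout is taken from the thread.

```python
import re
from datetime import datetime

# Constructed samples laid out like the `ra -rn` management ("man") records
# quoted in the thread: one record per reporting interval, packet/byte/drop
# counters, and a record state (STA = start, CON = continuing).
SAMPLE_BLIND = """\
18 Oct 01 09:44:13 man version=2.0 probeid=10.6.1.17 STA
18 Oct 01 09:44:13 man pkts 0 bytes 0 drops 0 CON
18 Oct 01 09:49:13 man pkts 0 bytes 0 drops 0 CON
18 Oct 01 09:54:13 man pkts 0 bytes 0 drops 0 CON
18 Oct 01 09:59:13 man pkts 0 bytes 0 drops 0 CON
"""

SAMPLE_OK = """\
18 Oct 01 09:44:13 man version=2.0 probeid=10.6.1.17 STA
18 Oct 01 09:44:13 man pkts 0 bytes 0 drops 0 CON
18 Oct 01 09:49:13 man pkts 1842 bytes 913204 drops 0 CON
18 Oct 01 09:54:13 man pkts 2011 bytes 1100341 drops 12 CON
18 Oct 01 09:59:13 man pkts 1977 bytes 1048576 drops 0 CON
"""

# Matches only the counter records; the "version=... STA" line and any flow
# records do not match and are skipped.
MAN_RE = re.compile(
    r"^(?P<ts>\d{1,2} \w{3} \d{2} \d{2}:\d{2}:\d{2}) man "
    r"pkts (?P<pkts>\d+) bytes (?P<bytes>\d+) drops (?P<drops>\d+) (?P<state>\w+)$"
)


def parse_man_record(line):
    """Return a dict for one counter record, or None for any other line."""
    m = MAN_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%d %b %y %H:%M:%S"),
        "pkts": int(m.group("pkts")),
        "bytes": int(m.group("bytes")),
        "drops": int(m.group("drops")),
        "state": m.group("state"),
    }


def parse_ra_output(text):
    return [r for r in (parse_man_record(l) for l in text.splitlines()) if r]


def longest_idle_run(records):
    """Longest run of consecutive management records with pkts == 0."""
    best = cur = 0
    for r in records:
        cur = cur + 1 if r["pkts"] == 0 else 0
        best = max(best, cur)
    return best


def sensor_health(text, max_idle_intervals=2, max_drop_ratio=0.01):
    """Summarise the sensor's counters and list anything that looks wrong.

    Thresholds are constructed defaults for this example; tune them to the
    reporting interval (-S) and the expected traffic on the monitored link.
    """
    recs = parse_ra_output(text)
    idle = longest_idle_run(recs)
    total_pkts = sum(r["pkts"] for r in recs)
    total_drops = sum(r["drops"] for r in recs)
    findings = []
    if not recs:
        findings.append("no management records found")
    if idle > max_idle_intervals:
        # Exactly the signature in the thread: the probe is up, but the
        # interface is delivering nothing (no address, wrong -i, link down).
        findings.append(f"{idle} consecutive intervals with pkts 0 (blind sensor?)")
    if total_pkts and total_drops / total_pkts > max_drop_ratio:
        findings.append(f"drop ratio {total_drops / total_pkts:.2%} (capture overload?)")
    return {
        "records": len(recs),
        "pkts": total_pkts,
        "drops": total_drops,
        "longest_idle_run": idle,
        "healthy": not findings,
        "findings": findings,
    }


if __name__ == "__main__":
    for name, sample in (("blind", SAMPLE_BLIND), ("ok", SAMPLE_OK)):
        print(name, sensor_health(sample))
```

In practice the input would be piped in from `ra -rn` over the argus output file; the STA record is ignored on purpose because it carries no counters, and the zero-packet check counts intervals rather than wall-clock time so that it works for any -S setting.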