argus showing packets tcpdump does not?
Kevin Littlejohn
darius at obsidian.com.au
Fri Apr 19 09:41:13 EDT 2002
Hi all,
I've got a bit of a problem on my hands here, trying to work out why.
Two of my servers have started showing high levels of traffic - they're
in a hosting facility, and I couldn't for the life of me work out what
the traffic was, until I threw argus on them in an attempt to get some
easier categorising of what was going on. Lo and behold, argus tells me
there's multicast traffic on the network.
What's got me baffled is, tcpdump can't see said traffic -
tcpdump -n ip multicast just sits there dumbly. Likewise, iptraf shows
nothing particularly out of the ordinary.
The problem I'm facing is the hosting facility techs are having trouble
seeing this traffic too. So unless I can prove that argus is telling
the truth (and I'm fairly sure it is), I'm going to have trouble working
out a solution.
So, any clues or pointers? Anyone had similar problems? Any ideas on
what else I could do to debug? Running linux-2.4.17 kernel on one
machine, 2.2.18 kernel on the other - the 2.4 does not have multicast
compiled into the kernel, the 2.2 does. Funnily enough, pinging the
multicast address in question (229.97.122.203) from the 2.2 generates
packets that the 2.4 kernel _can_ see.
Sample argus line:
04-19-02 23:11:02.007898 300.105560 man 229.97.122.203 v2.0 130 50 7172 0 934960 24 CON
KevinL
(hopeful)
--
Internet techie Obsidian Consulting Group
Phone: +613 9653 9364 Fax: +613 9354 2681
http://www.obsidian.com.au/ darius at obsidian.com.au
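Added example, not from Kevin's post and not argus or tcpdump code: a way to cross-check a multicast group that one tool reports and another does not. It maps the group address to the Ethernet address the NIC and switch actually see (RFC 1112: 01:00:5e plus the low 23 bits of the group), builds a tcpdump filter that matches at both layers, and evaluates, on constructed frames, the byte tests that libpcap compiles the "ether multicast" and "ip multicast" primitives to (ether[0] & 1 and ip[16] >= 224). One reason "ip multicast" alone can miss frames is that it only matches untagged IPv4, so an 802.1Q-tagged frame to the same group fails the "ip" test while still passing "ether multicast". All frames, MAC addresses and port numbers below are constructed for illustration.

```python
"""Cross-checks for reported multicast traffic (added example; all input constructed)."""
import ipaddress
import struct
from typing import Optional


def multicast_mac(group: str) -> str:
    """RFC 1112 mapping of an IPv4 group to its Ethernet address:
    01:00:5e followed by the low 23 bits of the group address."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not in 224.0.0.0/4")
    b = addr.packed
    return "01:00:5e:%02x:%02x:%02x" % (b[1] & 0x7F, b[2], b[3])


def tcpdump_filter(group: str) -> str:
    """Filter matching the group at both layers, so a frame shows up even when
    it is 802.1Q-tagged and 'ip multicast' alone would not match it."""
    return f"ip dst host {group} or ether dst {multicast_mac(group)}"


def _checksum(data: bytes) -> int:
    """Standard Internet (ones-complement) checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_frame(src_ip: str, dst_ip: str, vlan: Optional[int] = None,
                payload: bytes = b"x" * 8) -> bytes:
    """Constructed Ethernet/IPv4/UDP frame (sample input only). The destination
    MAC is derived from the group when dst_ip is multicast; the unicast MACs
    and UDP ports are arbitrary placeholders."""
    dst = ipaddress.IPv4Address(dst_ip)
    if dst.is_multicast:
        dst_mac = bytes.fromhex(multicast_mac(dst_ip).replace(":", ""))
    else:
        dst_mac = bytes.fromhex("001122334455")
    src_mac = bytes.fromhex("00aabbccddee")
    eth = dst_mac + src_mac
    if vlan is not None:
        eth += struct.pack("!HH", 0x8100, vlan & 0x0FFF)  # 802.1Q tag
    eth += struct.pack("!H", 0x0800)
    udp = struct.pack("!HHHH", 40000, 5000, 8 + len(payload), 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 1, 17, 0,
                      ipaddress.IPv4Address(src_ip).packed, dst.packed)
    hdr = hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]
    return eth + hdr + udp


def bpf_predicates(frame: bytes) -> dict:
    """Evaluate the byte tests libpcap compiles these primitives to:
    'ether multicast' -> ether[0] & 1 != 0
    'ip'              -> ether[12:2] == 0x0800 (untagged IPv4 only)
    'ip multicast'    -> ip and ip[16] >= 224 (first byte of the IP destination)"""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    is_ip = ethertype == 0x0800
    ip = frame[14:]
    return {
        "ether multicast": (frame[0] & 1) != 0,
        "ip": is_ip,
        "ip multicast": is_ip and len(ip) > 16 and ip[16] >= 224,
    }


if __name__ == "__main__":
    group = "229.97.122.203"
    print("group MAC:", multicast_mac(group))
    print("filter:   ", tcpdump_filter(group))
    for label, frame in (("untagged", build_frame("10.0.0.5", group)),
                         ("802.1Q",   build_frame("10.0.0.5", group, vlan=100))):
        print(label, bpf_predicates(frame))
```

The MAC printed for the group is what to look for in switch CAM tables or in a capture with `ether dst`, independently of whether the host kernel has multicast support compiled in; the "802.1Q" row shows a frame that "ip multicast" rejects although the destination is the same group.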