argus showing packets tcpdump does not?

Carter Bullard carter at qosient.com
Fri Apr 19 09:58:46 EDT 2002


Hey Kevin,
   The example record that you sent was a "man" record,
or internal argus management record.  The address in
this record is the argus probe identifier, which is 
229.97.122.203.  This is not data on the wire, but a
record that states how many flows, packets, bytes, etc,
that this particular argus has seen in the last interval.

   The best way to test if there is multicast in your
argus data is to use a ra filter like:

   ra -r file - multicast

These man records should not come up.

Sorry if this was a wild goose chase.  You may want to
try ratop(), out of the argus-clients distribution to
try to figure out what is going on in your network.
ftp://qosient.com/dev/argus-2.0

I have new versions that should come out in 2-3 weeks,
if the ratop that is there gives you too much trouble.


Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter at qosient.com
Phone +1 212 588-9133
Fax   +1 212 588-9134
http://qosient.com


> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu 
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of 
> Kevin Littlejohn
> Sent: Friday, April 19, 2002 9:41 AM
> To: argus-info at lists.andrew.cmu.edu
> Subject: argus showing packets tcpdump does not?
> 
> 
> Hi all,
> 
> I've got a bit of a problem on my hands here, trying to work out why.
> Two of my servers have started showing high levels of traffic - they're
> in a hosting facility, and I couldn't for the life of me work out what
> the traffic was, until I threw argus on them in an attempt to get some
> easier categorising of what was going on.  Lo and behold, argus tells me
> there's multicast traffic on the network.
> 
> What's got me baffled is, tcpdump can't see said traffic -
> tcpdump -n ip multicast just sits there dumbly.  Likewise, iptraf shows
> nothing particularly out of the ordinary.
> 
> The problem I'm facing is the hosting facility techs are having trouble
> seeing this traffic too.  So unless I can prove that argus is telling
> the truth (and I'm fairly sure it is), I'm going to have trouble working
> out a solution.
> 
> So, any clues or pointers?  Anyone had similar problems?  Any ideas on
> what else I could do to debug?  Running linux-2.4.17 kernel on one
> machine, 2.2.18 kernel on the other - the 2.4 does not have multicast
> compiled into the kernel, the 2.2 does.  Funnily enough, pinging the
> multicast address in question (229.97.122.203) from the 2.2 generates
> packets that the 2.4 kernel _can_ see.
> 
> Sample argus line:
> 04-19-02 23:11:02.007898      300.105560           man  229.97.122.203  v2.0  130  50  7172  0  934960  24  CON
> 
> KevinL
> (hopeful)
> -- 
> Internet techie                    Obsidian Consulting Group
> Phone: +613 9653 9364                    Fax: +613 9354 2681
> http://www.obsidian.com.au/           darius at obsidian.com.au
> 
> 
> 
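To illustrate the distinction drawn in the reply above, here is an added example (not argus or ra code, and not written by either poster): it scans ra-style output lines, skips "man" management records, and reports only flow records whose addresses fall in 224.0.0.0/4. The man record is the one quoted in the thread; the two flow lines and the assumed column layout (date, time, duration, proto, src, dir, dst, counters, state) are constructed for this example.

```python
import ipaddress
import re

# ra-style output. The first line is the "man" record quoted in the thread;
# the two flow lines and their column layout (date, time, duration, proto,
# src, dir, dst, counters, state) are constructed for this example.
SAMPLE_RA_OUTPUT = """\
04-19-02 23:11:02.007898      300.105560           man  229.97.122.203 v2.0 130 50 7172 0 934960 24 CON
04-19-02 23:11:05.120000        0.000000           udp  10.0.0.5.5353 -> 224.0.0.251.5353 3 0 312 0 INT
04-19-02 23:11:06.500000        1.250000           tcp  10.0.0.5.4021 -> 10.0.0.9.80 12 10 1800 6400 FIN
"""

MULTICAST = ipaddress.ip_network("224.0.0.0/4")
# Dotted quad with an optional trailing ".port" (ra prints addr.port).
ADDR_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?:\.\d+)?$")


def parse_record(line):
    """Return (record_type, [addresses]) for one ra line, or None if too short."""
    fields = line.split()
    if len(fields) < 5:
        return None
    rec_type = fields[3]          # "man" for management records, else the protocol
    addrs = []
    for field in fields[4:]:
        m = ADDR_RE.match(field)
        if m:
            addrs.append(ipaddress.ip_address(m.group(1)))
    return rec_type, addrs


def multicast_flows(text, skip_man=True):
    """List (type, addresses) for records touching 224.0.0.0/4.

    With skip_man=True, "man" records are ignored: their address is the
    probe identifier, not a host seen on the wire."""
    hits = []
    for line in text.splitlines():
        parsed = parse_record(line)
        if parsed is None:
            continue
        rec_type, addrs = parsed
        if skip_man and rec_type == "man":
            continue
        if any(addr in MULTICAST for addr in addrs):
            hits.append((rec_type, [str(a) for a in addrs]))
    return hits
```

Because the probe identifier in the quoted man record (229.97.122.203) is itself a class D address, a check that only looks at address ranges reports it as multicast; checking the record type first removes that false positive.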
