argus output file messed up

Mike Iglesias iglesias at draco.acs.uci.edu
Tue Feb 5 18:53:06 EST 2002 

I'm starting to setup argus 2.0.4 on a dual 1ghz processor system running
RedHat Linux 7.2.  I compiled the software (using libpcap 6.2 since
the one that came with RH 7.2 broke it) and used the sample config
file when I started it up.  A copy of the non-comment lines in
the argus.conf file are below.

argus runs fine - the output file is getting updated since the network is
somewhat busy.  But when I run ra, I get strange output a few hundred
records into the file.  The output of "ra -r argus.out" looks
like this:

05 Feb 02 14:58:15    arp   128.200.34.41     who-has   128.200.34.12       CON
05 Feb 02 14:58:15    tcp    64.152.75.12.51464  ->      128.200.34.8.80    RST
29 Apr 74 12:54:40   unkn      0:10:0:0:5:8     <->      f3:3c:0:0:0:0      CON
29 Mar 70 15:43:00   unkn  e7:3c:60:63:8c:0     <->       48:0:0:0:0:8      CON
31 Dec 69 16:00:00   unkn       0:0:0:0:0:0     <-       3c:0:0:0:0:10      
ra[2131]: ArgusHandleDatum(0xaf8) input record 8716 size = 118685696

The last couple of lines with -D 8 look like this:

05 Feb 02 14:58:15    tcp    64.152.75.12.51464  ->      128.200.34.8.80    RST
ra[2135]: 05 Feb 02 14:58:25 ArgusProcessRecord (0xbfffe560) returning
ra[2135]: 05 Feb 02 14:58:25 ArgusHandleDatum (0x813ed20, 0x806eab0) returning 0ra[2135]: 05 Feb 02 14:58:25 ArgusReadStreamSocket (0x8135350) returning 0
ra[2135]: 05 Feb 02 14:58:25 ArgusReadStreamSocket (0x8135350) starting
ra[2135]: 05 Feb 02 14:58:25 ArgusReadStreamSocket (0x8135350) read 16 bytes
ra[2135]: 05 Feb 02 14:58:25 ArgusReadStreamSocket (0x8135350) returning 0
ra[2135]: 05 Feb 02 14:58:25 ArgusReadStreamSocket (0x8135350) starting
ra[2135]: 05 Feb 02 14:58:25 ArgusReadStreamSocket (0x8135350) read 2245 bytes
ra[2135]: 05 Feb 02 14:58:25 ArgusGenerateCanonicalRecord (0x813ed20, 0xbfffe3f0) returning
29 Apr 74 12:54:40   unkn      0:10:0:0:5:8     <->      f3:3c:0:0:0:0      CON
ra[2135]: 31 Dec 69 21:41:20 ArgusProcessRecord (0xbfffe560) returning
ra[2135]: 31 Dec 69 21:41:20 ArgusHandleDatum (0x813ed20, 0x806eab0) returning 0ra[2135]: 31 Dec 69 21:41:20 ArgusReadStreamSocket (0x8135350) returning 0
ra[2135]: 31 Dec 69 21:41:20 ArgusReadStreamSocket (0x8135350) starting
ra[2135]: 31 Dec 69 21:41:20 ArgusReadStreamSocket (0x8135350) read 16 bytes
ra[2135]: 31 Dec 69 21:41:20 ArgusReadStreamSocket (0x8135350) returning 0
ra[2135]: 31 Dec 69 21:41:20 ArgusReadStreamSocket (0x8135350) starting
ra[2135]: 31 Dec 69 21:41:20 ArgusReadStreamSocket (0x8135350) read 496 bytes
ra[2135]: 31 Dec 69 21:41:20 ArgusGenerateCanonicalRecord (0x813ed20, 0xbfffe3f0) returning
29 Mar 70 15:43:00   unkn  e7:3c:60:63:8c:0     <->       48:0:0:0:0:8      CON
ra[2135]: 29 Jun 70 07:31:36 ArgusProcessRecord (0xbfffe560) returning
ra[2135]: 29 Jun 70 07:31:36 ArgusHandleDatum (0x813ed20, 0x806eab0) returning 0ra[2135]: 29 Jun 70 07:31:36 ArgusReadStreamSocket (0x8135350) returning 0
ra[2135]: 29 Jun 70 07:31:36 ArgusReadStreamSocket (0x8135350) starting
ra[2135]: 29 Jun 70 07:31:36 ArgusReadStreamSocket (0x8135350) read 16 bytes
ra[2135]: 29 Jun 70 07:31:36 ArgusReadStreamSocket (0x8135350) returning 0
ra[2135]: 29 Jun 70 07:31:36 ArgusReadStreamSocket (0x8135350) starting
ra[2135]: 29 Jun 70 07:31:36 ArgusReadStreamSocket (0x8135350) read 1795 bytes
ra[2135]: 29 Jun 70 07:31:36 ArgusGenerateCanonicalRecord (0x813ed20, 0xbfffe3f0) returning
31 Dec 69 16:00:00   unkn       0:0:0:0:0:0     <-       3c:0:0:0:0:10      
ra[2135]: 31 Dec 69 16:00:00 ArgusProcessRecord (0xbfffe560) returning
ra[2135]: 31 Dec 69 16:00:00 ArgusHandleDatum (0x813ed20, 0x806eab0) returning 0ra[2135]: 31 Dec 69 16:00:00 ArgusReadStreamSocket (0x8135350) returning 0
ra[2135]: 31 Dec 69 16:00:00 ArgusReadStreamSocket (0x8135350) starting
ra[2135]: 31 Dec 69 16:00:00 ArgusReadStreamSocket (0x8135350) read 16 bytes
ra[2135]: 31 Dec 69 16:00:00 ArgusReadStreamSocket (0x8135350) returning 0
ra[2135]: 31 Dec 69 16:00:00 ArgusReadStreamSocket (0x8135350) starting
ra[2135]: 31 Dec 69 16:00:00 ArgusReadStreamSocket (0x8135350) read 8700 bytes
ra[2135]: ArgusHandleDatum(0xaf8) input record 8716 size = 118685696
ra[2135]: 31 Dec 69 16:00:00 ArgusShutDown (-1)

It looks like something has trashed the file at this point.

There are 4 argus processes running when I start it up, with two having
the argus.out file open.

Any suggestions?  Help?


Mike Iglesias                          Internet:    iglesias at draco.acs.uci.edu
University of California, Irvine       phone:       949-824-6926
Network & Academic Computing Services  FAX:         949-824-2069

Here are the relevant lines from argus.conf:

ARGUS_MONITOR_ID=`hostname`
ARGUS_INTERFACE=eth1
ARGUS_OUTPUT_FILE=/log/argus/argus.out
ARGUS_SET_PID=yes
ARGUS_GO_PROMISCUOUS=yes
ARGUS_FLOW_STATUS_INTERVAL=120
ARGUS_MAR_STATUS_INTERVAL=300
ARGUS_GENERATE_RESPONSE_TIME_DATA=no
ARGUS_GENERATE_JITTER_DATA=no 
ARGUS_GENERATE_MAC_DATA=no
ARGUS_CAPTURE_DATA_LEN=0
ARGUS_FILTER_OPTIMIZER=yes
ARGUS_FILTER=""

More information about the argus mailing list