argus output file messed up

Carter Bullard carter at qosient.com
Tue Feb 5 20:29:58 EST 2002


Hey Mike,
   Try out argus-2.0.5.beta.1 from the dev section
to get past the problems with the libpcap distributed
with RH 7.2.

   Yes, it looks like you have two processes writing to
the same file at the same time.  This is not a good thing
and is probably the cause of your corruption.  
This can happen if argus reads its configuration
file more than once, or if an output file is specified
in the /etc/argus.conf file and also on the command line.

   Argus will always read the /etc/argus.conf prior to
any processing, but it could also find an argus.conf in
the caller's home directory, and possibly in the $ARGUSPATH
environment variable if it is defined.

   How are you calling argus?

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter at qosient.com
Phone +1 212 588-9133
Fax   +1 212 588-9134
http://qosient.com

> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu 
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of 
> Mike Iglesias
> Sent: Tuesday, February 05, 2002 6:53 PM
> To: argus-info at lists.andrew.cmu.edu
> Subject: argus output file messed up
> 
> 
> I'm starting to set up argus 2.0.4 on a dual 1GHz processor 
> system running RedHat Linux 7.2.  I compiled the software 
> (using libpcap 6.2 since the one that came with RH 7.2 broke 
> it) and used the sample config file when I started it up.  A 
> copy of the non-comment lines in the argus.conf file are below.
> 
> argus runs fine - the output file is getting updated since 
> the network is somewhat busy.  But when I run ra, I get 
> strange output a few hundred records into the file.  The 
> output of "ra -r argus.out" looks like this:
> 
> 05 Feb 02 14:58:15    arp   128.200.34.41     who-has   128.200.34.12       CON
> 05 Feb 02 14:58:15    tcp    64.152.75.12.51464  ->      128.200.34.8.80    RST
> 29 Apr 74 12:54:40   unkn      0:10:0:0:5:8     <->      f3:3c:0:0:0:0      CON
> 29 Mar 70 15:43:00   unkn  e7:3c:60:63:8c:0     <->       48:0:0:0:0:8      CON
> 31 Dec 69 16:00:00   unkn       0:0:0:0:0:0     <-       3c:0:0:0:0:10
> ra[2131]: ArgusHandleDatum(0xaf8) input record 8716 size = 118685696
> 
> The last couple of lines with -D 8 look like this:
> 
> 05 Feb 02 14:58:15    tcp    64.152.75.12.51464  ->      128.200.34.8.80    RST
> ra[2135]: 05 Feb 02 14:58:25 ArgusProcessRecord (0xbfffe560) returning
> ra[2135]: 05 Feb 02 14:58:25 ArgusHandleDatum (0x813ed20, 0x806eab0) returning 0
> ra[2135]: 05 Feb 02 14:58:25 ArgusReadStreamSocket (0x8135350) returning 0
> ra[2135]: 05 Feb 02 14:58:25 ArgusReadStreamSocket (0x8135350) starting
> ra[2135]: 05 Feb 02 14:58:25 ArgusReadStreamSocket (0x8135350) read 16 bytes
> ra[2135]: 05 Feb 02 14:58:25 ArgusReadStreamSocket (0x8135350) returning 0
> ra[2135]: 05 Feb 02 14:58:25 ArgusReadStreamSocket (0x8135350) starting
> ra[2135]: 05 Feb 02 14:58:25 ArgusReadStreamSocket (0x8135350) read 2245 bytes
> ra[2135]: 05 Feb 02 14:58:25 ArgusGenerateCanonicalRecord (0x813ed20, 0xbfffe3f0) returning
> 29 Apr 74 12:54:40   unkn      0:10:0:0:5:8     <->      f3:3c:0:0:0:0      CON
> ra[2135]: 31 Dec 69 21:41:20 ArgusProcessRecord (0xbfffe560) returning
> ra[2135]: 31 Dec 69 21:41:20 ArgusHandleDatum (0x813ed20, 0x806eab0) returning 0
> ra[2135]: 31 Dec 69 21:41:20 ArgusReadStreamSocket (0x8135350) returning 0
> ra[2135]: 31 Dec 69 21:41:20 ArgusReadStreamSocket (0x8135350) starting
> ra[2135]: 31 Dec 69 21:41:20 ArgusReadStreamSocket (0x8135350) read 16 bytes
> ra[2135]: 31 Dec 69 21:41:20 ArgusReadStreamSocket (0x8135350) returning 0
> ra[2135]: 31 Dec 69 21:41:20 ArgusReadStreamSocket (0x8135350) starting
> ra[2135]: 31 Dec 69 21:41:20 ArgusReadStreamSocket (0x8135350) read 496 bytes
> ra[2135]: 31 Dec 69 21:41:20 ArgusGenerateCanonicalRecord (0x813ed20, 0xbfffe3f0) returning
> 29 Mar 70 15:43:00   unkn  e7:3c:60:63:8c:0     <->       48:0:0:0:0:8      CON
> ra[2135]: 29 Jun 70 07:31:36 ArgusProcessRecord (0xbfffe560) returning
> ra[2135]: 29 Jun 70 07:31:36 ArgusHandleDatum (0x813ed20, 0x806eab0) returning 0
> ra[2135]: 29 Jun 70 07:31:36 ArgusReadStreamSocket (0x8135350) returning 0
> ra[2135]: 29 Jun 70 07:31:36 ArgusReadStreamSocket (0x8135350) starting
> ra[2135]: 29 Jun 70 07:31:36 ArgusReadStreamSocket (0x8135350) read 16 bytes
> ra[2135]: 29 Jun 70 07:31:36 ArgusReadStreamSocket (0x8135350) returning 0
> ra[2135]: 29 Jun 70 07:31:36 ArgusReadStreamSocket (0x8135350) starting
> ra[2135]: 29 Jun 70 07:31:36 ArgusReadStreamSocket (0x8135350) read 1795 bytes
> ra[2135]: 29 Jun 70 07:31:36 ArgusGenerateCanonicalRecord (0x813ed20, 0xbfffe3f0) returning
> 31 Dec 69 16:00:00   unkn       0:0:0:0:0:0     <-       3c:0:0:0:0:10
> ra[2135]: 31 Dec 69 16:00:00 ArgusProcessRecord (0xbfffe560) returning
> ra[2135]: 31 Dec 69 16:00:00 ArgusHandleDatum (0x813ed20, 0x806eab0) returning 0
> ra[2135]: 31 Dec 69 16:00:00 ArgusReadStreamSocket (0x8135350) returning 0
> ra[2135]: 31 Dec 69 16:00:00 ArgusReadStreamSocket (0x8135350) starting
> ra[2135]: 31 Dec 69 16:00:00 ArgusReadStreamSocket (0x8135350) read 16 bytes
> ra[2135]: 31 Dec 69 16:00:00 ArgusReadStreamSocket (0x8135350) returning 0
> ra[2135]: 31 Dec 69 16:00:00 ArgusReadStreamSocket (0x8135350) starting
> ra[2135]: 31 Dec 69 16:00:00 ArgusReadStreamSocket (0x8135350) read 8700 bytes
> ra[2135]: ArgusHandleDatum(0xaf8) input record 8716 size = 118685696
> ra[2135]: 31 Dec 69 16:00:00 ArgusShutDown (-1)
> 
> It looks like something has trashed the file at this point.
> 
> There are 4 argus processes running when I start it up, with 
> two having the argus.out file open.
> 
> Any suggestions?  Help?
> 
> 
> Mike Iglesias                          Internet:    
> iglesias at draco.acs.uci.edu
> University of California, Irvine       phone:       949-824-6926
> Network & Academic Computing Services  FAX:         949-824-2069
> 
> Here are the relevant lines from argus.conf:
> 
> ARGUS_MONITOR_ID=`hostname`
> ARGUS_INTERFACE=eth1
> ARGUS_OUTPUT_FILE=/log/argus/argus.out
> ARGUS_SET_PID=yes
> ARGUS_GO_PROMISCUOUS=yes
> ARGUS_FLOW_STATUS_INTERVAL=120
> ARGUS_MAR_STATUS_INTERVAL=300
> ARGUS_GENERATE_RESPONSE_TIME_DATA=no
> ARGUS_GENERATE_JITTER_DATA=no
> ARGUS_GENERATE_MAC_DATA=no
> ARGUS_CAPTURE_DATA_LEN=0
> ARGUS_FILTER_OPTIMIZER=yes
> ARGUS_FILTER=""
> 
> 
> 
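An added diagnostic for the double-writer problem Carter describes (example code written for this page, not part of the thread or of Argus): it parses the argus.conf locations he names, reports any ARGUS_OUTPUT_FILE set from more than one place (including one given on the command line), and lists the PIDs holding the output file open, which is how to confirm Mike's observation that two processes had argus.out open. Treating $ARGUSPATH as a directory containing argus.conf is an assumption, as is the command-line output file being passed in by the caller.

```python
import os
import re
from pathlib import Path
_KV = re.compile(r"^\s*([A-Z_]+)\s*=\s*(.*?)\s*$")  # KEY=VALUE; '#' lines never match

def parse_argus_conf(text):
    """KEY=VALUE lines -> dict; blanks and comments are skipped, quotes stripped."""
    settings = {}
    for line in text.splitlines():
        m = _KV.match(line)
        if m:
            settings[m.group(1)] = m.group(2).strip('"')
    return settings

def candidate_conf_paths(home=None):
    """/etc/argus.conf, ~/argus.conf and (assumption) $ARGUSPATH/argus.conf."""
    paths = [Path("/etc/argus.conf"), Path(home or Path.home()) / "argus.conf"]
    if os.environ.get("ARGUSPATH"):
        paths.append(Path(os.environ["ARGUSPATH"]) / "argus.conf")
    return paths

def load_conf_texts(paths):
    """{path: contents} for the candidate files that actually exist."""
    return {str(p): p.read_text() for p in paths if p.is_file()}

def output_file_sources(conf_texts, cmdline_output=None):
    """Map each ARGUS_OUTPUT_FILE value to every place that set it."""
    sources = {}
    for name, text in conf_texts.items():
        out = parse_argus_conf(text).get("ARGUS_OUTPUT_FILE")
        if out:
            sources.setdefault(out, []).append(name)
    if cmdline_output:  # an output file given on the command line is one more source
        sources.setdefault(cmdline_output, []).append("command line")
    return sources

def conflicts(sources):
    """Output files set from more than one place: the double-write risk in the thread."""
    return {f: s for f, s in sources.items() if len(s) > 1}

def writers_of(path):
    """PIDs holding the file open, from /proc/<pid>/fd (Linux only; [] elsewhere)."""
    pids = []
    for fd_dir in Path("/proc").glob("[0-9]*/fd"):
        try:
            if any(os.readlink(fd) == path for fd in fd_dir.iterdir()):
                pids.append(int(fd_dir.parent.name))
        except OSError:  # another user's process, or it exited mid-scan
            continue
    return pids
```

Run `conflicts(output_file_sources(load_conf_texts(candidate_conf_paths()), cmdline_output))` on the monitoring host; any entry it returns, or more than one argus PID from `writers_of("/log/argus/argus.out")`, reproduces the condition Carter points at.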


