Monitoring two interfaces

Jenkinson, John P (SAIC) JenkinJp at BP.com
Tue Nov 19 21:21:02 EST 2002


This is interesting.
This would appear to place the argus data from two interfaces into one argus
data file.
This would be good for us: reduce the number of argus machines, put the
data in one data file for most purposes.
There will be occasion to segregate the data according to the interface it
crossed.
In the ra command I see the i option is "print source probe ID". Is this the
interface ID?
Is there a way to break out the data by the interface it crossed if the
occasion does arise?

-----Original Message-----
From: Andrew Pollock [mailto:andrew-argus at andrew.net.au]
Sent: Thursday, September 05, 2002 10:06 PM
To: Carter Bullard
Cc: argus-info at lists.andrew.cmu.edu
Subject: RE: Monitoring two interfaces


On Thu, 5 Sep 2002, Carter Bullard wrote:

> Hey Andrew,
>    Put two ARGUS_INTERFACE lines in the config.   The numbers
> seem a bit weird, I've not seen that.  Is it coming from the
> shell?  If you have time, send a copy of the output to
> the list, so we can all take a look.

Here's what's in my config:

babbage:~# grep INTERFACE /etc/argus.conf
ARGUS_INTERFACE=eth0
ARGUS_INTERFACE=eth1

And here's the output:

babbage:~# /usr/sbin/argus -w /var/log/argus/argus.log -F /etc/argus.conf -c /var/run/argus.pid
argus[26085]: started
babbage:~# 1
6 0 0 96

>    In the /var/log/messages file, you should see a few messages
> from argus saying if the interfaces are up.  That is the best
> indicator if argus is reading from both interfaces.

Both interfaces go into promiscuous mode, so I guess it's working...

>    Argus handles a lot of encapsulations, and so it should
> deal with VLAN tags well.  It preserves 802.1Q vlan tags in
> its output, so when you read the Argus output with ra(), if
> the "ind" field has a 'q' in it, that's where an 802.1Q tag
> was seen on the flow.

Sigh. Sometimes I wonder if I know enough about what I'm talking about to
be able to ask the right questions...

I've got a Cisco 2924XL switch set up with a monitor port monitoring the
trunk port (which has all the stuff I want to be able to account for
running over it).

Problem is, it's all VLAN tagged. If I do a tcpdump, I can't see anything
too legible. If I do a tcpdump to a file and run Ethereal over it, it
doesn't tell me much either. Lots of Link-Layer Control packets. Argus
shows a bit of stuff, but not the amounts of HTTP traffic that I'd expect
to be seeing, and lots of LLC records.

I think the crux of the problem lies with the switch configuration at this
stage.

>    If you're having any problems, don't hesitate to send mail
> to the list!!!!

Here I am (again, more, still) :-)
