Monitoring two interfaces

Carter Bullard carter at qosient.com
Wed Nov 20 00:05:17 EST 2002


Hey John,
   Generally, argus should open multiple interfaces
if flows are distributed across the interfaci.
So if you're tapping a link and the transmit side is
mirrored to one interface and the receive side is
mirrored to another, then argus should definitely
open both interfaces.

   If the multiple interfaces are disjoint, say
in a multi-homed host, then a better strategy is
multiple argi each opening a single interface, with
a common collector.  This will allow you to track the
interface utilization better than if you have one
argus opening multiple interfaci.

   Best way to break out the interfaces is to track
the MAC addresses, which can be supplied in each
record and to make sure that each interface has a
different address.

Hope this helps,

Carter




> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu 
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of 
> Jenkinson, John P (SAIC)
> Sent: Tuesday, November 19, 2002 9:21 PM
> To: argus-info at lists.andrew.cmu.edu
> Subject: RE: Monitoring two interfaces
> 
> 
> this is interesting
> this would appear to place the argus data from two interfaces
> into one argus data file
> this would be good for us - reduce the number of argus
> machines, put the data in one data file
> for most purposes
> there will be occasion to segregate the data according to the
> interface it crossed
> in the ra command i see the i option is print source probe ID
>   is this the interface ID?
> is there a way to break out the data by the interface it crossed if the
> occasion does arise?
> 
> -----Original Message-----
> From: Andrew Pollock [mailto:andrew-argus at andrew.net.au]
> Sent: Thursday, September 05, 2002 10:06 PM
> To: Carter Bullard
> Cc: argus-info at lists.andrew.cmu.edu
> Subject: RE: Monitoring two interfaces
> 
> 
> On Thu, 5 Sep 2002, Carter Bullard wrote:
> 
> > Hey Andrew,
> >    Put two ARGUS_INTERFACE lines in the config.   The numbers
> > seem a bit weird, I've not seen that.  Is it coming from the
> > shell?  If you have time, send a copy of the output to
> > the list, so we can all take a look.
> 
> Here's what's in my config:
> 
> babbage:~# grep INTERFACE /etc/argus.conf
> ARGUS_INTERFACE=eth0
> ARGUS_INTERFACE=eth1
> 
> And here's the output:
> 
> babbage:~# /usr/sbin/argus -w /var/log/argus/argus.log -F 
> /etc/argus.conf
> -c /var/run/argus.pid
> argus[26085]: started
> babbage:~# 1
> 6 0 0 96
> 
> >    In the /var/log/messages file, you should see a few messages
> > from argus saying if the interfaces are up.  That is the best
> > indicator if argus is reading from both interfaces.
> 
> Both interfaces go into promiscuous mode, so I guess it's working...
> 
> >    Argus handles a lot of encapsulations, and so it should
> > deal with VLAN tags well.  It preserves 802.1Q vlan tags in
> > its output, so when you read the Argus output with ra(), if
> > the "ind" field has a 'q' in it, that's where an 802.1Q tag
> > was seen on the flow.
> 
> Sigh. Sometimes I wonder if I know enough about what I'm 
> talking about to
> be able to ask the right questions...
> 
> I've got a Cisco 2924XL switch setup with a monitor port 
> monitoring the
> trunk port (which has all the stuff I want to be able to account for
> running over it).
> 
> Problem is, it's all VLAN tagged. If I do a tcpdump, I can't 
> see anything
> too legible. If I do a tcpdump to a file and run Ethereal over it, it
> doesn't tell me much either. Lots of Link-Layer Control packets. Argus
> shows a bit of stuff, but not the amounts of HTTP traffic 
> that I'd expect
> to be seeing, and lots of LLC records.
> 
> I think the crux of the problem lies with the switch 
> configuration at this
> stage.
> 
> >    If you're having any problems, don't hesitate to send mail
> > to the list!!!!
> 
> Here I am (again, more, still) :-)
> 
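Carter's suggestion above, breaking flows out by the MAC addresses carried in each record, as an added example that is not part of this thread or of the argus project. It assumes a constructed CSV export with smac, dmac and bytes columns; the real ra output format and field names are not shown on this page, so adapt the column names to what your ra version prints.

```python
"""Break out flow records by the interface they crossed, using the MAC
addresses in each record, and total bytes per interface.

Added example; constructed input, not real argus/ra output.
"""
import csv
import io
from collections import defaultdict

# Constructed: the MAC of the router port seen on each monitored interface.
# Each interface must carry a distinct address for this to be unambiguous.
INTERFACE_MACS = {
    "eth0": "00:11:22:33:44:01",
    "eth1": "00:11:22:33:44:02",
}

# Constructed sample records in a CSV layout (assumed, not ra's real format).
SAMPLE_RECORDS = """\
smac,dmac,saddr,daddr,proto,bytes
00:11:22:33:44:01,aa:bb:cc:dd:ee:10,10.0.0.5,192.0.2.7,tcp,1500
aa:bb:cc:dd:ee:10,00:11:22:33:44:01,192.0.2.7,10.0.0.5,tcp,800
00:11:22:33:44:02,aa:bb:cc:dd:ee:20,10.0.1.9,198.51.100.3,udp,300
aa:bb:cc:dd:ee:30,aa:bb:cc:dd:ee:31,10.0.2.1,10.0.2.2,tcp,64
"""


def interface_for(record, interface_macs=INTERFACE_MACS):
    """Return the interface whose MAC is the record's source or destination.

    Returns None when neither interface MAC is present, or when both are
    (a record that cannot be attributed to a single interface).
    """
    macs = {record["smac"].lower(), record["dmac"].lower()}
    hits = [name for name, mac in interface_macs.items() if mac.lower() in macs]
    return hits[0] if len(hits) == 1 else None


def bytes_per_interface(text, interface_macs=INTERFACE_MACS):
    """Sum the bytes field per interface; unattributable records go to 'unknown'."""
    totals = defaultdict(int)
    for rec in csv.DictReader(io.StringIO(text)):
        totals[interface_for(rec, interface_macs) or "unknown"] += int(rec["bytes"])
    return dict(totals)


if __name__ == "__main__":
    for name, total in sorted(bytes_per_interface(SAMPLE_RECORDS).items()):
        print(f"{name}: {total} bytes")
```

Records that match neither interface MAC (or both) are reported under "unknown" so they can be checked rather than silently miscounted.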


