Monitoring two interfaces

Carter Bullard carter at qosient.com
Thu Sep 5 07:53:45 EDT 2002


Hey Andrew,
   Put two ARGUS_INTERFACE lines in the config.   The numbers
seem a bit weird, I've not seen that.  Is it coming from the
shell?  If you have time, send a copy of the output to
the list, so we can all take a look.

   In the /var/log/messages file, you should see a few messages
from argus saying if the interfaces are up.  That is the best
indicator if argus is reading from both interfaces.

   Argus handles a lot of encapsulations, and so it should
deal with VLAN tags well.  It preserves 802.1Q vlan tags in
its output, so when you read the Argus output with ra(), if
the "ind" field has a 'q' in it, that's where an 802.1Q tag
was seen on the flow.

   If you're having any problems, don't hesitate to send mail
to the list!!!!

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street
Suite 18K
New York, New York 10022

+1 212 588-9133 Phone
+1 212 588-9134 Fax

   

> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu 
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of 
> Andrew Pollock
> Sent: Thursday, September 05, 2002 1:49 AM
> To: argus-info at lists.andrew.cmu.edu
> Subject: Monitoring two interfaces
> 
> 
> Hi,
> 
> The comments in the config file for Argus say that it can 
> monitor up to two interfaces. I'm unsure if you specify 
> the two interfaces on one ARGUS_INTERFACE line, or specify 
> two ARGUS_INTERFACE lines.
> 
> I've tried the latter and Argus runs, but spits out a bunch 
> of numbers as it starts (1 6 0 0 96). Not sure if this means 
> anything in particular.
> 
> I'm still trying to determine if I've set up my span ports 
> correctly, so I'm not sure if Argus is actually successfully 
> monitoring both interfaces or not.
> 
> Side question, can Argus handle packets with VLAN tagging in them?
> 
> Andrew
> 


