Monitoring two interfaces
Andrew Pollock
andrew-argus at andrew.net.au
Fri Sep 6 02:05:30 EDT 2002
On Thu, 5 Sep 2002, Carter Bullard wrote:
> Hey Andrew,
> Put two ARGUS_INTERFACE lines in the config. The numbers
> seem a bit weird, I've not seen that. Is it coming from the
> shell? If you have time, send a copy of the output to
> the list, so we can all take a look.
Here's what's in my config:
babbage:~# grep INTERFACE /etc/argus.conf
ARGUS_INTERFACE=eth0
ARGUS_INTERFACE=eth1
And here's the output:
babbage:~# /usr/sbin/argus -w /var/log/argus/argus.log -F /etc/argus.conf -c /var/run/argus.pid
argus[26085]: started
babbage:~# 1
6 0 0 96
> In the /var/log/messages file, you should see a few messages
> from argus saying if the interfaces are up. That is the best
> indicator if argus is reading from both interfaces.
Both interfaces go into promiscuous mode, so I guess it's working...
> Argus handles a lot of encapsulations, and so it should
> deal with VLAN tags well. It preserves 802.1Q vlan tags in
> its output, so when you read the Argus output with ra(), if
> the "ind" field has a 'q' in it, that's where an 802.1Q tag
> was seen on the flow.
Sigh. Sometimes I wonder if I know enough about what I'm talking about to
be able to ask the right questions...
I've got a Cisco 2924XL switch set up with a monitor port monitoring the
trunk port (which has all the stuff I want to be able to account for
running over it).
Problem is, it's all VLAN tagged. If I do a tcpdump, I can't see anything
too legible. If I do a tcpdump to a file and run Ethereal over it, it
doesn't tell me much either. Lots of Link-Layer Control packets. Argus
shows a bit of stuff, but not the amounts of HTTP traffic that I'd expect
to be seeing, and lots of LLC records.
I think the crux of the problem lies with the switch configuration at this
stage.
> If you're having any problems, don't hesitate to send mail
> to the list!!!!
Here I am (again, more, still) :-)
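As an added illustration (not part of the original thread) of what a capture taken from a monitor port on a trunk contains: a small Python classifier that peels 802.1Q tags and separates Ethernet II frames from the 802.3/LLC frames mentioned above, then tallies frames per VLAN ID so you can check whether the tags you expect are really present. The sample frames are constructed for the example, not taken from the author's capture.

```python
import struct
from collections import Counter

ETH_P_8021Q, ETH_P_8021AD = 0x8100, 0x88A8   # 802.1Q tag and 802.1ad (QinQ) outer tag

def parse_frame(frame: bytes) -> dict:
    """Classify one raw Ethernet frame: peel any 802.1Q/802.1ad tags, then decide
    whether it is Ethernet II (type field >= 0x0600) or an 802.3 frame whose
    length field is followed by an LLC header (what tcpdump/Ethereal label LLC)."""
    if len(frame) < 14:
        raise ValueError("truncated frame")
    info = {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"), "vlans": []}
    off = 12
    while True:
        if off + 2 > len(frame):
            raise ValueError("truncated after VLAN tag")
        (typelen,) = struct.unpack_from("!H", frame, off)
        if typelen not in (ETH_P_8021Q, ETH_P_8021AD):
            break
        if off + 4 > len(frame):
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        info["vlans"].append(tci & 0x0FFF)      # 12-bit VLAN ID; PCP/DEI sit in the top 4 bits
        off += 4
    if typelen >= 0x0600:
        info["kind"], info["ethertype"] = "ethernet_ii", typelen
    else:                                        # 802.3: the field is a length, LLC follows
        info["kind"], info["length"] = "llc", typelen
        if off + 4 <= len(frame):
            info["dsap"], info["ssap"] = frame[off + 2], frame[off + 3]
    info["payload"] = frame[off + 2:]
    return info

def vlan_summary(frames):
    """Count frames per (outer VLAN ID or 'untagged') and frame kind, so a capture
    from a monitor port can be checked for the 802.1Q tags you expect to see."""
    return Counter((p["vlans"][0] if p["vlans"] else "untagged", p["kind"])
                   for p in map(parse_frame, frames))

# Constructed sample frames (not a real capture): two 802.1Q-tagged IPv4 frames on VLAN 10
# (the second with PCP 7 set), one untagged ARP frame, and one untagged 802.3/LLC frame
# shaped like an STP BPDU header (DSAP/SSAP 0x42).
_hdr = bytes.fromhex("00112233445500aabbccddee")
SAMPLE_FRAMES = [
    _hdr + struct.pack("!HHH", 0x8100, 0x000A, 0x0800) + bytes(20),
    _hdr + struct.pack("!HHH", 0x8100, 0xE00A, 0x0800) + bytes(20),
    bytes.fromhex("ffffffffffff00aabbccddee") + struct.pack("!H", 0x0806) + bytes(28),
    bytes.fromhex("0180c200000000aabbccddee") + struct.pack("!H", 38) + bytes([0x42, 0x42, 0x03]) + bytes(35),
]

if __name__ == "__main__":
    for p in map(parse_frame, SAMPLE_FRAMES):
        print(p["kind"], p["vlans"], p.get("ethertype"), p.get("dsap"))
    print(vlan_summary(SAMPLE_FRAMES))
```

Feed it frames read from a pcap (for example via the standard `struct`-based pcap record loop, or a library of your choice) to see whether the trunk's traffic arrives tagged or is being stripped before it reaches the monitor port.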