Monitoring two interfaces

Carter Bullard carter at qosient.com
Tue Sep 10 08:12:56 EDT 2002


Hey Andrew,
   Hmmmm, well, argus definitely decodes 802.1Q, no problem
with that.  If etherpeek and tcpdump are also having
problems decoding these packets, then they probably
are not standard 802.1Q.  What is it?

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street
Suite 18K
New York, New York 10022

+1 212 588-9133 Phone
+1 212 588-9134 Fax


> -----Original Message-----
> From: Andrew Pollock [mailto:andrew at andrew.net.au] 
> Sent: Friday, September 06, 2002 10:16 PM
> To: Carter Bullard
> Subject: RE: Monitoring two interfaces
> 
> 
> On 06.09.2002 at 20:47:03, Carter Bullard <carter at qosient.com> wrote:
> 
> > Hey Andrew,
> >    You shouldn't need to put the "-F /etc/argus.conf" on
> > the command line, argus should try to use this configuration
> > as the default.  Are you running ISL vlans, the nefarious
> > Cisco vlan tagging technology that few seem to be able
> > to decode with any regularity?  I'll look to see if I can
> > add ISL support to argus quickly.  Possibly next week.
> 
> No, I'm not using ISL trunking, I'm using "dot1q".
> 
> > Carter
> > 
> > Carter Bullard
> > QoSient, LLC
> > 300 E. 56th Street
> > Suite 18K
> > New York, New York 10022
> > 
> > +1 212 588-9133 Phone
> > +1 212 588-9134 Fax
> > 
> > > -----Original Message-----
> > > From: owner-argus-info at lists.andrew.cmu.edu
> > > [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of 
> > > Andrew Pollock
> > > Sent: Friday, September 06, 2002 2:06 AM
> > > To: Carter Bullard
> > > Cc: argus-info at lists.andrew.cmu.edu
> > > Subject: RE: Monitoring two interfaces
> > > 
> > > 
> > > On Thu, 5 Sep 2002, Carter Bullard wrote:
> > > 
> > > > Hey Andrew,
> > > > >    Put two ARGUS_INTERFACE lines in the config.   The numbers
> > > > > seem a bit weird, I've not seen that.  Is it coming from the shell?
> > > > > If you have time, send a copy of the output to the list, so we can all
> > > > > take a look.
> > > 
> > > Here's what's in my config:
> > > 
> > > > babbage:~# grep INTERFACE /etc/argus.conf
> > > > ARGUS_INTERFACE=eth0
> > > > ARGUS_INTERFACE=eth1
> > > 
> > > And here's the output:
> > > 
> > > > babbage:~# /usr/sbin/argus -w /var/log/argus/argus.log -F /etc/argus.conf -c /var/run/argus.pid
> > > argus[26085]: started
> > > babbage:~# 1
> > > 6 0 0 96
> > > 
> > > > >    In the /var/log/messages file, you should see a few messages from
> > > > > argus saying if the interfaces are up.  That is the best indicator if
> > > > > argus is reading from both interfaces.
> > > 
> > > > Both interfaces go into promiscuous mode, so I guess it's working...
> > > 
> > > > >    Argus handles a lot of encapsulations, and so it should deal with
> > > > > VLAN tags well.  It preserves 802.1Q vlan tags in its output, so when
> > > > > you read the Argus output with ra(), if the "ind" field has a 'q' in
> > > > > it, that's where an 802.1Q tag was seen on the flow.
> > > 
> > > Sigh. Sometimes I wonder if I know enough about what I'm
> > > talking about to be able to ask the right questions...
> > > 
> > > > I've got a Cisco 2924XL switch set up with a monitor port
> > > monitoring the trunk port (which has all the stuff I want to 
> > > be able to account for running over it).
> > > 
> > > Problem is, it's all VLAN tagged. If I do a tcpdump, I can't
> > > see anything too legible. If I do a tcpdump to a file and run 
> > > Ethereal over it, it doesn't tell me much either. Lots of 
> > > Link-Layer Control packets. Argus shows a bit of stuff, but 
> > > not the amounts of HTTP traffic that I'd expect to be seeing, 
> > > and lots of LLC records.
> > > 
> > > I think the crux of the problem lies with the switch
> > > configuration at this stage.
> > > 
> > > > >    If you're having any problems, don't hesitate to send mail to the
> > > > > list!!!!
> > > 
> > > Here I am (again, more, still) :-)
> > > 
> > > 
> > 
> > 
> 
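
As an added illustration (not part of the original thread and not argus code): a short Python classifier for the two trunk encapsulations discussed above, 802.1Q and Cisco ISL, which also shows how an ISL frame looks to a decoder without ISL support. The frames are constructed samples, and the names `classify` and `isl_aware` are hypothetical.

```python
import struct

TPID_8021Q = 0x8100
# Fixed 40-bit destination prefixes that open a Cisco ISL header
ISL_DA = (bytes.fromhex("01000c0000"), bytes.fromhex("03000c0000"))

def classify(frame: bytes, isl_aware: bool = True) -> dict:
    """Report the link-layer encapsulation of one captured frame."""
    if len(frame) < 14:
        return {"encap": "truncated"}
    if (isl_aware and len(frame) >= 40 and frame[:5] in ISL_DA
            and frame[14:17] == b"\xaa\xaa\x03"):
        # 26-byte ISL header: VLAN is the top 15 bits at offset 20,
        # the low bit is the BPDU flag; the original frame follows.
        vlan = struct.unpack("!H", frame[20:22])[0] >> 1
        return {"encap": "isl", "vlan": vlan, "inner": classify(frame[26:])}
    (type_or_len,) = struct.unpack("!H", frame[12:14])
    if type_or_len == TPID_8021Q:
        if len(frame) < 18:
            return {"encap": "truncated"}
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        return {"encap": "802.1q", "vlan": tci & 0x0FFF,
                "pcp": tci >> 13, "ethertype": ethertype}
    if type_or_len <= 1500:
        # 802.3 length field, so an LLC header follows. Offset 12 of an ISL
        # header is also a length, followed by AA AA 03, which is why a
        # decoder without ISL support lands here and reports LLC/SNAP.
        return {"encap": "802.3/llc", "length": type_or_len}
    return {"encap": "ethernet2", "ethertype": type_or_len}

# Constructed sample frames (not captured traffic): an IPv4 frame on VLAN 10
MACS = bytes.fromhex("001122334455 66778899aabb")
PLAIN = MACS + bytes.fromhex("0800") + bytes(46)
DOT1Q = MACS + bytes.fromhex("8100 000a 0800") + bytes(46)
ISL = (bytes.fromhex("01000c0000 00 66778899aabb 0048 aaaa03 00000c 0014 0000 0000")
       + PLAIN + bytes(4))  # trailing 4 bytes stand in for the ISL CRC

if __name__ == "__main__":
    for name, frame in (("plain", PLAIN), ("dot1q", DOT1Q), ("isl", ISL)):
        print(name, classify(frame), classify(frame, isl_aware=False))
```
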


