Monitoring two interfaces

Carter Bullard carter at qosient.com
Tue Sep 10 10:11:51 EDT 2002 

Hey Andrew,
   If you can capture some of these strange "dot1q"
packets, I can snoop around a bit to see whats going
on.  Be sure and use a snap length using tcpdump of
at least 96 bytes.

Thanks!

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street
Suite 18K
New York, New York 10022

+1 212 588-9133 Phone
+1 212 588-9134 Fax

> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu 
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of 
> Carter Bullard
> Sent: Tuesday, September 10, 2002 8:13 AM
> To: 'Andrew Pollock'
> Cc: Argus
> Subject: RE: Monitoring two interfaces
> 
> 
> Hey Andrew,
>    Hmmmm, well, argus definitely decodes 802.1Q, no problem
> with that.  If etherpeek and tcpdump are also having
> problems decoding these packets, then they probably
> are not standard 802.1Q.  What is it?
> 
> Carter
> 
> Carter Bullard
> QoSient, LLC
> 300 E. 56th Street
> Suite 18K
> New York, New York 10022
> 
> +1 212 588-9133 Phone
> +1 212 588-9134 Fax
> 
> 
> > -----Original Message-----
> > From: Andrew Pollock [mailto:andrew at andrew.net.au] 
> > Sent: Friday, September 06, 2002 10:16 PM
> > To: Carter Bullard
> > Subject: RE: Monitoring two interfaces
> > 
> > 
> > On 06.09.2002 at 20:47:03, Carter Bullard 
> <carter at qosient.com> wrote:
> > 
> > > Hey Andrew,
> > >    You shouldn't need to put the "-F /etc/argus.conf" on
> > > the command line, argus should try to use this configuration
> > > as the default.  Are you running ISL vlans, the nefarious
> > > Cisco vlan tagging technology that few seem to be able
> > > to decode with any regularity?  I'll look to see if I can
> > > add ISL support to argus quickly.  Possibly next week.
> > 
> > No, I'm not using ISL trunking, I'm using "dot1q".
> > 
> > > Carter
> > > 
> > > Carter Bullard
> > > QoSient, LLC
> > > 300 E. 56th Street
> > > Suite 18K
> > > New York, New York 10022
> > > 
> > > +1 212 588-9133 Phone
> > > +1 212 588-9134 Fax
> > > 
> > > > -----Original Message-----
> > > > From: owner-argus-info at lists.andrew.cmu.edu
> > > > [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of 
> > > > Andrew Pollock
> > > > Sent: Friday, September 06, 2002 2:06 AM
> > > > To: Carter Bullard
> > > > Cc: argus-info at lists.andrew.cmu.edu
> > > > Subject: RE: Monitoring two interfaces
> > > > 
> > > > 
> > > > On Thu, 5 Sep 2002, Carter Bullard wrote:
> > > > 
> > > > > Hey Andrew,
> > > > >    Put two ARGUS_INTERFACE lines in the config.   The numbers
> > > > > seem a bit weird, I've not seen that.  Is it coming from
> > > > the shell?
> > > > > If you have time, send a copy of the output to the list, so
> > > > we can all
> > > > > take a look.
> > > > 
> > > > Here's what's in my config:
> > > > 
> > > > babbage:~# grep INTERFACE /etc/argus.conf ARGUS_INTERFACE=eth0
> > > > ARGUS_INTERFACE=eth1
> > > > 
> > > > And here's the output:
> > > > 
> > > > babbage:~# /usr/sbin/argus -w /var/log/argus/argus.log -F
> > > > /etc/argus.conf -c /var/run/argus.pid
> > > > argus[26085]: started
> > > > babbage:~# 1
> > > > 6 0 0 96
> > > > 
> > > > >    In the /var/log/messages file, you should see a few
> > > > messages from
> > > > > argus saying if the interfaces are up.  That is the best
> > > > indicator if
> > > > > argus is reading from both interfaces.
> > > > 
> > > > Both interfaces go into promiscuous mode, so I guess it's 
> > working...
> > > > 
> > > > >    Argus handles a lot of encapsulations, and so it should
> > > > deal with
> > > > > VLAN tags well.  It preserves 802.1Q vlan tags in its
> > > > output, so when
> > > > > you read the Argus output with ra(), if the "ind" field has
> > > > a 'q' in
> > > > > it, that's where an 802.1Q tag was seen on the flow.
> > > > 
> > > > Sigh. Sometimes I wonder if I know enough about what I'm
> > > > talking about to be able to ask the right questions...
> > > > 
> > > > I've got a Cisco 2924XL switch setup with a monitor port
> > > > monitoring the trunk port (which has all the stuff I want to 
> > > > be able to account for running over it).
> > > > 
> > > > Problem is, it's all VLAN tagged. If I do a tcpdump, I can't
> > > > see anything too legible. If I do a tcpdump to a file and run 
> > > > Ethereal over it, it doesn't tell me much either. Lots of 
> > > > Link-Layer Control packets. Argus shows a bit of stuff, but 
> > > > not the amounts of HTTP traffic that I'd expect to be seeing, 
> > > > and lots of LLC records.
> > > > 
> > > > I think the crux of the problem lies with the switch
> > > > configuration at this stage.
> > > > 
> > > > >    If you're having any problems, don't hesitate to send
> > > > mail to the
> > > > > list!!!!
> > > > 
> > > > Here I am (again, more, still) :-)
> > > > 
> > > > 
> > > 
> > > 
> > 
> 
> 
>

More information about the argus mailing list