Capture Filter Not Working

Peter Van Epp vanepp at sfu.ca
Tue Jul 15 21:57:02 EDT 2003 

	Actually I'd recommend argus-2.0.6.beta.9.tar.gz and 
argus-clients-2.0.6.beta.40.tar.gz at the moment. Beta.10 and beta.41 have some
issues on the BSDs at the moment (although they should be clear soon we hope,
because they have been identified this afternoon).
	I assume you already know that you should sysctl the BPF buffer as 
large as it will go (32K if I remember the code correctly) to avoid packet
loss in bpf. This will show up as lost packets in the man lines in the 
argus output (that is being reported by libpcap from bpf.c in the kernel).
On OpenBsd you may also want to check that the bpf patch thats in FreeBSD
has migrated across, otherwise you can lose partial buffers on shutdown.
	Carter also commented some time ago that dual interfaces take a 
performance penalty in select. I'm in the process of moving from FreeBSD to
Linux (partly because FreeBsd has trouble on my dual Athelon box for the 
Gig links) and using George Becker's channel bonding interface to bind two
interfaces in to a singe interface to bpf. Haven't yet gotten to performance
testing it however.

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada



On Tue, Jul 15, 2003 at 06:18:33PM -0400, Carter Bullard wrote:
> Hey Eric,
>    Go to ftp://qosient.com/dev/argus-2.0 and pick up
> the most recent argus and argus-clients there.
> 
> Carter
> 
> 
> 
> > -----Original Message-----
> > From: owner-argus-info at lists.andrew.cmu.edu 
> > [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of Eric
> > Sent: Tuesday, July 15, 2003 5:44 PM
> > To: Peter Van Epp
> > Cc: argus-info at lists.andrew.cmu.edu
> > Subject: Re: Capture Filter Not Working
> > 
> > 
> > On Tue, 2003-07-15 at 12:06:39 -0700, Peter Van Epp proclaimed...
> > 
> > > 	Hmmm, don't have a 2.0.5 copy handy anymore, but I'd 
> > suggest try it
> > > from the command line. I just did on FreeBSD 4.7 with 
> > 2.0.6.beta.9 and icmp
> > > (no web on the appropiate net unfortunatly). This 
> > connection is also on a
> > > switch (and the Century tap is currently on a Linux box on 
> > the uplink which
> > > isn't a suitable platform for this) so I pinged this machine from 
> > > 142.58.101.25 to create filterable traffic:
> > 
> > Hmmm, ok. So I tried both ARGUS_FILTER="not host 10.6.6.6" and
> > ARGUS_FILTER="tcp dst port 80" and it doesn't work.
> > 
> > Neither does...
> > 
> > /usr/local/sbin/argus -c -d -n /var/run/argus.pid -I 1 -m -P 561 \
> >         -i em0 -i em1 -w /var/log/argus.new.out "not tcp port 80"
> > 
> > The following is what argus yields..
> > 
> > 15 Jul 03 16:40:18    tcp  10.66.50.112.1571   -> 
> > 216.34.209.13.80    RST
> > 15 Jul 03 16:40:18    tcp  10.66.195.47.3357   -> 
> > 207.171.179.30.80    RST
> > 15 Jul 03 16:39:54    tcp   63.144.223.53.3733   -> 
> > 10.66.5.14.80    TIM
> > 15 Jul 03 16:40:01    tcp   80.236.24.136.80     ?> 
> > 10.66.2.18.59615 RST
> > 15 Jul 03 16:40:03    tcp 10.66.131.149.3431   -> 
> > 207.46.196.120.80    TIM
> > 15 Jul 03 16:40:01    tcp   10.66.50.55.2276   ?> 
> > 80.12.137.56.80    FIN
> > 15 Jul 03 16:40:01    tcp   10.66.50.55.2281   ?> 
> > 80.12.137.56.80    FIN
> > 15 Jul 03 16:40:01    tcp   10.66.50.55.2282   ?> 
> > 80.12.137.56.80    FIN
> > 15 Jul 03 16:40:02    tcp  10.66.59.212.2060   -> 
> > 138.12.4.195.80    RST
> > 15 Jul 03 16:40:18    tcp  10.66.74.158.2438   -> 
> > 200.201.192.45.80    RST
> > 15 Jul 03 16:39:52    tcp   10.66.50.55.2220   ?> 
> > 205.188.145.185.80    RST
> > 15 Jul 03 16:40:03    tcp   12.207.159.85.5695   ?> 
> > 10.66.10.21.80    RST
> > 15 Jul 03 16:40:03    tcp  10.66.50.112.1561   -> 
> > 216.34.209.13.80    RST
> > 15 Jul 03 16:39:58    tcp 10.66.171.245.1709   ?> 
> > 216.73.84.71.80    RST
> > 15 Jul 03 16:40:02    tcp   80.236.16.137.80     ?> 
> > 10.66.2.18.59616 RST
> > 15 Jul 03 16:40:02    tcp  207.68.176.250.80     ?> 
> > 10.66.110.126.1263  RST
> > 15 Jul 03 16:40:03    tcp   67.163.44.196.3411   ?> 
> > 10.66.220.35.80    RST
> > 15 Jul 03 16:40:03    tcp  10.66.195.47.3349   -> 
> > 65.243.133.80.80    RST
> > 15 Jul 03 16:40:03    tcp  10.66.183.83.80     ?> 
> > 12.250.222.133.3669  FIN
> > 15 Jul 03 16:40:02    tcp     10.66.1.6.80     ?> 
> > 68.74.122.234.2824  FIN
> > 15 Jul 03 16:40:03    tcp     10.66.1.6.80     ?> 
> > 66.19.49.178.1155  FIN
> > 15 Jul 03 16:40:04    tcp  209.115.237.79.80     ?> 
> > 10.66.195.47.3317  RST
> > 15 Jul 03 16:40:07    tcp    10.66.18.6.51672  -> 
> > 195.134.143.177.80    RST
> > 
> > BTW - I'm watching an OC3c with about 100Mbps sustained -- looking
> > at two intel fiber cards. If I can provide any debugging
> > information please let me know.
> > 
> > - Eric
> > 
> > p.s. You mentioned you're running 2.0.6; where can I grab a 
> > newer release 
> >      of argus to test this with? I didn't know that 2.0.6x was out.
> > 
> > 
>

More information about the argus mailing list