Capture Filter Not Working

[Eric]

On Tue, 2003-07-15 at 18:57:02 -0700, Peter Van Epp proclaimed...

> 	Actually I'd recommend argus-2.0.6.beta.9.tar.gz and 
> argus-clients-2.0.6.beta.40.tar.gz at the moment. Beta.10 and beta.41 have some
> issues on the BSDs at the moment (although they should be clear soon we hope,
> because they have been identified this afternoon).

I ended up upgrading to 2.0.6b9

Seems like the issue is working now (being able to filter out
packets). So basically, under FreeBSD 5.1 and OpenBSD 3.3, the
ARGUS_PACKET_FILTER, and any other command line filtering, appears
to be broken. I think this was true for Linux 2.4.x as well (a
reason we moved to FreeBSD -- besides the political reasons).

Should I issue a bug report through argusbug or is this good
enough?

> 	I assume you already know that you should sysctl the BPF buffer as 
> large as it will go (32K if I remember the code correctly) to avoid packet
> loss in bpf. This will show up as lost packets in the man lines in the 
> argus output (that is being reported by libpcap from bpf.c in the kernel).
> On OpenBsd you may also want to check that the bpf patch thats in FreeBSD
> has migrated across, otherwise you can lose partial buffers on shutdown.

Thanks. :)

> 	Carter also commented some time ago that dual interfaces take a 
> performance penalty in select. I'm in the process of moving from FreeBSD to
> Linux (partly because FreeBsd has trouble on my dual Athelon box for the 
> Gig links) and using George Becker's channel bonding interface to bind two
> interfaces in to a singe interface to bpf. Haven't yet gotten to performance
> testing it however.

Lemme know how this goes; is there an archive of tihs list
somewhere to poke around?

Thanks.

- Eric