Capture Filter Not Working

Peter Van Epp vanepp at sfu.ca
Wed Jul 16 11:26:13 EDT 2003


	While Carter will know for sure, I have some recollection that this
is why we are working on 2.0.6, I think someone else already found this 
problem. I don't filter anything on my link so I didn't run into it (and 
didn't test for it when checking the various BSDs on 2.0.5 either).

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

On Tue, Jul 15, 2003 at 11:59:47PM -0500, Eric wrote:
> On Tue, 2003-07-15 at 18:57:02 -0700, Peter Van Epp proclaimed...
> 
> > 	Actually I'd recommend argus-2.0.6.beta.9.tar.gz and 
> > argus-clients-2.0.6.beta.40.tar.gz at the moment. Beta.10 and beta.41 have some
> > issues on the BSDs at the moment (although they should be clear soon we hope,
> > because they have been identified this afternoon).
> 
> I ended up upgrading to 2.0.6b9
> 
> Seems like the issue is working now (being able to filter out
> packets). So basically, under FreeBSD 5.1 and OpenBSD 3.3, the
> ARGUS_PACKET_FILTER, and any other command line filtering, appears
> to be broken. I think this was true for Linux 2.4.x as well (a
> reason we moved to FreeBSD -- besides the political reasons).
> 
> Should I issue a bug report through argusbug or is this good
> enough?
> 
> > 	I assume you already know that you should sysctl the BPF buffer as 
> > large as it will go (32K if I remember the code correctly) to avoid packet
> > loss in bpf. This will show up as lost packets in the man lines in the 
> > argus output (that is being reported by libpcap from bpf.c in the kernel).
> > On OpenBSD you may also want to check that the bpf patch that's in FreeBSD
> > has migrated across, otherwise you can lose partial buffers on shutdown.
> 
> Thanks. :)
> 
> > 	Carter also commented some time ago that dual interfaces take a 
> > performance penalty in select. I'm in the process of moving from FreeBSD to
> > Linux (partly because FreeBSD has trouble on my dual Athlon box for the 
> > Gig links) and using George Becker's channel bonding interface to bind two
> > interfaces into a single interface to bpf. Haven't yet gotten to performance
> > testing it however.
> 
> Lemme know how this goes; is there an archive of this list
> somewhere to poke around?
> 
> Thanks.
> 
> - Eric
