Using tcpdump input

Carter Bullard carter at qosient.com
Tue Mar 25 08:33:37 EST 2003


Hey Andrew,
   No you can use tcpdump, and the counts should be
close.  The fact that the record numbers are close
suggests that either tcpdump is dropping packets
or argus is double counting, so you will need
to investigate.

   Detecting tcpdump packet loss is not always easy,
but it does happen a lot when tcpdump() is capturing
at high load and writing its output to disk.  It also
happens a lot when there are multiple applications
reading the same packet stream.   One way to test is
to filter tcpdump() input, and then compare the totals
using ra with the same filter.  Get a count of say DNS
traffic from your current packet collecting strategy and
verify that tcpdump and argus are not in agreement, and
then put a filter on tcpdump for only DNS, and see if
the numbers from both systems don't start to converge.

   When argus double counts, it is because the underlying
packet capture mechanisms generate duplicates.  I see this
with poorly written ATM drivers, and it is pretty
obvious to detect.  You tend to get two records of every
transaction, where all the identifiers are all the same.
Since you're seeing that the record counts are similar, then
we may be able to exclude that.  When argus is in a router,
and it opens multiple interfaces, double counting can occur
and you can get double packet reporting in the same record.
This is easy to see as simple transactions like DNS and NTP
end up with 2 packets in and out, which is not reasonable.
When TCP encounters duplicate packets you always see '*'
in the status field, indicating retransmissions in both
directions which also shouldn't happen all the time.

   The type of argus configurations that can cause double
counting generally are those where argus opens the same
interface twice, or in a router and the 'any' interface
was used.  This can happen accidentally if you read multiple
argus.conf files, where both have an interface definition.
If you run argus normally with the "-F conf" option, remove
the option and see if argus is still getting packets.
That is a sure sign of a problem.

   Hope this helps to solve your dilemma.

Carter
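A small checker for the three double-counting symptoms Carter lists (identical duplicate records, DNS/NTP flows showing 2 packets in each direction, '*' retransmission marks on TCP flows). This is an added example, not part of the original thread or of argus itself; the record layout, field names and sample values are constructed for the example and only loosely mirror what ra prints.

```python
from collections import Counter

# Constructed sample flow records, one dict per flow. Field names loosely
# follow ra's column names, but the layout and values are assumptions made
# for this example, not real argus output. Record 2 is an exact duplicate
# of record 1; record 3 is an NTP exchange seen twice; record 4 is a TCP
# flow whose status carries '*' retransmission marks.
SAMPLE_RECORDS = [
    {"stime": "10:00:01.000", "proto": "udp", "saddr": "10.0.0.5", "sport": 4123,
     "daddr": "10.0.0.53", "dport": 53, "spkts": 1, "dpkts": 1, "state": "CON"},
    {"stime": "10:00:01.000", "proto": "udp", "saddr": "10.0.0.5", "sport": 4123,
     "daddr": "10.0.0.53", "dport": 53, "spkts": 1, "dpkts": 1, "state": "CON"},
    {"stime": "10:00:02.500", "proto": "udp", "saddr": "10.0.0.7", "sport": 123,
     "daddr": "10.0.0.9", "dport": 123, "spkts": 2, "dpkts": 2, "state": "CON"},
    {"stime": "10:00:03.100", "proto": "tcp", "saddr": "10.0.0.5", "sport": 40001,
     "daddr": "10.0.0.80", "dport": 80, "spkts": 6, "dpkts": 5, "state": "s*SA_*FPA"},
    {"stime": "10:00:04.000", "proto": "tcp", "saddr": "10.0.0.6", "sport": 40002,
     "daddr": "10.0.0.80", "dport": 80, "spkts": 5, "dpkts": 4, "state": "sSEfF"},
]

# DNS and NTP: normally one request and one reply, so 2 packets each way
# is the "not reasonable" pattern Carter describes.
SIMPLE_UDP_PORTS = {53, 123}

def flow_key(r):
    """Identifiers that should be unique per transaction."""
    return (r["stime"], r["proto"], r["saddr"], r["sport"], r["daddr"], r["dport"])

def find_duplicate_records(records):
    """Keys that appear more than once: every identifier identical."""
    counts = Counter(flow_key(r) for r in records)
    return [k for k, n in counts.items() if n > 1]

def find_doubled_simple_transactions(records):
    """DNS/NTP flows reporting 2 packets in and 2 packets out."""
    return [r for r in records
            if r["proto"] == "udp" and r["dport"] in SIMPLE_UDP_PORTS
            and r["spkts"] == 2 and r["dpkts"] == 2]

def find_retrans_marked_tcp(records):
    """TCP flows whose status field carries a '*' retransmission mark."""
    return [r for r in records if r["proto"] == "tcp" and "*" in r["state"]]

def double_count_report(records):
    """Summarise the three symptoms; a high retrans fraction is suspicious."""
    tcp_total = sum(1 for r in records if r["proto"] == "tcp")
    retrans = len(find_retrans_marked_tcp(records))
    return {"duplicate_records": len(find_duplicate_records(records)),
            "doubled_dns_ntp": len(find_doubled_simple_transactions(records)),
            "tcp_retrans_fraction": retrans / tcp_total if tcp_total else 0.0}
```

Run it over real ra output by converting each line into the same dict shape; any non-zero duplicate count or a retransmission fraction near 1.0 points at the interface or argus.conf issues described above.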



> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu 
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of 
> Andrew Pollock
> Sent: Monday, March 24, 2003 10:22 PM
> To: argus-info at lists.andrew.cmu.edu
> Subject: Using tcpdump input
> 
> 
> Hi,
> 
> I'm running tcpdump packet captures at the same points of my network that
> I run Argus, and so I grabbed a day's worth of tcpdumps and ran them
> through argus and then compared that with a day's worth of natively
> generated Argus logs.
> 
> I've found the difference quite unusual, the record counts come out close
> (+/- 10,000) yet the packet and byte counts come out around 50% less for a
> tcpdump than for a native Argus log.
> 
> The tcpdumps are all captured with a snap length of 100 bytes.
> 
> I would have thought that I'd get identical results? Or can you not use
> tcpdumps as input?
> 
> Andrew
> 