Using tcpdump input

Andrew Pollock andrew-argus at andrew.net.au
Wed Mar 26 19:35:25 EST 2003


Hey Carter,

Thanks for the info. We're setting up a test bed to test Argus against
tcpdump, some switch interface accounting stuff and I think Netramet in a
controlled environment.

Andrew

On Tue, Mar 25, 2003 at 08:33:37AM -0500, Carter Bullard wrote:
> Hey Andrew,
>    No you can use tcpdump, and the counts should be
> close.  The fact that the record numbers are close
> suggest that either tcpdump is dropping packets
> or argus is double counting, so you will need
> to investigate.
> 
>    Detecting tcpdump packet loss is not always easy,
> but it does happen a lot when tcpdump() is capturing
> at high load and writing its output to disk.  It also
> happens a lot when there are multiple applications
> reading the same packet stream.   One way to test is
> to filter tcpdump() input, and then compare the totals
> using ra with the same filter.  Get a count of say DNS
> traffic from your current packet collecting strategy and
> verify that tcpdump and argus are not in agreement, and
> then put a filter on tcpdump for only DNS, and see if
> the numbers from both systems don't start to converge.
> 
>    When argus double counts, it is because the underlying
> packet capture mechanisms generate duplicates.  I see this
> with poorly written ATM drivers, and it is pretty
> obvious to detect.  You tend to get two records of every
> transaction, where all the identifiers are all the same.
> Since you're seeing that the record counts are similar, then
> we may be able to exclude that.  When argus is in a router,
> and it opens multiple interfaces, double counting can occur
> and you can get double packet reporting in the same record.
> This is easy to see as simple transactions like DNS and NTP
> end up with 2 packets in and out, which is not reasonable.
> When TCP encounters duplicate packets you always see '*'
> in the status field, indicating retransmissions in both
> directions which also shouldn't happen all the time.
> 
>    The type of argus configurations that can cause double
> counting generally are those where argus opens the same
> interface twice, or in a router and the 'any' interface
> was used.  This can happen accidentally if you read multiple
> argus.conf files, where both have an interface definition.
> If you run argus normally with the "-F conf" option, remove
> the option and see if argus is still getting packets.
> That is a sure sign of a problem.
> 
>    Hope this helps to solve your dilemma.
> 
> Carter
> 
> 
> 
> > -----Original Message-----
> > From: owner-argus-info at lists.andrew.cmu.edu 
> > [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of 
> > Andrew Pollock
> > Sent: Monday, March 24, 2003 10:22 PM
> > To: argus-info at lists.andrew.cmu.edu
> > Subject: Using tcpdump input
> > 
> > 
> > Hi,
> > 
> > I'm running tcpdump packet captures at the same points of my network that
> > I run Argus, and so I grabbed a day's worth of tcpdumps and ran them
> > through argus and then compared that with a day's worth of natively
> > generated Argus logs.
> > 
> > I've found the difference quite unusual, the record counts come out close
> > (+/- 10,000) yet the packet and byte counts come out around 50% less for a
> > tcpdump than for a native Argus log.
> > 
> > The tcpdumps are all captured with a snap length of 100 bytes.
> > 
> > I would have thought that I'd get identical results? Or can you not use
> > tcpdumps as input?
> > 
> > Andrew
> > 
> 
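The checks Carter describes above (records whose identifiers are all the same, DNS/NTP flows showing 2 packets in and 2 out, and the record/packet/byte comparison between a native run and a tcpdump-fed run), as an added Python example that is not code from the thread or from Argus. The record layout and sample values are constructed for illustration and are not ra's real output format.

```python
"""Sanity checks on flow records: driver-duplicated records, doubled simple
transactions, and the packet/byte shortfall pattern from the thread."""
from collections import Counter

# Constructed field layout (our simplification, not ra's real format).
FIELDS = ("start", "proto", "saddr", "sport", "daddr", "dport",
          "spkts", "dpkts", "sbytes", "dbytes")

# Constructed sample records.
SAMPLE = [
    ("1048550400.1", "udp", "10.0.0.5", 3456, "10.0.0.1", 53, 1, 1, 60, 120),
    ("1048550400.1", "udp", "10.0.0.5", 3456, "10.0.0.1", 53, 1, 1, 60, 120),  # exact duplicate
    ("1048550401.7", "udp", "10.0.0.6", 4100, "10.0.0.1", 53, 2, 2, 120, 240),  # doubled DNS
    ("1048550402.0", "udp", "10.0.0.7", 123, "10.0.0.2", 123, 2, 2, 96, 96),    # doubled NTP
    ("1048550403.3", "tcp", "10.0.0.8", 5000, "10.0.0.9", 80, 7, 5, 900, 4200),
]

def parse(rows):
    """Turn tuples into dicts keyed by FIELDS."""
    return [dict(zip(FIELDS, r)) for r in rows]

def duplicate_records(recs):
    """Identifier sets that occur more than once: two records per transaction."""
    def key(r):
        return (r["start"], r["proto"], r["saddr"], r["sport"], r["daddr"], r["dport"])
    counts = Counter(key(r) for r in recs)
    return [k for k, n in counts.items() if n > 1]

def doubled_simple_transactions(recs):
    """DNS/NTP flows with 2 packets each way where 1 in / 1 out is expected."""
    simple = {("udp", 53), ("udp", 123)}
    return [r for r in recs if (r["proto"], r["dport"]) in simple
            and r["spkts"] == 2 and r["dpkts"] == 2]

def totals(recs):
    """Record, packet and byte totals for one set of records."""
    return {"records": len(recs),
            "pkts": sum(r["spkts"] + r["dpkts"] for r in recs),
            "bytes": sum(r["sbytes"] + r["dbytes"] for r in recs)}

def compare_totals(native, replayed):
    """Ratio replayed/native per counter. Records near 1.0 with pkts/bytes
    near 0.5 is the shortfall pattern reported in the thread."""
    return {k: round(replayed[k] / native[k], 2) for k in native}
```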