Using tcpdump input

Carter Bullard carter at qosient.com
Wed Mar 26 19:55:56 EST 2003


Hey Andrew,
   Great!  It seems that everyone has to do this at some
point.  If you have any problems, or interesting results,
don't hesitate to send mail.

Carter


> -----Original Message-----
> From: Andrew Pollock [mailto:andrew-argus at andrew.net.au] 
> Sent: Wednesday, March 26, 2003 7:35 PM
> To: Carter Bullard
> Cc: argus-info at lists.andrew.cmu.edu
> Subject: Re: Using tcpdump input
> 
> 
> Hey Carter,
> 
> Thanks for the info. We're setting up a test bed to test Argus against
> tcpdump, some switch interface accounting stuff and I think Netramet in a
> controlled environment.
> 
> Andrew
> 
> On Tue, Mar 25, 2003 at 08:33:37AM -0500, Carter Bullard wrote:
> > Hey Andrew,
> >    No, you can use tcpdump, and the counts should be
> > close.  The fact that the record numbers are close
> > suggests that either tcpdump is dropping packets
> > or argus is double counting, so you will need
> > to investigate.
> > 
> >    Detecting tcpdump packet loss is not always easy,
> > but it does happen a lot when tcpdump() is capturing
> > at high load and writing its output to disk.  It also
> > happens a lot when there are multiple applications
> > reading the same packet stream.   One way to test is
> > to filter tcpdump() input, and then compare the totals
> > using ra with the same filter.  Get a count of say DNS
> > traffic from your current packet collecting strategy and
> > verify that tcpdump and argus are not in agreement, and
> > then put a filter on tcpdump for only DNS, and see if
> > the numbers from both systems don't start to converge.
> > 
> >    When argus double counts, it is because the underlying
> > packet capture mechanisms generate duplicates.  I see this
> > with poorly written ATM drivers, and it is pretty
> > obvious to detect.  You tend to get two records of every
> > transaction, where all the identifiers are the same.
> > Since you're seeing that the record counts are similar, then
> > we may be able to exclude that.  When argus is in a router,
> > and it opens multiple interfaces, double counting can occur
> > and you can get double packet reporting in the same record.
> > This is easy to see as simple transactions like DNS and NTP
> > end up with 2 packets in and out, which is not reasonable.
> > When TCP encounters duplicate packets you always see '*'
> > in the status field, indicating retransmissions in both
> > directions which also shouldn't happen all the time.
> > 
> >    The type of argus configurations that can cause double
> > counting generally are those where argus opens the same
> > interface twice, or in a router and the 'any' interface
> > was used.  This can happen accidentally if you read multiple
> > argus.conf files, where both have an interface definition.
> > If you run argus normally with the "-F conf" option, remove
> > the option and see if argus is still getting packets.
> > That is a sure sign of a problem.
> > 
> >    Hope this helps to solve your dilemma.
> > 
> > Carter
> > 
> > 
> > 
> > > -----Original Message-----
> > > From: owner-argus-info at lists.andrew.cmu.edu 
> > > [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of 
> > > Andrew Pollock
> > > Sent: Monday, March 24, 2003 10:22 PM
> > > To: argus-info at lists.andrew.cmu.edu
> > > Subject: Using tcpdump input
> > > 
> > > 
> > > Hi,
> > > 
> > > I'm running tcpdump packet captures at the same points of my
> > > network that I run Argus, and so I grabbed a day's worth of tcpdumps
> > > and ran them through argus and then compared that with a day's worth
> > > of natively generated Argus logs.
> > > 
> > > I've found the difference quite unusual: the record counts come out
> > > close (+/- 10,000), yet the packet and byte counts come out around
> > > 50% less for a tcpdump than for a native Argus log.
> > > 
> > > The tcpdumps are all captured with a snap length of 100 bytes.
> > > 
> > > I would have thought that I'd get identical results? Or can you not
> > > use tcpdumps as input?
> > > 
> > > Andrew
> > > 
> > 
> 
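The two double-counting signatures Carter describes (whole records repeated with identical identifiers, and simple DNS/NTP transactions reporting 2 packets in each direction), plus the per-service packet total used to compare the tcpdump-fed and native runs, as an added example that is not part of this thread or of the argus distribution. The flow records below are constructed tuples that mimic the identifiers and counters of an argus record, not real ra output.

```python
"""Sanity checks for double counting and for comparing filtered packet totals.

The records are constructed for this example; each tuple holds
(proto, saddr, sport, daddr, dport, src_pkts, dst_pkts), the identifiers
and per-direction packet counters an argus flow record carries.
"""
from collections import Counter

# Constructed sample: one exact duplicate TCP record, three doubled
# DNS/NTP flows (2 packets each way), one normal DNS flow (1 each way).
SAMPLE = [
    ("tcp", "10.0.0.5", 40001, "10.0.0.1", 22, 15, 12),
    ("tcp", "10.0.0.5", 40001, "10.0.0.1", 22, 15, 12),   # exact duplicate
    ("udp", "10.0.0.5", 53001, "10.0.0.2", 53, 2, 2),     # doubled DNS
    ("udp", "10.0.0.6", 53002, "10.0.0.2", 53, 2, 2),     # doubled DNS
    ("udp", "10.0.0.7", 53003, "10.0.0.2", 53, 1, 1),     # normal DNS
    ("udp", "10.0.0.5", 123, "10.0.0.3", 123, 2, 2),      # doubled NTP
]

# Services that normally complete in one request and one reply.
SIMPLE_PORTS = {53, 123}


def duplicate_records(records):
    """Records whose identifiers and counters are all identical: the
    signature of a capture driver handing argus every packet twice."""
    return [r for r, n in Counter(records).items() if n > 1]


def doubled_simple_flows(records):
    """UDP DNS/NTP flows with 2 packets in each direction, the sign of
    the same interface being opened twice (or 'any' plus a named one)."""
    return [r for r in records
            if r[0] == "udp" and r[4] in SIMPLE_PORTS and r[5] == 2 and r[6] == 2]


def double_count_suspected(records, threshold=0.5):
    """True when more than `threshold` of the simple flows show the 2/2
    pattern; a few legitimate retries should not trip this heuristic."""
    simple = [r for r in records if r[0] == "udp" and r[4] in SIMPLE_PORTS]
    if not simple:
        return False
    return len(doubled_simple_flows(records)) / len(simple) > threshold


def filtered_packet_total(records, dport):
    """Packet total for one service, the figure to compare between a
    tcpdump-fed run and a native argus run with the same filter applied."""
    return sum(r[5] + r[6] for r in records if r[4] == dport)
```

If the DNS totals from both runs converge once tcpdump itself is filtered to DNS, the earlier gap points at tcpdump dropping packets under load rather than at argus double counting.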




