Using tcpdump input

Andrew Pollock andrew-argus at andrew.net.au
Mon Mar 31 03:20:36 EST 2003


On Sun, Mar 30, 2003 at 07:39:09PM -0800, Peter Van Epp wrote:
> 	Try a small (~ 100 packets or less) transfer where you can compare
> each packet in both tcpdump and argus with what was sent would be my suggestion.
> I'd also be tempted to try using tcpreplay out of one machine in to the other
> to eliminate the span port on the switch from the equation initially as well.
> Once you understand what happens at small volumes (where it is feasible to
> examine every packet) then move up to big files.

We've run Argus on one of the two hosts that participated in the rsync,
using a 1 MB file eliminating the span port. The results were the same.

Judging from your other email, it seems like we're not alone here. Anyone 
else feel like doing some independent testing in a controlled environment?

Do you think the problem is with the Argus server or the Argus client
reading the Argus log?

Andrew
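The comparison Peter suggests above (tally every packet of a small transfer and check it against what Argus reports) can be scripted. The following is an added example, not code from this thread or from the Argus project: it builds a small constructed pcap of a few rsync-like TCP frames (addresses, ports and sizes are made up), reads it back with a minimal libpcap-format parser, and produces per-direction and bidirectional packet/byte totals of the kind you would line up against `ra` output. It counts wire length (`orig_len`) rather than captured length, so a short tcpdump snaplen does not change the byte totals, which is one thing to rule out when tcpdump and Argus disagree.

```python
import socket
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4   # little-endian pcap magic as read with "<I"
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def build_tcp_frame(src_ip, dst_ip, sport, dport, payload_len, flags=0x18):
    """Construct a minimal Ethernet/IPv4/TCP frame (sample data; checksums left zero)."""
    payload = b"\x00" * payload_len
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip)) + tcp
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip


def build_pcap(frames, snaplen=65535):
    """Serialise frames into a classic pcap byte string, truncating each to snaplen."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, 1)  # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        captured = frame[:snaplen]
        out += struct.pack("<IIII", 1000 + i, 0, len(captured), len(frame)) + captured
    return out


def tally_pcap(data):
    """Return {(src, sport, dst, dport): {"pkts": n, "bytes": wire_bytes}} for IPv4/TCP packets."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    flows = defaultdict(lambda: {"pkts": 0, "bytes": 0})
    offset = 24
    while offset + 16 <= len(data):
        _, _, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        frame = data[offset:offset + incl_len]
        offset += incl_len
        if len(frame) < 14 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if len(ip) < ihl + 4 or ip[9] != IPPROTO_TCP:
            continue
        src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
        sport, dport = struct.unpack_from("!HH", ip, ihl)
        key = (src, sport, dst, dport)
        flows[key]["pkts"] += 1
        flows[key]["bytes"] += orig_len   # wire length, independent of snaplen truncation
    return dict(flows)


def bidirectional(flows):
    """Merge the two directions of each conversation, as a flow monitor would report it."""
    merged = defaultdict(lambda: {"pkts": 0, "bytes": 0})
    for (src, sport, dst, dport), counts in flows.items():
        a, b = (src, sport), (dst, dport)
        key = (a, b) if a <= b else (b, a)
        merged[key]["pkts"] += counts["pkts"]
        merged[key]["bytes"] += counts["bytes"]
    return dict(merged)


# Constructed sample: three client->server and two server->client segments of an rsync session.
CLIENT, SERVER, CPORT, SPORT = "192.0.2.10", "192.0.2.20", 40000, 873
FRAMES = [
    build_tcp_frame(CLIENT, SERVER, CPORT, SPORT, 0),
    build_tcp_frame(SERVER, CLIENT, SPORT, CPORT, 0),
    build_tcp_frame(CLIENT, SERVER, CPORT, SPORT, 100),
    build_tcp_frame(CLIENT, SERVER, CPORT, SPORT, 1000),
    build_tcp_frame(SERVER, CLIENT, SPORT, CPORT, 500),
]
SAMPLE_PCAP = build_pcap(FRAMES)              # full capture
SAMPLE_PCAP_SHORT = build_pcap(FRAMES, 96)    # same traffic captured with a short snaplen

if __name__ == "__main__":
    for key, counts in sorted(tally_pcap(SAMPLE_PCAP).items()):
        print(key, counts)
    for key, counts in bidirectional(tally_pcap(SAMPLE_PCAP)).items():
        print("total", key, counts)
```

Run against a real file by replacing `SAMPLE_PCAP` with the contents of a tcpdump `-w` capture; the per-direction dictionary is what to compare packet by packet against the Argus record for the same transfer.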