Using tcpdump input

Carter Bullard carter at qosient.com
Mon Mar 31 08:32:25 EST 2003 

Hey Andrew,
  This looks an awful lot like double counting, so I would
suggest eliminating that as a possibility, using the
strategies that I sent earlier.  Remember, you can have
argus log the packets that it receives to a file,
by turning on the ARGUS_PACKET_CAPTURE_FILE variable.
By turning down the volume a bit, you could use this
to determine if your getting two copies of the same
packet.

Carter



> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu 
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of 
> Andrew Pollock
> Sent: Sunday, March 30, 2003 8:51 PM
> To: argus-info at lists.andrew.cmu.edu
> Subject: Re: Using tcpdump input
> 
> 
> On Thu, Mar 27, 2003 at 05:01:44PM +1000, Andrew Pollock wrote:
> > On Wed, Mar 26, 2003 at 07:55:56PM -0500, Carter Bullard wrote:
> > > Hey Andrew,
> > >    Great!  It seems that everyone has to do this at some
> > > point.  If you have any problems, or interesting results,
> > > don't hesitate to send mail.
> > 
> > Interesting results time.
> > 
> > We setup three boxes and a Cisco switch like so:
> > 
> > +-------+       +-------+        +-----+
> > |lettuce|-------|Switch |--------|onion|
> > +-------+       +-------+        +-----+
> >                     |
> >                     |
> >                 +-------+
> >                 |rhubarb|
> >                 +-------+
> > 
> 
> More on this scenario...
> 
> In today's testing, we ran Argus and tcpdump side by side.
> Tcpdump logged to a tmpfs filesystem, so there was no disk I/O
> and was only logging the first 100 bytes.
> 
> We again used (native) rsync to transfer a 1GB file from onion
> to lettuce. The tcpdump, converted to an Argus log showed about 1.1GB 
> of data received by lettuce, whereas the native Argus log showed more
> like 2.2GB.
> 
> This was with the eepro100 Ethernet driver and the e100 
> Ethernet driver.
> 
> The strange thing is, last week we were getting Argus to report 1GB,
> and tcpdump showed about half that. Now both sets of figures 
> seemed to have
> doubled. The only major difference was that last week we were 
> running tcpdumps 
> with a snaplength of 0, so it was trying to log the entire 
> packet, which would
> have increased the I/O on the box.
> 
> Anyone got any further thoughts?
> 
> Andrew
>

More information about the argus mailing list