Using tcpdump input
Andrew Pollock
andrew-argus at andrew.net.au
Mon Mar 31 20:09:50 EST 2003
On Mon, Mar 31, 2003 at 08:32:25AM -0500, Carter Bullard wrote:
> Hey Andrew,
> This looks an awful lot like double counting, so I would
> suggest eliminating that as a possibility, using the
> strategies that I sent earlier. Remember, you can have
> argus log the packets that it receives to a file,
> by turning on the ARGUS_PACKET_CAPTURE_FILE variable.
> By turning down the volume a bit, you could use this
> to determine if you're getting two copies of the same
> packet.
Carter, we've run Argus with a capture file specified, and sure enough
we're seeing every packet twice, so it is double counting. Revisiting your
previous email on double counting, I don't think anything applies. A
tcpdump on the same interface isn't seeing the packets twice.
Andrew
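
One way to run the duplicate check discussed in this thread over a packet capture file, as an added example that is not part of the original message or of Argus itself. It assumes the capture file is in classic tcpdump (pcap) format with microsecond timestamps; the function names, the 5 ms window and the sample packets are constructed for illustration.

```python
import hashlib
import io
import struct

# Magic bytes of a classic microsecond-resolution pcap file -> struct byte order.
PCAP_MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}

def read_pcap(stream):
    """Yield (timestamp_seconds, packet_bytes) from a classic pcap stream."""
    header = stream.read(24)
    endian = PCAP_MAGICS.get(header[:4])
    if len(header) < 24 or endian is None:
        raise ValueError("not a classic microsecond pcap file")
    while True:
        rec = stream.read(16)
        if len(rec) < 16:
            return  # clean EOF or truncated trailing record
        sec, usec, caplen, _origlen = struct.unpack(endian + "IIII", rec)
        data = stream.read(caplen)
        if len(data) < caplen:
            return  # truncated packet body
        yield sec + usec / 1e6, data

def find_duplicates(packets, window=0.005):
    """Return (earlier_index, later_index) for byte-identical packets <= window seconds apart."""
    last_seen = {}  # digest -> (index, timestamp) of the most recent copy
    pairs = []
    for idx, (ts, data) in enumerate(packets):
        digest = hashlib.sha1(data).digest()
        prev = last_seen.get(digest)
        if prev is not None and ts - prev[1] <= window:
            pairs.append((prev[0], idx))
        last_seen[digest] = (idx, ts)
    return pairs

def build_sample_pcap():
    """Constructed sample: A, A again 0.2 ms later, B, then A once more 2 s later."""
    out = io.BytesIO()
    out.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    a = b"\x00" * 12 + b"\x08\x00" + b"packet-A"
    b = b"\x00" * 12 + b"\x08\x00" + b"packet-B"
    for sec, usec, data in [(100, 0, a), (100, 200, a), (100, 500, b), (102, 0, a)]:
        out.write(struct.pack("<IIII", sec, usec, len(data), len(data)) + data)
    out.seek(0)
    return out

if __name__ == "__main__":
    pkts = list(read_pcap(build_sample_pcap()))
    dups = find_duplicates(pkts)
    print(f"{len(pkts)} packets, {len(dups)} duplicate pair(s): {dups}")
```

If nearly every packet index shows up in a pair, the capture path is delivering each frame twice; a handful of isolated pairs is more likely ordinary retransmission.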