Using tcpdump input

Andrew Pollock andrew-argus at andrew.net.au
Mon Mar 31 21:32:42 EST 2003


On Tue, Mar 25, 2003 at 08:33:37AM -0500, Carter Bullard wrote:
> 
>    The type of argus configurations that can cause double
> counting generally are those where argus opens the same
> interface twice, or in a router and the 'any' interface
> was used.  This can happen accidentally if you read multiple
> argus.conf files, where both have an interface definition.
> If you run argus normally with the "-F conf" option, remove
> the option and see if argus is still getting packets.
> That is a sure sign of a problem.

We've run Argus by hand without a -F option, and are still seeing double
with Argus natively compared with what it is seeing with tcpdump input. We're
running Argus (and tcpdump) on a box that is attached to a switch's span
port.

>    Hope this helps to solve your dilemma.

Dilemma persists. Hair is thinning.
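A check for the duplicate-interface misconfiguration Carter describes above (the same interface declared in more than one argus.conf, or 'any' combined with named interfaces), as an added example that is not part of the original thread or of the Argus project; it assumes the ARGUS_INTERFACE=<iface> directive syntax of argus.conf and uses constructed sample files:

```python
import re

# Constructed sample argus.conf fragments standing in for two config files
# that argus read together (the double-counting scenario in the thread).
SAMPLE_CONFS = {
    "/etc/argus.conf": """
# main configuration
ARGUS_DAEMON=yes
ARGUS_INTERFACE=eth0
""",
    "/usr/local/argus/argus.conf": """
ARGUS_INTERFACE=eth0   # same interface declared a second time
ARGUS_INTERFACE=any
""",
}

# Assumed directive syntax: ARGUS_INTERFACE=<name>
_IFACE_RE = re.compile(r"^\s*ARGUS_INTERFACE\s*=\s*(\S+)", re.IGNORECASE)

def interfaces_in(conf_text):
    """Return the interface names declared by ARGUS_INTERFACE lines."""
    names = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]  # drop trailing comments
        m = _IFACE_RE.match(line)
        if m:
            names.append(m.group(1))
    return names

def find_double_open(confs):
    """Map each interface opened more than once to the files declaring it,
    and flag 'any' combined with named interfaces, since 'any' already
    sees every interface's packets (the router case in the thread)."""
    seen = {}
    for path, text in confs.items():
        for iface in interfaces_in(text):
            seen.setdefault(iface, []).append(path)
    duplicates = {i: p for i, p in seen.items() if len(p) > 1}
    any_overlap = "any" in seen and len(seen) > 1
    return duplicates, any_overlap

if __name__ == "__main__":
    dups, overlap = find_double_open(SAMPLE_CONFS)
    for iface, paths in dups.items():
        print(f"{iface} is opened {len(paths)} times: {', '.join(paths)}")
    if overlap:
        print("'any' is combined with named interfaces; expect double counting")
```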


