Using tcpdump input

Carter Bullard carter at qosient.com
Mon Mar 31 22:26:05 EST 2003


More than likely, argus is opening whatever
interface twice.  This is not impossible,
so the solution will be in understanding how argus
is being called and the contents of your argus.conf
file.  One quick approach is to run argus with
the -X option as the first option on the command
line.  If this resolves the problem then it will
be straightforward.

Carter


> -----Original Message-----
> From: Andrew Pollock [mailto:andrew-argus at andrew.net.au] 
> Sent: Monday, March 31, 2003 8:10 PM
> To: Carter Bullard
> Cc: argus-info at lists.andrew.cmu.edu
> Subject: Re: Using tcpdump input
> 
> 
> On Mon, Mar 31, 2003 at 08:32:25AM -0500, Carter Bullard wrote:
> > Hey Andrew,
> >   This looks an awful lot like double counting, so I would
> > suggest eliminating that as a possibility, using the
> > strategies that I sent earlier.  Remember, you can have
> > argus log the packets that it receives to a file,
> > by turning on the ARGUS_PACKET_CAPTURE_FILE variable.
> > By turning down the volume a bit, you could use this
> > to determine if you're getting two copies of the same
> > packet.
> 
> Carter, we've run Argus with a capture file specified, and sure enough
> we're seeing every packet twice, so it is double counting. 
> Revisiting your
> previous email on double counting, I don't think anything applies. A 
> tcpdump on the same interface isn't seeing the packets twice.
> 
> Andrew
> 
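
An added example, not part of the original thread or of argus itself: one way to check a packet capture file for the double counting discussed above, by counting byte-identical packets that recur within a short time window. It assumes the capture file is in classic libpcap format; the function names, the 10 ms window and the sample frames are constructed for illustration.

```python
import hashlib
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic libpcap format, microsecond timestamps

def read_pcap(data):
    """Yield (timestamp_seconds, packet_bytes) from classic pcap bytes."""
    for endian in ("<", ">"):  # the magic number tells us the writer's byte order
        if len(data) >= 24 and struct.unpack(endian + "I", data[:4])[0] == PCAP_MAGIC:
            break
    else:
        raise ValueError("not a classic pcap file")
    offset = 24  # skip the 24-byte global header
    while offset + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack(
            endian + "IIII", data[offset:offset + 16])
        offset += 16
        if offset + incl_len > len(data):
            break  # truncated final record, stop cleanly
        yield sec + usec / 1e6, data[offset:offset + incl_len]
        offset += incl_len

def count_duplicates(data, window=0.01):
    """Return (total, duplicates). A duplicate is a byte-identical packet
    seen again within `window` seconds of the previous identical copy."""
    last_seen = {}
    total = dups = 0
    for ts, pkt in read_pcap(data):
        total += 1
        digest = hashlib.sha256(pkt).digest()
        prev = last_seen.get(digest)
        if prev is not None and ts - prev <= window:
            dups += 1
        last_seen[digest] = ts
    return total, dups

def build_pcap(packets):
    """Build little-endian pcap bytes from (sec, usec, payload) tuples."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for sec, usec, payload in packets:
        out += struct.pack("<IIII", sec, usec, len(payload), len(payload)) + payload
    return out

# Constructed sample: two frames each captured twice a few microseconds apart,
# plus the same bytes as frame A seen seconds later (outside the window).
SAMPLE = build_pcap([
    (1, 100, b"frame-A"), (1, 105, b"frame-A"),
    (1, 900, b"frame-B"), (1, 904, b"frame-B"),
    (9, 0, b"frame-A"),
])
```

A duplicate count close to half the total is what a doubled capture looks like; a count near zero points away from the capture path and toward how the flows are being tallied.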