Using tcpdump input

Andrew Pollock andrew-argus at andrew.net.au
Mon Mar 31 23:27:05 EST 2003


On Tue, Apr 01, 2003 at 01:58:30PM +1000, Andrew Pollock wrote:
> On Mon, Mar 31, 2003 at 10:26:05PM -0500, Carter Bullard wrote:
> > More than likely, argus is opening whatever
> > interface twice.  This is not impossible,
> > so the solution will be in understanding how argus
> > is being called and the contents of your argus.conf
> > file.  One quick approach is to run argus with
> > the -X option as the first option on the command
> > line.  If this resolves the problem then it will
> > be straightforward.
> 
> Now we're making some progress. I get identical results.
> Soooo.... How come Argus under normal operations is opening the interface 
> twice?
> 
> I've got eth1 in the /etc/argus.conf, and argus is invoked with a -F 
> /etc/argus.conf and not with a -i

Furthermore, the blurb in /etc/argus.conf says:

#-----------------------------------------------------------------------------#
# By default, Argus will open the first appropriate interface on a
# system that it encounters.  For systems that have only one network
# interface, this is a reasonable thing to do.  But, when there are
# more than one interface suitable interface, you may want to specify
# which interface(s) Argus should read data from.
#
# Argus can read packets from multiple interfaces at the same time,
# although this is limited to 2 interfaces at this time.

ARGUS_INTERFACE=eth1

So does this render the ARGUS_INTERFACE configuration option obsolete in 
most circumstances? Is Argus internally deciding eth1 looks good to open, 
and then I'm explicitly telling it to open eth1, hence my conundrum?

Andrew


