The double-counting saga

Dave Plonka plonka at doit.wisc.edu
Thu May 8 16:50:38 EDT 2003 

Argus users,

I think we just discovered another way to elicit the double counting
issue that Andrew described (below).  We found that our argus would
sometimes double-count as well.  We discovered that we had two
administrators, one who liked to start argus as just:

   # argus

having it read the default "/etc/argus.conf" file, which specified
"eth1", and the other that liked to start argus like this:

   # argus -i eth1

It seems that in that latter case, if both the default config file and
the command line specify the same interface:

   # Argus can read packets from multiple interfaces at the same time,
   # although this is limited to 2 interfaces at this time.  Specify
   # this in this file with multiple ARGUS_INTERFACE directives.
   # 
   # Commandline equivalent   -i
   # 
   ARGUS_INTERFACE=eth1

then the pkt/byte counts will be doubled in the argus flows records.
(It's relatively easy to spot because all the flows in a given file
have even numbers as pkt/byte counts.)

Perhaps in some future release, it can be changed to not open any
interface more than once?  (Is there any legitimate reason to want to
process traffic on the same interface more than once?  If so, perhaps
some sort of "-f" (force) option could be used to indicate that one
really wants this.)

Dave

P.S. In answer to Andrew's question about how to fix it, if you can
tolerate changing to a different file format, its possible to adjust the
counts like this:

   $ flowdumper -Re '($pkts /= 2) && ($bytes /= 2)' argus.out > argus.cflow

The resulting file will be in cflowd's format, which can be displayed
and reported on using flowdumper (http://net.doit.wisc.edu/~plonka/Cflow/),
flowdump (from cflowd), or any of the many flow-tools reporting commands
(in combination with flow-import): http://www.splintered.net/sw/flow-tools/

On Tue, Apr 01, 2003 at 02:45:12PM +1000, Andrew Pollock wrote:
> Sigh.
> 
> We have gotten to the bottom of the problem, it would seem.
> 
> The problem would appear to be specific to Debian's Argus implementation
> (predating my maintenance of the packages) whereby the /etc/init.d/argus
> script is invoking Argus with a -F /etc/argus.conf, but Argus is also
> compiled with /etc/argus.conf as it's config file, so it's essentially
> reading the configuration twice, once implicitly and once explicitly,
> hence it opens the specified interface twice, and counts everything twice.
> 
> Is there an easy way to remove duplicates from existing Argus logs?

-- 
plonka at doit.wisc.edu  http://net.doit.wisc.edu/~plonka  ARS:N9HZF  Madison, WI

More information about the argus mailing list