[ARGUS] Peculiar cross platform argus/ra non-interoperability
Joe Christy
joe at eshu.net
Sun Aug 8 13:37:21 EDT 2004
After an upgrade to a FreeBSD gateway, I've started seeing the following
weird problem.
Gateway: FreeBSD-4-STABLE (4.10 w/ rolling updates as of 2004-08-04),
argus{,-clients}-2.0.6.fixes.1, runs argus w/ ARGUS_ACCESS_PORT=561 &
ARGUS_BIND_IP=172.24.4.1
Monitoring Station: Fedora Core 2 Linux, argus{,-clients}-2.0.6.fixes.1,
built from source.
On the Gateway, argus is happily writing to /var/log/argus/argus.out,
and ra -a -S 172.24.4.1:561 tracks traffic in real time, as it should.
So, it looks like the argus server is OK.
For the past two years, through earlier versions of FreeBSD, Linux, and
argus{,-clients}, I've successfully been running ra -S 172.24.4.1:561
-w/var/log/argus/gateway-argus.out to capture the argus data securely on
an Internet-inaccessible Monitoring Station. Since upgrading FreeBSD
last week, this always returns immediately:
moby(joe) ra -a -S 172.24.4.1
No data seen.
Now, I can run argus on the Monitoring Station and use ra there to
connect to its own bound IP and track traffic successfully, and I can
read a copy of the Gateway's locally written /var/log/argus/argus.out,
so it looks like the ra client is OK. I can even connect to the
Gateway's port 561 from the monitoring station with nc, and receive a
stream of unintelligible (to me at least) binary data, so the network
connection between the Monitoring Station and the Gateway's port 561 is
passing data. Nonetheless, the ra client on the Monitoring Station
steadfastly refuses to admit that it is seeing any data from argus on
the Gateway. Sigh.
Has anyone else seen this sort of behavior? Any ideas on a fix?
Joe