[ARGUS] argus 2.0.5 and 2.0.6 ArgusCalloc problems on OpenBSD 3.5
Peter Van Epp
vanepp at sfu.ca
Mon May 10 12:44:39 EDT 2004
On Mon, May 10, 2004 at 09:49:26AM -0600, Richard Johnson wrote:
> At 09:14 -0400 on 2004-05-10, Carter Bullard wrote:
> > Hey Richard,
> > This is a new one for me, although it may be related
> > to an earlier reported problem with ra* programs and
> > FreeBSD, which I've included below.
>
>
> Indeed, problem solved. My difficulty was actually bad assumptions on my
> part, and I haven't yet had to tweak the test box's kernel.
>
> It turns out that the particular fiber I'm sniffing on contains far more
> than what's supposed to be on that span. It was supposed to be just a few
> dozen dialup users' traffic, but now contains a rather loaded internal net
> instead.
>
That was going to be my first question since sk implies a gig interface
how much traffic are you seeing :-). Note if you want/need to sniff at high
speed running argus on a sensor machine writing to a socket to over the network
to another machine that listens with ra and writes the data to disk is the
accepted way of doing it. Writing to disk on the sensor machine causes packet
loss (probably because of DMA issues).
There is also still a bug in the OpenBSD bpf code which will fail to
flush the incomplete buffer to argus on a timer interrupt which means that it
will lose the last buffer on a shutdown (Theo looked at the fix, but declined
to install it). If you just cycle the argus.out file and don't shut down and/or
be busy enough to regularly fill the buffer it shouldn't matter.
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
More information about the argus
mailing list