debugging argus on tun interface

[Peter Van Epp]

<snip>
> argus[23533]: 23 Feb 06 21:10:20 ArgusNewQueue () returning 0x81fd2080
> argus[23533]: 23 Feb 06 21:10:20 ArgusInitModeler(): ArgusHashArray  
> 0x8a1bf000
> argus[23533]: 23 Feb 06 21:10:20 ArgusGetPackets () returning
> argus[23533]: 23 Feb 06 21:10:20 ArgusLoop() returning
> argus[23533]: 23 Feb 06 21:10:20 main() shuting down
> 
> 
> this is where I'm not really sure what to do next. any thoughts?
> 
> poncenby

	Indeed looks like libpcap isn't managing to open the tun device 
successfully. I expect you are hitting this !found in server/ArgusSource.c:

            for (i = 0; i < ARGUS_MAXINTERFACE; i++)
               if (ArgusPd[i]) {
                  if (pcap_fileno(ArgusPd[i]) >= 0) {
                     found ++;
                     FD_SET(pcap_fileno(ArgusPd[i]), &ArgusReadMask);
                     if (width < pcap_fileno(ArgusPd[i]))
                        width = pcap_fileno(ArgusPd[i]);
                  }
               }

            if (!found)
               break;

which exits and causes the shutdown. Trying tcpdump on the same interface would
be the first thing to try, then you may be in to grepping kernel source to see
if the tun driver has bpf support :-) if tcpdump can't see the interface either
:-).  There was a libpcap error message higher in this code that you didn't 
seem to hit so I have some suspicion that the tun device may not support 
bpf may be the problem here (if so tcpdump shouldn't work either).

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada