Argus and MTP

Peter Van Epp vanepp at sfu.ca
Mon Jan 9 15:53:13 EST 2006 

On Mon, Jan 09, 2006 at 11:59:43AM +0000, Patrick Green wrote:
> Hi,
> 
> Has anyone had any experience of running Argus on top of Metanetworks  
> MTP cards?

	No, but I won't let that stop me :-)

> 
> We have been running some tests, on Fedora (customised kernel 2.6.11)  
> with Argus Version 2.0.6, and an MTP card (www.metanetworks.org).
> 
> If we run an nmap against a machine on the network, I can see the  
> traffic using TCPdump (so the card is picking it up and forwarding it  
> to the OS), but argus doesnt seem to pick the traffic up - at best it  
> sees about four packets ... has anyone else seen this / something  
> obvious I should try?

	Sounds like tcpdump and argus are getting different copies of libpcap.
If tcpdump sees the traffic argus should if it is connecting to the same
libpcap device. First things I'd try would be: capture some traffic to a file
with tcpdump then feed the tcpdump file though argus and see that the argus
installation works when it gets traffic. If that works then things get ugly
because you will need to figure out what libpcap the tcpdump is using and make
sure it is the same one that argus is using. You may need to resort to putting
syslog calls (or figure out kernel logging which I never did :-)) in the libpcap
part of the kernel to tell you if the traffic is getting as far as the pcap
buffer. I've done this (to figure out why the FreeBSD libpcap used to lose 
packets) but haven't on Linux so far (although thats probably on the list).
I am intending on converting my sensors to Linix because the ring buffer code
(www.ntop.org) works much better than standard libpcap with high traffic volumes
and that is probably where you want to end up. It would probably also be useful
to touch .devel and .debug in the argus source directory and then redo configure
and recompile. You can then use the -D (number) flag to get argus debug 
information. Looking at the argus man records would also be instructive, they
have number of packets received and dropped (both from libpcap as I recall)
which would tell you if the packets are getting as far as argus (which it 
doesn't sound like they are ...) via pcap.

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

More information about the argus mailing list