rc.12 on the server

Carter Bullard carter at qosient.com
Mon Jun 26 15:34:14 EDT 2006


Well, it's working, just not opening or writing the output file.
So, using an argus.conf file, or on the command line, specify
a socket port number (-P 561) and then use the clients to see
if you are writing records out the socket. Probably not a big
deal.

Carter


On Jun 26, 2006, at 3:29 PM, Richard Bejtlich wrote:

> On 6/26/06, Carter Bullard <carter at qosient.com> wrote:
>> Impossible to say, so let's try to figure it out. Easiest to run argus
>> with a low debug number to see what it thinks is going on.
>> If you didn't compile in the debug support we'll need to:
>>
>>     % touch .debug
>>     % ./configure;make clean;make
>>
>> So, even if there aren't any packets on the interface, argus
>> should generate a management record every 60 seconds,
>> unless you've redefined it in the /etc/argus.conf file, if you
>> installed one.
>>
>> Run argus with say, -D4 and see what it thinks is going on.
>>
>> Carter
>>
>
> Hi Carter,
>
> Here are the results:
>
> Script started on Mon Jun 26 15:20:50 2006
> shuttle:/root# argus -i bge0 -D4 -w /nsm/argus3.arg
> argus[7349]: 26 Jun 06 15:21:08.549640 ArgusDeleteList (0x0) returning
> argus[7349]: 26 Jun 06 15:21:08.549800 ArgusNewList () returning  
> 0x649780
> argus[7349]: 26 Jun 06 15:21:08.549912 setArgusInterfaceStatus(1)
> argus[7349]: 26 Jun 06 15:21:08.550147 ArgusInitSource()
> pcap_open_live() returned 0x89f000
> argus[7349]: 26 Jun 06 15:21:08.550190 Arguslookup_pcap_callback(1)
> returning ArgusEtherPacket(): 0x40b9d0
> argus[7349]: 26 Jun 06 15:21:08.550264 ArgusInitSource() returning
> argus[7349]: 26 Jun 06 15:21:08.550280 ArgusNewList () returning  
> 0x649980
> argus[7349]: 26 Jun 06 15:21:08.550298 ArgusGenerateInitialMar()  
> returning
> argus[7349]: 26 Jun 06 15:21:08.550411 ArgusNewList () returning  
> 0x649b80
> argus[7349]: 26 Jun 06 15:21:08.550428 ArgusNewSocket (4) returning  
> 0x8ab080
> argus[7349]: 26 Jun 06 15:21:08.550464 ArgusDeleteList (0x0) returning
> argus[7349]: 26 Jun 06 15:21:08.550477 ArgusInitOutput() done
> argus[7349]: 26 Jun 06 15:21:08.550526 ArgusInitModeler() done
> argus[7349]: 26 Jun 06 15:21:08.550539 ArgusGetPackets (0x84c080)  
> starting
> argus[7349]: 26 Jun 06 15:21:08.550561 setArgusInterfaceStatus(1)
> argus[7349]: 26 Jun 06 15:21:08.550588 ArgusGetInterfaceStatus:
> interface bge0 is up
> argus[7349]: 26 Jun 06 15:21:08.550703 setArgusInterfaceStatus(1)
> argus[7349]: 26 Jun 06 15:21:08.671069 ArgusNewFlow() returning  
> 0x89d880
> argus[7349]: 26 Jun 06 15:21:09.317716 ArgusNewFlow() returning  
> 0x8c1080
> argus[7349]: 26 Jun 06 15:21:11.484056 ArgusNewFlow() returning  
> 0x8c1880
> argus[7349]: 26 Jun 06 15:21:11.584071 ArgusNewFlow() returning  
> 0x8c2080
> argus[7349]: 26 Jun 06 15:21:13.577078 ArgusNewQueue () returning  
> 0x649d80
> argus[7349]: 26 Jun 06 15:21:13.577115 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:21:14.372124 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:21:16.584154 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:21:16.584221 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:21:18.582276 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:21:19.685332 ArgusNewFlow() returning  
> 0x8c2880
> argus[7349]: 26 Jun 06 15:21:19.785349 ArgusNewFlow() returning  
> 0x8c3080
> argus[7349]: 26 Jun 06 15:21:19.906352 ArgusNewFlow() returning  
> 0x8c3880
> argus[7349]: 26 Jun 06 15:21:20.379383 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:21:22.873604 ArgusNewFlow() returning  
> 0x8c4080
> argus[7349]: 26 Jun 06 15:21:22.973600 ArgusNewFlow() returning  
> 0x8c4880
> argus[7349]: 26 Jun 06 15:21:23.587086 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:21:24.574699 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:21:24.674712 ArgusNewFlow() returning  
> 0x8c5080
> argus[7349]: 26 Jun 06 15:21:24.779721 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:21:24.779755 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:21:26.383809 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:21:26.588821 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:21:27.782906 ArgusNewFlow() returning  
> 0x8c5880
> argus[7349]: 26 Jun 06 15:21:27.803924 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:21:27.987954 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:21:28.591961 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:21:28.990965 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:21:29.788981 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:21:31.987020 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:21:32.397034 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:21:32.772047 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:21:32.972065 ArgusNewFlow() returning  
> 0x8c6080
> argus[7349]: 26 Jun 06 15:21:32.993070 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:21:36.588161 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:21:37.479197 ArgusNewFlow() returning  
> 0x8c6880
> argus[7349]: 26 Jun 06 15:21:37.600214 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:21:38.005227 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:21:38.189260 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:21:38.373268 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:21:42.379334 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:21:42.584339 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:21:43.183348 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:21:44.386377 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:21:46.576403 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:21:48.399432 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:21:50.605511 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:21:53.372570 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:21:56.580679 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:21:56.580726 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:21:58.372726 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:21:58.987750 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:22:02.585813 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:22:03.394835 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:22:06.577866 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:22:08.179880
> ArgusGenerateStatusMarRecord(0x89d080, 32) returning 0x89f880
> argus[7349]: 26 Jun 06 15:22:08.400896 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:22:08.584905 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:22:13.373927 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:22:14.581923 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:22:15.674915 ArgusNewFlow() returning  
> 0x8c2880
> argus[7349]: 26 Jun 06 15:22:16.588935 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:22:16.588974 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:22:18.379950 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:22:20.590960 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:22:20.591000 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:22:21.933632 ArgusNewFlow() returning  
> 0x8c3080
> argus[7349]: 26 Jun 06 15:22:23.582004 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:22:26.602022 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:22:26.602068 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:22:27.007022 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:22:27.980020 ArgusNewFlow() returning  
> 0x8c3880
> argus[7349]: 26 Jun 06 15:22:28.789061 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:22:28.973060 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:22:31.982070 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:22:32.581080 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:22:32.802087 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:22:33.991107 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:22:35.675124 ArgusNewFlow() returning  
> 0x8c4080
> argus[7349]: 26 Jun 06 15:22:36.600139 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:22:38.584151 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:22:39.183157 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:22:39.688180 ArgusNewFlow() returning  
> 0x8c4880
> argus[7349]: 26 Jun 06 15:22:40.782183 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:22:44.389198 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:22:44.573201 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:22:44.794209 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:22:45.078207 ArgusNewFlow() returning  
> 0x8c5080
> argus[7349]: 26 Jun 06 15:22:45.900812 ArgusNewFlow() returning  
> 0x8c5880
> argus[7349]: 26 Jun 06 15:22:46.588241 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:22:46.972218 ArgusNewFlow() returning  
> 0x8c6080
> argus[7349]: 26 Jun 06 15:22:47.926639 ArgusNewFlow() returning  
> 0x8c6880
> argus[7349]: 26 Jun 06 15:22:49.391258 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:22:49.990265 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:22:50.274279 ArgusNewFlow() returning  
> 0x8c7080
> argus[7349]: 26 Jun 06 15:22:50.584277 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:22:50.973281 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:22:51.173280 ArgusNewFlow() returning  
> 0x8c2880
> argus[7349]: 26 Jun 06 15:22:51.977296 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:22:52.177294 ArgusNewFlow() returning  
> 0x8c7880
> argus[7349]: 26 Jun 06 15:22:52.989321 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:22:53.173342 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:22:53.273356 ArgusNewFlow() returning  
> 0x8c8080
> argus[7349]: 26 Jun 06 15:22:55.178351 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:22:56.182357 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:22:56.571379 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:22:56.571419 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:22:57.175387 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:22:58.189394 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:22:58.189430 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:22:58.977394 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:23:01.880397 ArgusNewFlow() returning  
> 0x8c8880
> argus[7349]: 26 Jun 06 15:23:02.584422 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:23:03.372438 ArgusOutputProcess() output 0
> has 0 queued
> ^Cargus[7349]: 26 Jun 06 15:23:04.095651 ArgusScheduleShutDown(2)
>
> argus[7349]: 26 Jun 06 15:23:04.279470 ArgusShutDown(Normal Shutdown)
>
> argus[7349]: 26 Jun 06 15:23:04.279487 ArgusCloseSource(0x84c080)  
> starting
> argus[7349]: 26 Jun 06 15:23:04.279502 ArgusDeleteList (0x649580)  
> returning
> argus[7349]: 26 Jun 06 15:23:04.279514 ArgusCloseSource(0x84c080)
> deleting source
> argus[7349]: 26 Jun 06 15:23:04.279541 ArgusDeleteQueue (0x649d80)  
> returning
> argus[7349]: 26 Jun 06 15:23:04.279562 ArgusDeleteQueue (0x649380)  
> returning
> argus[7349]: 26 Jun 06 15:23:04.279575 ArgusModelerCleanUp ()  
> returning
> argus[7349]: 26 Jun 06 15:23:04.279589 ArgusCloseModeler(0x646080)
> argus[7349]: 26 Jun 06 15:23:04.279602 ArgusCloseOutput() scheduling
> closure after writing records
> argus[7349]: 26 Jun 06 15:23:04.279621 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:23:04.279652 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:23:04.279679 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:23:04.279704 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:23:04.279734
> ArgusGenerateStatusMarRecord(0x89d080, 48) returning 0x8bd480
> argus[7349]: 26 Jun 06 15:23:04.279749 ArgusOutputProcess() received
> stop record 0 records on the list
> argus[7349]: 26 Jun 06 15:23:04.279760 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:23:04.279782 ArgusDeleteList (0x649b80)  
> returning
> argus[7349]: 26 Jun 06 15:23:04.279806 ArgusDeleteSocket (0x8ab080)  
> returning
> argus[7349]: 26 Jun 06 15:23:04.279819 ArgusCloseOutput() done
> argus: Time 115.729131 Flows 27        Closed 0         Sends 90
> BSends 0        Updates 978      Cache 951
> bge0
>    Total Pkts      978  Rate 8.450768
> argus[7349]: 26 Jun 06 15:23:04.279871 ArgusShutDown()
> shuttle:/root# ra -r /nsm/argus3.arg
> ra[7370]: 15:23:14.394423 no input files
> shuttle:/root# ^Dexit
>
> Script done on Mon Jun 26 15:23:23 2006
>
> I've also attached the file Argus created.
>
> Thank you,
>
> Richard
> <argus3.arg>
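
A small triage helper for a trace like the one quoted above, added here as an example and not part of the original thread or the argus distribution: it rejoins the mail-wrapped lines, counts the debug calls, and compares the traced ArgusNewFlow count with the Flows figure in the shutdown statistics. The sample input is constructed, and the function names and summary keys are this example's own.

```python
import re
from collections import Counter

# Constructed sample in the layout of the quoted -D4 trace: "> " quoting,
# entries wrapped onto a second line, and the shutdown statistics line.
SAMPLE = """\
> argus[7349]: 26 Jun 06 15:21:08.550147 ArgusInitSource()
> pcap_open_live() returned 0x89f000
> argus[7349]: 26 Jun 06 15:21:08.671069 ArgusNewFlow() returning
> 0x89d880
> argus[7349]: 26 Jun 06 15:21:09.317716 ArgusNewFlow() returning
> 0x8c1080
> argus[7349]: 26 Jun 06 15:21:13.577115 ArgusOutputProcess() output 0
> has 0 queued
> argus[7349]: 26 Jun 06 15:22:08.179880
> ArgusGenerateStatusMarRecord(0x89d080, 32) returning 0x89f880
> argus: Time 60.000000 Flows 2        Closed 0         Sends 3
> BSends 0        Updates 10      Cache 8
"""

ENTRY = re.compile(r"^argus\[\d+\]: \d+ \w+ \d+ [\d:.]+\s*(.*)$")

def unwrap(text):
    """Drop mail quoting and rejoin wrapped lines onto their log entry."""
    entries = []
    for raw in text.splitlines():
        line = re.sub(r"^(>\s?)+", "", raw).strip().removeprefix("^C")
        if line.startswith(("argus[", "argus:")) or (line and not entries):
            entries.append(line)
        elif line:
            entries[-1] += " " + line
    return entries

def summarize(text):
    """Count debug calls and pull the Flows figure from the statistics line."""
    calls, queued, stats, opened = Counter(), [], {}, False
    for entry in unwrap(text):
        if entry.startswith("argus: Time"):  # shutdown statistics line
            stats = dict(re.findall(r"([A-Za-z]+)\s+([\d.]+)", entry[7:]))
        m = ENTRY.match(entry)
        msg = m.group(1) if m else ""
        opened = opened or "pcap_open_live() returned" in msg
        calls.update(re.findall(r"^(\w+)\s*\(", msg))
        queued += [int(n) for n in re.findall(r"has (\d+) queued", msg)]
    return {"capture_opened": opened,
            "flows_traced": calls["ArgusNewFlow"],
            "flows_reported": int(stats.get("Flows", -1)),
            "status_mars": calls["ArgusGenerateStatusMarRecord"],
            "max_queued": max(queued, default=0)}
```

Run over a saved `script` session, `summarize(open(path).read())` gives a one-screen view of whether capture started, how many flows and status records the trace shows, and whether the shutdown statistics agree.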






