argus vs tcpdumped traffic from FreeBSD tun interface

Mike Patterson mpatters at cs.uwaterloo.ca
Mon Apr 9 23:07:21 EDT 2007


I'm trying to run argus against some tcpdump traces I grab from my tun
device (PPPoE) on my FreeBSD gateway.  I'm reasonably certain I'm doing
things correctly, as argus operates correctly if I use tcpdump traces
captured from fxp0 (my internal network interface), but it dumps core
when I use traces from tun0.

For instance, I'm trying:
 tcpdump -i fxp0 -s0 -w /nsm/traces/fullout.lpc
(or -i tun0)

Then:
 argus -r fullout.lpc -w $ARGUSHOME/fullout.argus
which dumps core if the trace was captured from tun0.

Am I doing something stupid (this is not meant to work), missing
something (an option?), or have I found something wrong?  I'm playing
with a tunnel device at home, and I can work around it by just looking
at all network traffic instead of what goes through the tunnel, but I'd
rather just see traffic that's actually bound for or coming from
addresses external to my home network.  I get similar failure modes
using both 2.0.6 (from the FreeBSD ports tree) and 3.0 rc42 (built from
source).

I experimented on a different machine at work with a bridge instead of a
tunnel, and it seems to work just fine (although argus 3.0 seems to
choke on some tcpdump traffic that 2.0.6 is happy with, which seems to
be a separate issue).

Any comments would be appreciated.  I can share some tcpdump traces and
core files if anybody wants to see them.

Thanks,

Mike
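As an added diagnostic, not part of Mike's post and not code from argus or tcpdump: a small Python parser for the pcap global header that reports which link-layer type a trace was written with, and, for LINKTYPE_NULL captures, the address family word of the first packet. On FreeBSD a tun(4) device is attached to BPF with DLT_NULL (a 4-byte address-family word in place of a link header), while fxp0 writes Ethernet frames, so the two traces differ from the first bytes of every packet; whether that is what argus trips over is not established by the post, but it is the first thing worth checking before sending core files around. The sample captures are constructed inline; the LINKTYPE names are the libpcap file values, not per-OS DLT numbers.

```python
import struct
import sys

# libpcap LINKTYPE_* values as recorded in the file's global header. These are the
# on-disk values, which for some types differ from the platform's DLT_* numbers.
LINKTYPE_NAMES = {
    0: "NULL (BSD loopback / FreeBSD tun: 4-byte address-family word)",
    1: "EN10MB (Ethernet)",
    9: "PPP",
    101: "RAW (raw IPv4/IPv6, no link-layer header)",
    113: "LINUX_SLL (Linux cooked capture)",
}

MAGIC_USEC = 0xA1B2C3D4   # classic pcap, microsecond timestamps
MAGIC_NSEC = 0xA1B23C4D   # pcap with nanosecond timestamps

AF_INET = 2               # identical on every BSD and on Linux
FAMILY_NAMES = {2: "AF_INET", 28: "AF_INET6 (FreeBSD value)", 10: "AF_INET6 (Linux value)"}


def parse_global_header(data):
    """Decode the 24-byte pcap global header; raise ValueError if it is not pcap."""
    if len(data) < 24:
        raise ValueError("file too short for a pcap global header")
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", data[:4])[0]
        if magic in (MAGIC_USEC, MAGIC_NSEC):
            break
    else:
        raise ValueError("not a pcap file (magic 0x%08x)" % struct.unpack("<I", data[:4])[0])
    vmaj, vmin, _tz, _sigfigs, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    return {
        "endian": "little" if endian == "<" else "big",
        "nanosecond": magic == MAGIC_NSEC,
        "version": (vmaj, vmin),
        "snaplen": snaplen,
        "linktype": linktype,
        "linktype_name": LINKTYPE_NAMES.get(linktype, "unknown"),
    }


def first_packet_family(data):
    """For a LINKTYPE_NULL trace, return the address family of the first packet.

    Returns None for any other link type. The family word is written in the
    capturing host's byte order rather than the file's, so a value that only
    makes sense byte-swapped is swapped before being returned.
    """
    hdr = parse_global_header(data)
    if hdr["linktype"] != 0:
        return None
    endian = "<" if hdr["endian"] == "little" else ">"
    if len(data) < 24 + 16 + 4:
        raise ValueError("no complete packet record in trace")
    _sec, _frac, incl_len, _orig_len = struct.unpack(endian + "IIII", data[24:40])
    if incl_len < 4:
        raise ValueError("first packet shorter than the DLT_NULL header")
    family = struct.unpack(endian + "I", data[40:44])[0]
    if family > 0xFFFF:
        swapped = ">" if endian == "<" else "<"
        family = struct.unpack(swapped + "I", data[40:44])[0]
    return family


# ---- constructed sample traces (not the traces from the post) ----
def _pcap_global_header(linktype, snaplen=65535):
    return struct.pack("<IHHiIII", MAGIC_USEC, 2, 4, 0, 0, snaplen, linktype)

# Minimal 20-byte IPv4 header: v4/IHL, TOS, total len, id, flags/frag, TTL, proto UDP, csum, src, dst.
_ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                    bytes([192, 168, 1, 10]), bytes([203, 0, 113, 5]))

# What a tcpdump -w on fxp0 starts with (Ethernet link type, no packets needed here).
ETHERNET_CAPTURE = _pcap_global_header(1)

# What a tcpdump -w on FreeBSD tun0 looks like: link type NULL, each packet led by AF_INET.
_tun_payload = struct.pack("<I", AF_INET) + _ipv4
TUN_CAPTURE = (_pcap_global_header(0)
               + struct.pack("<IIII", 0, 0, len(_tun_payload), len(_tun_payload))
               + _tun_payload)


def describe(data):
    """One-line summary suitable for eyeballing a trace before feeding it to argus."""
    hdr = parse_global_header(data)
    line = "pcap v%d.%d %s-endian snaplen=%d linktype=%d %s" % (
        hdr["version"] + (hdr["endian"], hdr["snaplen"], hdr["linktype"], hdr["linktype_name"]))
    fam = first_packet_family(data)
    if fam is not None:
        line += "; first packet family=%d %s" % (fam, FAMILY_NAMES.get(fam, "unknown"))
    return line


if __name__ == "__main__":
    blobs = [open(p, "rb").read() for p in sys.argv[1:]] or [ETHERNET_CAPTURE, TUN_CAPTURE]
    for blob in blobs:
        print(describe(blob))
```

Run it against the two traces (`python3 pcaphdr.py fullout.lpc tunout.lpc`); the first word after `linktype=` is what argus must understand. tcpdump itself prints the same information on stderr when reading a file (`tcpdump -r file -c 1` reports "link-type NULL (BSD loopback)" for a tun capture), so this script mainly adds the byte-order check on the family word.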
