GRE packets appear to be invisible to Argus 3

Kevin & Leah Branch klkbranch at hotmail.com
Wed Dec 26 22:01:06 EST 2007


Hi,
 
I've used argus 2.0.6 for years and it has been of huge value to me for network diagnostics and network-level forensics.  I recently upgraded one of my sites to use argus 3.0.0 and argus-clients-3.0.0.rc.65.  I am quite impressed with the new features, especially those in racluster.
 
I am having an issue with the new version, though.  My argus version 3 does not appear to be creating any records to account for GRE traffic.  As I understand, PPTP VPN tunnel traffic runs primarily across GRE (IP protocol 47) with a control channel on tcp/1723.  While PPTP sessions are operating across my network edge, argus 3 creates records for the tcp/1723 traffic but none for the GRE traffic.  
 
I even captured a bit of traffic between the Internet and my local PPTP server, saving it as a tcpdump capture file pptp.cap.  When I used argus 2 on that data:

~/argus-2.0.6/bin/argus -r pptp.cap -w pptp.arg2
I find both the tcp/1723 and GRE parts of the PPTP session accounted for by ra:

~/argus-clients-2.0.6/bin/ra -r pptp.arg2
 
20 Dec 07 23:23:53           tcp vpn-client.57156  ->  pptp-server.1723  10       10        1124         964         FIN
20 Dec 07 23:23:53           gre vpn-client       <->  pptp-server       13       10        1032         794         CON
However, when I use argus 3, 

~/argus-3.0.0/bin/argus -r pptp.cap -w pptp.arg3
I see no accounting for the GRE traffic

~/argus-clients-3.0.0/bin/ra -r pptp.arg2
 
23:23:53.443783  e         tcp       vpn-client.57156     ->     pptp-server.1723         20       2112   FIN
It appears that GRE traffic is effectively invisible to version 3.0.0 of argus while argus 2.0.6 handles it fine.
I've observed this issue on both CentOS 4 and CentOS 5 platforms.  On both platforms, I do a generic compile of the argus-3.0.0 and argus-clients-3.0.0.rc.65 source tarballs.  
About the only distinctive thing about my setup is that I compile both versions of argus against my mmap-enabled libpcap-0.9x.20070323 for higher-performance packet captures.  Since my tcpdump is compiled against the same special libpcap and has no problem capturing GRE packets, and argus 2.0.6 compiled the same way also has no trouble, I presume the special libpcap is not likely the source of the problem.
 
I'm no programmer, but I do notice that the file

./include/argus_gre.h
in the argus-3.0.0 tarball does not appear to be referenced by any other file in the package.  Is there possibly an #include <argus_gre.h> missing somewhere in one of the C source or header files?  I poked around a bit but I really don't see how all the files hang together.  It's been too long since I took that C course in college...
 
Carter or anyone who's more of a coder than I am, what's your take on this???  I'd sure like to get my argus accounting for all my traffic again.
 
Thanks in advance for looking into this,
Kevin
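A pcap protocol tally, added here as an illustration and not part of the original post or of the argus project: it reads a libpcap file and counts GRE (IP protocol 47) frames separately from tcp/1723 control frames, so the totals can be compared with what ra reports for the same capture. The sample capture is constructed inline; the addresses and the client port 57156 are made-up stand-ins mirroring the post.

```python
import struct
from collections import Counter
GRE, TCP, PPTP_CTRL_PORT = 47, 6, 1723      # PPTP = GRE data + tcp/1723 control

def pcap_frames(data):
    """Yield (linktype, frame) from an in-memory libpcap file, either byte order."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if end is None:
        raise ValueError("not a libpcap file")
    linktype = struct.unpack(end + "I", data[20:24])[0]
    off = 24
    while off + 16 <= len(data):
        incl = struct.unpack(end + "IIII", data[off:off + 16])[2]  # caplen
        off += 16
        yield linktype, data[off:off + incl]
        off += incl

def tally_pptp(data):
    """Count frames per IP protocol; TCP is split into tcp/1723 and tcp/other."""
    counts = Counter()
    for linktype, frame in pcap_frames(data):
        # Only Ethernet (DLT 1) carrying IPv4 (EtherType 0x0800) is decoded here
        if linktype != 1 or len(frame) < 34 or frame[12:14] != b"\x08\x00":
            counts["non-ipv4"] += 1
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4                 # IPv4 header length in bytes
        proto = ip[9]
        if proto == GRE:
            counts["gre"] += 1
        elif proto == TCP:
            sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
            counts["tcp/1723" if PPTP_CTRL_PORT in (sport, dport) else "tcp/other"] += 1
        else:
            counts["ip/%d" % proto] += 1
    return dict(counts)

def _frame(proto, sport=0, dport=0):
    eth = b"\x00" * 12 + b"\x08\x00"
    # Constructed IPv4 header, made-up 10.0.0.1 -> 192.168.1.2, checksum left zero
    ip = bytes([0x45, 0, 0, 40, 0, 0, 0, 0, 64, proto, 0, 0, 10, 0, 0, 1, 192, 168, 1, 2])
    if proto == TCP:
        return eth + ip + struct.pack("!HH", sport, dport) + b"\x00" * 16
    return eth + ip + b"\x00\x00\x88\x0b"        # minimal GRE header, proto 0x880B (PPP)

def build_sample_pcap():
    """Constructed capture: three tcp/1723 control frames and two GRE data frames."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # DLT_EN10MB
    for f in [_frame(TCP, 57156, 1723)] * 3 + [_frame(GRE)] * 2:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out
```

Run tally_pptp(open("pptp.cap", "rb").read()) on the real capture; a non-zero gre count here with no gre records from ra confirms the frames are in the file and the sensor, not libpcap, is dropping them.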

