ArgusInterface timestamps wayyy out of order

Carter Bullard carter at qosient.com
Mon Apr 14 09:48:49 EDT 2008 

Hey Harry,
Peter is right about the interrupts, and that will cause some headaches.
This may not be that problem though, since the swings in timestamps are
so large.  The ArgusWarnings are definately saying something is up,
but these are not argus "killing" events., and it could be that the  
warnings
are mis-calculating the delta time........

So, do you have argus() opening 2 interfaces at a time, reading from two
independent packet capture cards?  Do you get to these cards through
libpcap?  Any chance you can capture using libpcap to see if you get  
weird
timestamps in packets?

If the difference in timestamp values really are that huge, I would  
suspect
that one of the cards, is passing up garbage, or its buffers are being
corrupted.

I'ld recommend using gdb() to stop where the ArgusWarning() is being
to see what the packets look like, or at least what the timestamps look
like.  That may give us all the info we need for the next step.
Send email if you're unfamiliar with gdb() or debugging live programs.

Carter


On Apr 13, 2008, at 10:44 AM, Harry Hoffman wrote:

> Hi,
>
> So, I just setup a fbsd 7.0 box (ibm x335 dual PIV/2GB RAM/2x73GB  
> HDs).
> The box is ntp sync'd and I've got two 1GB fiber cards, setup as a
> netgraph device, going into a NetOptics tap that sits in btwn our  
> border
> router.
>
> Argus keeps dying in daemon mode so I ran it in the foreground and see
> the following errors:
>
>  ArgusWarning: argus[11889]: 12 Apr 08 21:59:10.100962 started
>  ArgusWarning: argus[11889]: 12 Apr 08 21:59:10.101208
> ArgusGetInterfaceStatus: interface ngeth0 is up
>  ArgusWarning: argus[11889]: 12 Apr 08 22:03:38.881062 ArgusInterface
> timestamps wayyy out of order: now -93781688 then 1208052218
>  ArgusWarning: argus[11889]: 12 Apr 08 22:04:35.004380 ArgusInterface
> timestamps wayyy out of order: now 845807944 then 1208052274
>  ArgusWarning: argus[11889]: 12 Apr 08 22:08:08.653032 ArgusInterface
> timestamps wayyy out of order: now 141230408 then 1208052488
>  ArgusWarning: argus[11889]: 12 Apr 08 22:10:27.178813 ArgusInterface
> timestamps wayyy out of order: now -1821703864 then 1208052627
>  ArgusWarning: argus[11889]: 12 Apr 08 22:12:47.256416 ArgusInterface
> timestamps wayyy out of order: now 527171912 then 1208052767
>  ArgusWarning: argus[11889]: 12 Apr 08 22:14:31.224113 ArgusInterface
> timestamps wayyy out of order: now -2022964920 then 1208052871
>
> Google isn't being much help on this one. Any pointers as how to fix
> this?
>
> Cheers,
> Harry
>
>
>
>

More information about the argus mailing list