[PATCH] TcpRtt support in ragraph

Tomoyuki Sakurai cherry at trombik.org
Tue Aug 26 12:10:38 EDT 2008


On Tue, Aug 26, 2008 at 08:56:50AM -0400, Carter Bullard wrote:
> 
> Any idea how to get packets before they make it to the pf?  Nice to get
> the protection offered by "TCP SYN Proxy" or the "Spoofed Packet
> Blocking", but it would be nice to monitor the packets before the
> pf does stuff to them?

In my network, synproxy is done on the external interface, while argus
is watching packets on the internal interface.

In theory, I believe argus can see raw traffic if configured to monitor
on the external interface (I might be wrong). But, unfortunately, argus
cannot see packets on the external interface because OpenBSD uses a
different DLT_* value (DLT_LOOP == 12) for PPPoE from the one argus is
using. There's no standard to define DLT_* values in bpf.h.

The simplest workaround is using a TAP in front of OpenBSD. This is
not only a workaround, but also for performance, IMO. Also, you will not
suffer from a problem like the one I encountered this time.

> Hope all is most excellent, and I'm glad argus is working for you.
 
argus 3.x is much better than 2.x for me (especially graphing and IPv6).
I just wish more documentation were available.

-- 
Tomoyuki Sakurai


