question on argus listenning on 2 interfaces

Lei Wei lwei at cs.unc.edu
Sat Jan 19 13:36:31 EST 2008 

Quoting Carter Bullard <carter at qosient.com>:

> Hey Lei,
>    Did you get a chance to test the new argus-3.0.0.tar.gz on the  server
> to see if it solved your DAG problem?
>
> Carter
>
> On Jan 9, 2008, at 8:42 PM, Lei Wei wrote:
>
>> Hi Peter,
>>
>> Thanks for the help. I did try to use DAG card but I cound't get  
>> Argus working with DAG. I installed the dag-enabled libpcap0.9.8 but 
>>  Argus just can't get any data from it. Do you have any experience  
>> with it? If so, could you give me some instructions on how to  
>> configure argus to recoginize dag card?
>> many thanks~
>>
>> Lei
>>
>> Quoting Peter Van Epp <vanepp at sfu.ca>:
>>
>>> On Wed, Jan 09, 2008 at 06:19:28PM -0500, Lei Wei wrote:
>>>> Hello,
>>>>
>>>> I'm now monitoring the border traffic which has an inbound and an
>>>> outbound link. I'm not sure how argus would treat those two  interfaces
>>>> if specified. I hope that it'll merge the two links and reconstruct
>>>> transactions but I'm not sure of what'd happen. And I also wonder if
>>>> the unidirection and bidirection options play a role in here.
>>>> So any comments?
>>>>
>>>> THanks.
>>>>
>>>> Lei
>>>
>>> 	Two interfaces from a tap works fine (if not optimally) as in
>>>
>>> argus -Jd -P 560 -i eth0 -i eth1
>>>
>>> this will indeed merge the streams most of the time and I've run  like this
>>> for many years. There are issues (which Carter tweaked a while back  in the
>>> 3.0 rcs) when what I think is likely interrupt queuing delivers  
>>> packets out
>>> of order though. So the optimal thing is to run two argi one for  
>>> each interface
>>> and then let racluster merge the two individual streams later (or  
>>> run a DAG
>>> cards which will time stamp all packets on receive by the hardware  which
>>> cures the problem).
>>>
>>> Peter Van Epp / Operations and Technical Support
>>> Simon Fraser University, Burnaby, B.C. Canada
>>>
>>
>>
>>
>


Hey Carter,

I just downloaded and installed the revised version of argus-3 but it 
didn't work. After I typed the command "argus -D 1 -i dag0 -w 
data.out", it gave me the error message:
ArgusError: argus[21318]: 19 Jan 08 13:19:01.146868 ArgusInitSource: 
pcap_setnonblock() failed:
and some junk after it. And later when I typed the command again, it 
just exited and nothing happened like before.

I actually have been using the fix suggested by stephen, i.e. changing
#if defined(CYGWIN) to #if 1 at line 1797 in 
argus-3.0.0/argus/ArgusSource.c. After the change the argus works fine 
with DAG card except one issue. It seemed like the argus process 
crashes after several hours when I did some continuous monitoring. I 
started a trace on Thursday 3pm and the process died on Friday 12am. 
Then I tried it again yesterday but the same thing happened. I wonder 
what could result in the crash of argus?

Thanks.
Lei

More information about the argus mailing list