question on argus listenning on 2 interfaces

Carter Bullard carter at qosient.com
Sat Jan 19 22:36:40 EST 2008 

Grab it again.  I just uploaded an argus-3.0.0.tar.gz that will get past
that step.
Carter

On Jan 19, 2008, at 1:36 PM, Lei Wei wrote:

> Quoting Carter Bullard <carter at qosient.com>:
>
>> Hey Lei,
>>   Did you get a chance to test the new argus-3.0.0.tar.gz on the   
>> server
>> to see if it solved your DAG problem?
>>
>> Carter
>>
>> On Jan 9, 2008, at 8:42 PM, Lei Wei wrote:
>>
>>> Hi Peter,
>>>
>>> Thanks for the help. I did try to use DAG card but I cound't get   
>>> Argus working with DAG. I installed the dag-enabled libpcap0.9.8  
>>> but  Argus just can't get any data from it. Do you have any  
>>> experience  with it? If so, could you give me some instructions on  
>>> how to  configure argus to recoginize dag card?
>>> many thanks~
>>>
>>> Lei
>>>
>>> Quoting Peter Van Epp <vanepp at sfu.ca>:
>>>
>>>> On Wed, Jan 09, 2008 at 06:19:28PM -0500, Lei Wei wrote:
>>>>> Hello,
>>>>>
>>>>> I'm now monitoring the border traffic which has an inbound and an
>>>>> outbound link. I'm not sure how argus would treat those two   
>>>>> interfaces
>>>>> if specified. I hope that it'll merge the two links and  
>>>>> reconstruct
>>>>> transactions but I'm not sure of what'd happen. And I also  
>>>>> wonder if
>>>>> the unidirection and bidirection options play a role in here.
>>>>> So any comments?
>>>>>
>>>>> THanks.
>>>>>
>>>>> Lei
>>>>
>>>> 	Two interfaces from a tap works fine (if not optimally) as in
>>>>
>>>> argus -Jd -P 560 -i eth0 -i eth1
>>>>
>>>> this will indeed merge the streams most of the time and I've run   
>>>> like this
>>>> for many years. There are issues (which Carter tweaked a while  
>>>> back  in the
>>>> 3.0 rcs) when what I think is likely interrupt queuing delivers   
>>>> packets out
>>>> of order though. So the optimal thing is to run two argi one for   
>>>> each interface
>>>> and then let racluster merge the two individual streams later  
>>>> (or  run a DAG
>>>> cards which will time stamp all packets on receive by the  
>>>> hardware  which
>>>> cures the problem).
>>>>
>>>> Peter Van Epp / Operations and Technical Support
>>>> Simon Fraser University, Burnaby, B.C. Canada
>>>>
>>>
>>>
>>>
>>
>
>
> Hey Carter,
>
> I just downloaded and installed the revised version of argus-3 but  
> it didn't work. After I typed the command "argus -D 1 -i dag0 -w  
> data.out", it gave me the error message:
> ArgusError: argus[21318]: 19 Jan 08 13:19:01.146868 ArgusInitSource:  
> pcap_setnonblock() failed:
> and some junk after it. And later when I typed the command again, it  
> just exited and nothing happened like before.
>
> I actually have been using the fix suggested by stephen, i.e. changing
> #if defined(CYGWIN) to #if 1 at line 1797 in argus-3.0.0/argus/ 
> ArgusSource.c. After the change the argus works fine with DAG card  
> except one issue. It seemed like the argus process crashes after  
> several hours when I did some continuous monitoring. I started a  
> trace on Thursday 3pm and the process died on Friday 12am. Then I  
> tried it again yesterday but the same thing happened. I wonder what  
> could result in the crash of argus?
>
> Thanks.
> Lei
>
>
>
>

More information about the argus mailing list