question on argus listenning on 2 interfaces

Mon Jan 21 16:02:16 EST 2008

Hi Carter,

Did you get a chance to take a look at the problem I described to you 
about new argus with dag? Since the new one is not working and I need 
to use it for some experiments, where can I get the version prior to 
the newest one that I could fix it to work for the time being.

Thanks.
Lei

Quoting Lei Wei <lwei at cs.unc.edu>:
> Hey Carter,
>
> I just downloaded and installed the revised version of argus-3 but it 
> didn't work. After I typed the command "argus -D 1 -i dag0 -w 
> data.out", it gave me the error message:
> ArgusError: argus[21318]: 19 Jan 08 13:19:01.146868 ArgusInitSource: 
> pcap_setnonblock() failed:
> and some junk after it. And later when I typed the command again, it 
> just exited and nothing happened like before.
>
> I actually have been using the fix suggested by stephen, i.e. changing
> #if defined(CYGWIN) to #if 1 at line 1797 in 
> argus-3.0.0/argus/ArgusSource.c. After the change the argus works 
> fine with DAG card except one issue. It seemed like the argus process 
> crashes after several hours when I did some continuous monitoring. I 
> started a trace on Thursday 3pm and the process died on Friday 12am. 
> Then I tried it again yesterday but the same thing happened. I wonder 
> what could result in the crash of argus?
>
> Thanks.
> Lei

> Quoting Carter Bullard <carter at qosient.com>:
>
>> Hey Lei,
>>    Did you get a chance to test the new argus-3.0.0.tar.gz on the  server
>> to see if it solved your DAG problem?
>>
>> Carter
>>
>> On Jan 9, 2008, at 8:42 PM, Lei Wei wrote:
>>
>>> Hi Peter,
>>>
>>> Thanks for the help. I did try to use DAG card but I cound't get  
>>> Argus working with DAG. I installed the dag-enabled libpcap0.9.8 
>>> but  Argus just can't get any data from it. Do you have any 
>>> experience  with it? If so, could you give me some instructions on 
>>> how to  configure argus to recoginize dag card?
>>> many thanks~
>>>
>>> Lei
>>>
>>> Quoting Peter Van Epp <vanepp at sfu.ca>:
>>>
>>>> On Wed, Jan 09, 2008 at 06:19:28PM -0500, Lei Wei wrote:
>>>>> Hello,
>>>>>
>>>>> I'm now monitoring the border traffic which has an inbound and an
>>>>> outbound link. I'm not sure how argus would treat those two  interfaces
>>>>> if specified. I hope that it'll merge the two links and reconstruct
>>>>> transactions but I'm not sure of what'd happen. And I also wonder if
>>>>> the unidirection and bidirection options play a role in here.
>>>>> So any comments?
>>>>>
>>>>> THanks.
>>>>>
>>>>> Lei
>>>>
>>>> 	Two interfaces from a tap works fine (if not optimally) as in
>>>>
>>>> argus -Jd -P 560 -i eth0 -i eth1
>>>>
>>>> this will indeed merge the streams most of the time and I've run  
>>>> like this
>>>> for many years. There are issues (which Carter tweaked a while 
>>>> back  in the
>>>> 3.0 rcs) when what I think is likely interrupt queuing delivers  
>>>> packets out
>>>> of order though. So the optimal thing is to run two argi one for  
>>>> each interface
>>>> and then let racluster merge the two individual streams later (or  
>>>> run a DAG
>>>> cards which will time stamp all packets on receive by the hardware  which
>>>> cures the problem).
>>>>
>>>> Peter Van Epp / Operations and Technical Support
>>>> Simon Fraser University, Burnaby, B.C. Canada
>>>>
>>>
>>>
>>>
>>