question on argus listenning on 2 interfaces

Carter Bullard carter at qosient.com
Mon Jan 21 17:13:45 EST 2008 

Yes, that is why I suggested that you grab the code again.
Carter

On Jan 21, 2008, at 4:02 PM, Lei Wei wrote:

> Hi Carter,
>
> Did you get a chance to take a look at the problem I described to  
> you about new argus with dag? Since the new one is not working and I  
> need to use it for some experiments, where can I get the version  
> prior to the newest one that I could fix it to work for the time  
> being.
>
> Thanks.
> Lei
>
>
>
> Quoting Lei Wei <lwei at cs.unc.edu>:
>> Hey Carter,
>>
>> I just downloaded and installed the revised version of argus-3 but  
>> it didn't work. After I typed the command "argus -D 1 -i dag0 -w  
>> data.out", it gave me the error message:
>> ArgusError: argus[21318]: 19 Jan 08 13:19:01.146868  
>> ArgusInitSource: pcap_setnonblock() failed:
>> and some junk after it. And later when I typed the command again,  
>> it just exited and nothing happened like before.
>>
>> I actually have been using the fix suggested by stephen, i.e.  
>> changing
>> #if defined(CYGWIN) to #if 1 at line 1797 in argus-3.0.0/argus/ 
>> ArgusSource.c. After the change the argus works fine with DAG card  
>> except one issue. It seemed like the argus process crashes after  
>> several hours when I did some continuous monitoring. I started a  
>> trace on Thursday 3pm and the process died on Friday 12am. Then I  
>> tried it again yesterday but the same thing happened. I wonder what  
>> could result in the crash of argus?
>>
>> Thanks.
>> Lei
>
>
>> Quoting Carter Bullard <carter at qosient.com>:
>>
>>> Hey Lei,
>>>   Did you get a chance to test the new argus-3.0.0.tar.gz on the   
>>> server
>>> to see if it solved your DAG problem?
>>>
>>> Carter
>>>
>>> On Jan 9, 2008, at 8:42 PM, Lei Wei wrote:
>>>
>>>> Hi Peter,
>>>>
>>>> Thanks for the help. I did try to use DAG card but I cound't get   
>>>> Argus working with DAG. I installed the dag-enabled libpcap0.9.8  
>>>> but  Argus just can't get any data from it. Do you have any  
>>>> experience  with it? If so, could you give me some instructions  
>>>> on how to  configure argus to recoginize dag card?
>>>> many thanks~
>>>>
>>>> Lei
>>>>
>>>> Quoting Peter Van Epp <vanepp at sfu.ca>:
>>>>
>>>>> On Wed, Jan 09, 2008 at 06:19:28PM -0500, Lei Wei wrote:
>>>>>> Hello,
>>>>>>
>>>>>> I'm now monitoring the border traffic which has an inbound and an
>>>>>> outbound link. I'm not sure how argus would treat those two   
>>>>>> interfaces
>>>>>> if specified. I hope that it'll merge the two links and  
>>>>>> reconstruct
>>>>>> transactions but I'm not sure of what'd happen. And I also  
>>>>>> wonder if
>>>>>> the unidirection and bidirection options play a role in here.
>>>>>> So any comments?
>>>>>>
>>>>>> THanks.
>>>>>>
>>>>>> Lei
>>>>>
>>>>> 	Two interfaces from a tap works fine (if not optimally) as in
>>>>>
>>>>> argus -Jd -P 560 -i eth0 -i eth1
>>>>>
>>>>> this will indeed merge the streams most of the time and I've  
>>>>> run  like this
>>>>> for many years. There are issues (which Carter tweaked a while  
>>>>> back  in the
>>>>> 3.0 rcs) when what I think is likely interrupt queuing delivers   
>>>>> packets out
>>>>> of order though. So the optimal thing is to run two argi one  
>>>>> for  each interface
>>>>> and then let racluster merge the two individual streams later  
>>>>> (or  run a DAG
>>>>> cards which will time stamp all packets on receive by the  
>>>>> hardware  which
>>>>> cures the problem).
>>>>>
>>>>> Peter Van Epp / Operations and Technical Support
>>>>> Simon Fraser University, Burnaby, B.C. Canada
>>>>>
>>>>
>>>>
>>>>
>>>
>
>
>
>
>

More information about the argus mailing list