Argus on Bivio 7500

Peter Van Epp vanepp at sfu.ca
Wed Aug 5 19:58:33 EDT 2009


<snip>
>
> The other thing I noticed is that there is no way to start argus  
> listening on the interface called "default".  According to the Bivio  
> manual, it's a pseudo-interface name that allows capture on all  
> interfaces that might be bound to that inspection group that the Bivio's 
> customized pcap handles internally.  For example, we have two interfaces 
> at 10G each from a network that we are monitoring.  We'd want to monitor 
> both interfaces at the same time.  It's a lot easier to monitor "default" 
> instead of monitoring s0.e0 and s1.e0.  Right now, argus just quits with 
> no error message.
>
> Specifying multiple interfaces on the command line does not work either, 
> for example:
>
> [Bivio] root at CPU-3c0 ~$ /usr/local/sbin/argus -X -U 128 -i s1.e0 -i  
> s2.e0 -P 561 -e 1 - ip
> argus[26239]: 05 Aug 09 15:17:52.400570 ArgusOpenInterface:  
> pcap_open_live zcopy_open: Can't MMAP to kernel (errno 12)
>
<snip>

	You need to figure out what interface the Bivio thinks is "default".
You might try no -i which will use the default (usually the first it finds)
interface and see if that is default in this case. Otherwise if you have
something that runs on the default interface that you have source to you can
run gdb on the pcap open and see what device it is using and argus should be
happy with the same one. A look at the FreeBSD pcap man page indicates the
pcap_findalldevs() call will list all interfaces. I'm not aware of a command
that displays this but there may be one, otherwise there is always C :-).
If you eliminate the known interfaces what's left (if anything is left) should
be default. Ah! tcpdump -D should print the list of available interfaces
perhaps saving you some coding :-). My FreeBSD box says (as root):

tcpdump -D 
1.nfe0
2.lo0

1 is the NIC, 2 is the loopback interface. In your case I'd expect the known
interfaces, "default" and a loopback interface. It may also be worth trying
the lo0 interface as default. Good luck :-) You likely need to use a Bivio
aware copy of tcpdump if there is such a thing as well (may not be, libpcap
should be standard from the user side of things). 
	On standard NICs two interfaces as you are specifying used to work
(I no longer have access to the machine where I used to run this way thus the
"used to" :-)). From the error message I think it still does, the Bivio libpcap
looks to not like trying to open the same mapping twice. As far as I remember
the linux pf-ring code used to let me do the two NIC version with 2 -i commands
and it does a similar mmap operation to avoid the kernel to userland memory 
copy so it should be a Bivio limitation (probably fixable by knowing how to 
specify default from the sounds of it).

Peter Van Epp
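The elimination procedure described in the reply above (list what libpcap sees with `tcpdump -D`, subtract the interfaces you already know about, and whatever remains is the candidate for "default") as a small POSIX shell helper. This is an added example, not code from the original message or from the argus project; the `tcpdump -D` output embedded below is constructed for the example, using the s0.e0/s1.e0 names from the quoted message, and the real listing on a Bivio box will differ.

```sh
#!/bin/sh
# Added example: parse `tcpdump -D` style output and report the interface
# names that are not in a caller-supplied list of known interfaces.

# find_unknown_ifaces "KNOWN1 KNOWN2 ..."
#   Reads `tcpdump -D` lines on stdin. Each line looks like "N.name" or
#   "N.name [description]" (newer tcpdump prints a description). Strips the
#   leading "N." index and any trailing description, then prints every name
#   that is not in the space-separated KNOWN list, one per line.
find_unknown_ifaces() {
    known=" $1 "
    while IFS= read -r line; do
        # Drop the "N." prefix only when the line actually starts with one.
        case "$line" in
            [0-9]*.*) name=${line#*.} ;;
            *)        name=$line ;;
        esac
        # Keep the first word: "lo0 [Loopback]" -> "lo0".
        name=${name%%[[:space:]]*}
        [ -n "$name" ] || continue
        case "$known" in
            *" $name "*) ;;                 # already known, skip it
            *) printf '%s\n' "$name" ;;     # leftover candidate
        esac
    done
}

# Constructed sample listing (not real Bivio output): two 10G ports from the
# quoted message, the "default" pseudo-interface, and a loopback.
SAMPLE_TCPDUMP_D='1.s0.e0
2.s1.e0
3.default
4.lo0 [Loopback]'

# candidates_from_sample "KNOWN..." runs the helper over the sample listing;
# on a live box replace the printf with: tcpdump -D | find_unknown_ifaces "$1"
candidates_from_sample() {
    printf '%s\n' "$SAMPLE_TCPDUMP_D" | find_unknown_ifaces "$1"
}

# Stand-alone run: hide the ports we know and the loopback, see what is left.
candidates_from_sample "s0.e0 s1.e0 lo0"
```

On a real system pipe `tcpdump -D` into `find_unknown_ifaces` instead of the sample; the helper only matches whole names, so a known `s0.e0` does not accidentally hide an unrelated `s0.e01`.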
