Argus on Bivio 7500

[Jason Carr]

Sorry, maybe I was not clear...  what I meant to say is that if you  
run tethereal -i default it will capture everything on any devices  
that the node has been assigned to use (tcpdump doesn't work right on  
Bivio but tethereal does).

I attached the debug log for argus when I run argus:

/usr/local/sbin/argus -X -U 128 -i default -P 561 -e 1 -D 999
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: argus-out.txt
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20090806/9eaf99a0/attachment.txt>
-------------- next part --------------



On Aug 5, 2009, at 7:58 PM, Peter Van Epp wrote:

> <snip>
>>
>> The other thing I noticed is that there is no way to start argus
>> listening on the interface called "default".  According to the Bivio
>> manual, it's a pseudo-interface name that allows capture on all
>> interfaces that might be bound to that inspection group that the  
>> Bivio's
>> customized pcap handles internally.  For example, we have two  
>> interfaces
>> at 10G each from a network that we are monitoring.  We'd want to  
>> monitor
>> both interfaces at the same time.  It's a lot easier to monitor  
>> "default"
>> instead of monitoring s0.e0 and s1.e0.  Right now, argus just quits  
>> with
>> no error message.
>>
>> Specifying multiple interfaces on the command line does not work  
>> either,
>> for example:
>>
>> [Bivio] root at CPU-3c0 ~$ /usr/local/sbin/argus -X -U 128 -i s1.e0 -i
>> s2.e0 -P 561 -e 1 - ip
>> argus[26239]: 05 Aug 09 15:17:52.400570 ArgusOpenInterface:
>> pcap_open_live zcopy_open: Can't MMAP to kernel (errno 12)
>>
> <snip>
>
> 	You need to figure out what interface the Bivio thinks is "default".
> You might try no -i which will use the default (usually the first it  
> finds)
> interface and see if that is default in this case. Otherwise if you  
> have
> something that runs on the default interface that you have source to  
> you can
> run gdb on the pcap open and see what device it is using and argus  
> should be
> happy with the same one. A look at the FreeBSD pcap man page  
> indicates the
> pcap_findalldevs() call will list all interfaces. I'm not a aware of  
> a command
> that displays this but there may be one, other wise there is always  
> C :-).
> If you eliminate the known interfaces whats left (if anything is  
> left) should
> be default. Ah! tcpdump -D should print the list of available  
> interfaces
> perhaps saving you some coding :-). My freeBSD box says (as root):
>
> tcpdump -D
> 1.nfe0
> 2.lo0
>
> 1 is the NIC 2 is the loopback interface. In your case I'd expect  
> the known
> interfaces, "default" and a loopback interface. It may be also worth  
> trying
> the lo0 interface as default. Good luck :-) You likely need to use a  
> Bivio
> aware copy of tcpdump if there is such a thing as well (may not be  
> libpcap
> should be standard from the user side of things).
> 	On standard NICs two interfaces as you are specifying used to work
> (I no longer have access to the machine where I used to run this way  
> thus the
> "used to" :-)). From the error message I think it still does, the  
> Bivio libpcap
> looks to not like trying to open the same mapping twice. As far as I  
> remember
> the linux pf-ring code used to let me do the two NIC version with 2 - 
> i commands
> and it does a similar mmap operation to avoid the kernel to userland  
> memory
> copy so it should be a Bivio limitation (probably fixable by knowing  
> how to
> specify default from the sounds of it).
>
> Peter Van Epp
>