Argus on Bivio 7500

Eric Gustafson subwire at gmail.com
Tue Jun 23 01:07:04 EDT 2009


Hey guys,
Thanks for the info on this.  Bivio has been happy to do a few special
requests for us in the past, so maybe if we bug them, we'll see an updated
libpcap! :)
Carter, it sounds like the easiest way to figure out if we're on a bivio or
not would be some configure-time voodoo involving either the kernel version
string or checking for key bivio folder structures.
Here's what we have for pre-defined macros:
#define __DBL_MIN_EXP__ (-1021)
#define __FLT_MIN__ 1.17549435e-38F
#define __CHAR_BIT__ 8
#define __WCHAR_MAX__ 2147483647
#define __DBL_DENORM_MIN__ 4.9406564584124654e-324
#define __FLT_EVAL_METHOD__ 0
#define __DBL_MIN_10_EXP__ (-307)
#define __FINITE_MATH_ONLY__ 0
#define __GNUC_PATCHLEVEL__ 0
#define __SHRT_MAX__ 32767
#define __LDBL_MAX__ 1.79769313486231580793728971405301e+308L
#define __UINTMAX_TYPE__ long long unsigned int
#define __linux 1
#define __CHAR_UNSIGNED__ 1
#define __LDBL_MAX_EXP__ 1024
#define __linux__ 1
#define __SCHAR_MAX__ 127
#define __USER_LABEL_PREFIX__
#define __STDC_HOSTED__ 1
#define __LDBL_HAS_INFINITY__ 1
#define __DBL_DIG__ 15
#define __FLT_EPSILON__ 1.19209290e-7F
#define _CALL_SYSV 1
#define __LDBL_MIN__ 2.00416836000897277799610805135016e-292L
#define __unix__ 1
#define __DECIMAL_DIG__ 33
#define __gnu_linux__ 1
#define __LDBL_HAS_QUIET_NAN__ 1
#define __GNUC__ 4
#define __DBL_MAX__ 1.7976931348623157e+308
#define __DBL_HAS_INFINITY__ 1
#define __DBL_MAX_EXP__ 1024
#define __LONG_LONG_MAX__ 9223372036854775807LL
#define __PPC__ 1
#define __GXX_ABI_VERSION 1002
#define __FLT_MIN_EXP__ (-125)
#define __DBL_MIN__ 2.2250738585072014e-308
#define __DBL_HAS_QUIET_NAN__ 1
#define __REGISTER_PREFIX__
#define __NO_INLINE__ 1
#define _ARCH_PPC 1
#define __FLT_MANT_DIG__ 24
#define __VERSION__ "4.1.0 20060304 (Red Hat 4.1.0-3)"
#define __BIG_ENDIAN__ 1
#define __powerpc__ 1
#define unix 1
#define __SIZE_TYPE__ unsigned int
#define __ELF__ 1
#define __FLT_RADIX__ 2
#define __LDBL_EPSILON__ 4.94065645841246544176568792868221e-324L
#define __GNUC_RH_RELEASE__ 3
#define __LDBL_DIG__ 31
#define __FLT_HAS_QUIET_NAN__ 1
#define __FLT_MAX_10_EXP__ 38
#define __LONG_MAX__ 2147483647L
#define __FLT_HAS_INFINITY__ 1
#define __unix 1
#define _BIG_ENDIAN 1
#define linux 1
#define __PPC 1
#define __LDBL_MANT_DIG__ 106
#define __WCHAR_TYPE__ long int
#define __FLT_DIG__ 6
#define __powerpc 1
#define __INT_MAX__ 2147483647
#define __LONG_DOUBLE_128__ 1
#define __FLT_MAX_EXP__ 128
#define __DBL_MANT_DIG__ 53
#define __WINT_TYPE__ unsigned int
#define __LDBL_MIN_EXP__ (-968)
#define __LDBL_MAX_10_EXP__ 308
#define __DBL_EPSILON__ 2.2204460492503131e-16
#define PPC 1
#define powerpc 1
#define __INTMAX_MAX__ 9223372036854775807LL
#define __FLT_DENORM_MIN__ 1.40129846e-45F
#define __FLT_MAX__ 3.40282347e+38F
#define __FLT_MIN_10_EXP__ (-37)
#define __INTMAX_TYPE__ long long int
#define __GNUC_MINOR__ 1
#define __DBL_MAX_10_EXP__ 308
#define __LDBL_DENORM_MIN__ 4.94065645841246544176568792868221e-324L
#define __STDC__ 1
#define __PTRDIFF_TYPE__ int
#define __LDBL_MIN_10_EXP__ (-291)

I'll skim through the developer manual tomorrow and see if I can find the
"right way".

To answer your question, Jason, we have been running Argus, as well as Snort
and a handful of open-source IDS and network analysis tools on a fleet of
Dell servers with fiber cards as sensors for years, but our network backbone
and network demand have far outpaced what those can handle.  Bivio boxes
with 10G interfaces were the next logical step, and argus is the last thing
running on our old Dells.   We're pretty excited to soon finally get
everything running on our Bivios, as it's been a lengthy deployment process,
and have seen huge performance gains with the apps running so far.
The two apps we use the most, however, are Snort, and SHADOW, which, in case
you haven't heard of it, is a (rather dated, but still really useful) set of
wrappers around tcpdump for capturing a lot of raw data in an organized
fashion.

Let me know if I can help further!

Thanks again,
Eric

On Mon, Jun 22, 2009 at 7:21 PM, <carter at qosient.com> wrote:

> Hey Eric,
> Jason has done the most with Bivio on the list.  We were slowly working on
> workarounds, thinking Bivio was releasing the newer libpcap any day, but
> that has been a while.
>
> On line 2015 of the file ./argus/ArgusSource.c you should be able to
> comment out the call to pcap_get_selectable_fd(), all the code in the "#if
> !defined(CYGWIN..." and it should get past one hurdle, but the
> pcap_next_ex() replacement needs some work.  I'll see what I can do
> tonight/tomorrow.
>
> Is there a BIVIO compiler directive that I can use to ifdef the code?
>
> Carter
>
> -----Original Message-----
> From: Jason Carr <jcarr at andrew.cmu.edu>
>
> Date: Mon, 22 Jun 2009 21:39:57
> To: Eric Gustafson<subwire at gmail.com>
> Cc: <argus-info at lists.andrew.cmu.edu>
> Subject: Re: [ARGUS] Argus on Bivio 7500
>
>
> Hi Eric,
>
> We also had the same problem compiling the 3.x series on our Bivio
> units.  Bivio ships (even with the newest OS 5.0.5) with an older
> libpcap.  We were told that the new libpcap that implements the
> pcap_get_selectable_fd method is in beta and should be released with
> the next OS release.
>
> Right now we're running argus 2.x and running rastream 3.x on a non-
> Bivio machine.  The 2.x series compiles just fine (but no IPv6).
>
> This was before Carter implemented any sort of Bivio changes, so I
> have not tested those.
>
> Let me know if you have any questions.  I'm also interested in what
> else you might be using your Bivio for.
>
> - Jason
>
>
> On Jun 22, 2009, at 4:49 PM, Eric Gustafson wrote:
>
> > Hi Carter et al,
> > I'm trying to compile the latest test argus (3.0.2 beta8) on one of
> > our Bivio 7500s, and am running into linking trouble.
> >
> > gcc -O3 -I.  -I./../include  -DPACKAGE_NAME=\"\" -DPACKAGE_TARNAME=\"\"
> > -DPACKAGE_VERSION=\"\" -DPACKAGE_STRING=\"\" -DPACKAGE_BUGREPORT=\"\"
> > -DSTDC_HEADERS=1 -DHAVE_SYS_TYPES_H=1 -DHAVE_SYS_STAT_H=1
> > -DHAVE_STDLIB_H=1 -DHAVE_STRING_H=1 -DHAVE_MEMORY_H=1 -DHAVE_STRINGS_H=1
> > -DHAVE_INTTYPES_H=1 -DHAVE_STDINT_H=1 -DHAVE_UNISTD_H=1 -DHAVE_STRING_H=1
> > -DHAVE_FCNTL_H=1 -DHAVE_SYS_FILE_H=1 -DHAVE_SYSLOG_H=1 -DHAVE_SYS_VFS_H=1
> > -DHAVE_VFPRINTF=1 -DHAVE_STRCASECMP=1 -DHAVE_STRDUP=1 -DHAVE_STRFTIME=1
> > -DHAVE_SETLINEBUF=1 -DHAVE_ALARM=1 -DHAVE_STRERROR=1 -DHAVE_STRTOF=1
> > -DHAVE_SYS_BITYPES_H=1 -DHAVE_INTTYPES_H=1 -DHAVE_VSNPRINTF=1
> > -DHAVE_SNPRINTF=1 -DHAVE_GETADDRINFO=1 -DHAVE_ETHER_HOSTTON=1
> > -DHAVE_NETINET_ETHER_H=1 -DNETINET_ETHER_H_DECLARES_ETHER_HOSTTON=
> > -DHAVE_DECL_ETHER_HOSTTON=1 -D_FILE_OFFSET_BITS=64 -DHAVE_TCP_WRAPPER=1
> > -DLBL_ALIGN=1 -DSTDC_HEADERS=1 -DARGUS_SYSLOG=1 -o ../bin/argus argus.o
> > ArgusModeler.o ArgusSource.o ArgusUtil.o ArgusOutput.o ArgusUdp.o
> > ArgusTcp.o ArgusIcmp.o ArgusIgmp.o ArgusEsp.o ArgusArp.o ArgusFrag.o
> > ArgusAuth.o ArgusApp.o  ../lib/libpcap.a -lwrap -lnsl  ../lib/argus_common.a -lm
> > ArgusSource.o: In function `ArgusGetPackets':ArgusSource.c:(.text+0x2cf8): undefined reference to `pcap_get_selectable_fd'
> > :ArgusSource.c:(.text+0x2d90): undefined reference to `pcap_next_ex'
> > :ArgusSource.c:(.text+0x2dcc): undefined reference to `pcap_next_ex'
> > :ArgusSource.c:(.text+0x2e08): undefined reference to `pcap_next_ex'
> > :ArgusSource.c:(.text+0x2e44): undefined reference to `pcap_next_ex'
> > :ArgusSource.c:(.text+0x2eac): undefined reference to `pcap_next_ex'
> > ArgusSource.o:ArgusSource.c:(.text+0x2ec8): more undefined references to `pcap_next_ex' follow
> > collect2: ld returned 1 exit status
> > make[1]: *** [../bin/argus] Error 1
> > make[1]: Leaving directory `/bivio/shared/root/argus-3.0.1.beta.3/argus'
> > ### Done with /root/argus-3.0.1.beta.3/argus
> >
> > I configured with --with-libpcap=/usr/lib/zcp/, which is where Bivio
> > stashes its special version of libpcap.
> > I noticed your mention of "changes to support Bivio hardware" for
> > this release, but I didn't see any instructions regarding extra
> > steps to get it to work.
> > Any ideas?
> >
> > Thanks so much,
> > Eric
>
>
>
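
The thread leaves the pcap_next_ex() replacement open. As an added example (not code from Argus or from anyone on this thread), one way to provide it on an older libpcap is to wrap pcap_dispatch() with a one-packet callback; this assumes Bivio's libpcap still exports pcap_dispatch(). The names compat_pcap_next_ex, struct one_shot and USE_REAL_PCAP are hypothetical, and the stand-in declarations are constructed so the block runs without libpcap installed.

```c
#ifdef USE_REAL_PCAP   /* hypothetical switch: build against the real libpcap */
#include <pcap.h>
#else
/* Constructed stand-in for the few libpcap declarations used below. */
struct pcap_pkthdr { unsigned int caplen, len; };
typedef struct pcap { int queued; } pcap_t;   /* queued < 0 simulates an error */
typedef void (*pcap_handler)(unsigned char *, const struct pcap_pkthdr *,
                             const unsigned char *);
static const unsigned char sample_pkt[4] = { 0xde, 0xad, 0xbe, 0xef };
static int pcap_dispatch(pcap_t *p, int cnt, pcap_handler cb, unsigned char *user) {
    struct pcap_pkthdr h = { sizeof sample_pkt, sizeof sample_pkt };
    (void)cnt;
    if (p->queued <= 0) return p->queued < 0 ? -1 : 0;   /* error : timeout */
    p->queued--;
    cb(user, &h, sample_pkt);
    return 1;
}
#endif

struct one_shot { struct pcap_pkthdr hdr; const unsigned char *data; };

static void one_shot_cb(unsigned char *user, const struct pcap_pkthdr *h,
                        const unsigned char *bytes) {
    struct one_shot *s = (struct one_shot *)user;
    s->hdr = *h;       /* libpcap may reuse the header storage: copy it */
    s->data = bytes;   /* packet bytes are only valid until the next read */
}

/* Returns 1 = packet, 0 = timeout, -1 = error (live-capture subset of pcap_next_ex). */
static int compat_pcap_next_ex(pcap_t *p, struct one_shot *slot,
                               struct pcap_pkthdr **hdr, const unsigned char **data) {
    int n = pcap_dispatch(p, 1, one_shot_cb, (unsigned char *)slot);
    if (n <= 0) return n < 0 ? -1 : 0;   /* leave *hdr and *data untouched */
    *hdr = &slot->hdr;
    *data = slot->data;
    return 1;
}

#ifndef USE_REAL_PCAP
int main(void) {   /* drains the two constructed packets, then hits the timeout */
    pcap_t h = { 2 };
    struct one_shot slot;
    struct pcap_pkthdr *hdr;
    const unsigned char *data;
    int got = 0;
    while (compat_pcap_next_ex(&h, &slot, &hdr, &data) == 1) got++;
    return got == 2 ? 0 : 1;
}
#endif
```

The caller owns one struct one_shot per capture handle, so several interfaces can be read without sharing state; savefile end-of-file is not distinguished from a timeout here.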