simple question

Peter Van Epp vanepp at sfu.ca
Wed May 6 00:42:39 EDT 2009 

On Tue, May 05, 2009 at 05:00:42PM +0200, Alexander Bochmann wrote:
> Hi,
> 
> ...on Thu, Apr 30, 2009 at 11:25:47PM -0400, Carter Bullard wrote:
> 
>  >  I would suggest that you do this instead:
>  >    rabins -M rmon -r 27.gz -M hard time 1h -m srcid smac -w - | \
>  >       ra -s stime srcid smac sbytes:20 dbytes:20 bytes:20 sload:20  
>  > dload:20 load:20 - ether src host 00:15:60:0C:B5:6A
>  > The main difference, is that we have added "smac" to the aggregation.
>  > We need the second ra(), so we can select the record where the mac
>  > address is the source, which is the single record where the metrics
>  > represent the input and output values for the interface.
> 
> I've been asking myself a similar question recently, coming 
> to the conclusion that I don't really understand how to make 
> argus work for me ;) ... CS Lee has been trying to help me 
> on the IRC channel a couple of days ago, but I'm still quite 
> lost...
> 
> I, too, want to generate a simple graph representing "input" 
> and "output" traffic on an interface. My probe is on a mirror 
> port that monitors the inside interface of the gateway router. 
> 
> So I want to see packets / bytes "leaving" my local network 
> in one direction on the y axis of my graph and those "coming 
> in" on the other side. 
> 

	The why is fairly easy: argus chooses as the source whichever side 
issued the syn to establish the connection. This of course means that argus's 
source and on the wire source as seen on the interface (which is what you want) 
are unrelated, so graphing what argus thinks of as the source won't match what 
a sniffer or counters on the interface being monitored reports. What Carter 
suggested above fixes that problem (as long as MAC addresses, collection of 
which are off by default, are anabled in the argus doing the capture) by 
selecting on the source MAC address in a record (which may result in a swap of 
what argus thinks of as source and destination to what the interface thinks of 
as source and destination). 
	In your case the idea is if the source MAC in the argus record matches
the MAC of your gateway then leave the record alone as it is correct already.
If the dest MAC is your gateway router then invert the source and dest fields
in the argus record so that argus source and dest match interface source and 
dest. That corrects argus's idea of source and dest to match that of the 
interface and your graph should now work. If I remember correctly the -m RMON
created two copies of each record one normal and one with the source and 
dest fields inverted. From that output the second r command filters on your 
router's MAC address as the source to select only the wire direction (where 
your gateway MAC is the source MAC) from the data creating data that will 
match the interface counters.
	I suspect your problem may be that if MAC collecion (the -m flag on
the command line or one of the options in the argusrc file) isn't on. Then 
MAC addresses aren't collected (and are likely 0ed) by the argus and this
won't work. So you need something like

argus -i nfe0 -dn -w /var/log/argus/argus

in order to capture the MAC addresses. This changed from default on to default
off (and bit me earlier :-)) somewhere in the argus 3.0 stream. An easy way
to tell is to use ra and see if it prints MACs:

ra -r argus -n -s +smac +dmac

the -s +smac +dmac will add the source and dest MAC fields to the standard ra 
output at the end. You should see two different MAC addresses in the output
at the end of the line. If you don't see anything or they are both 0, check 
your argus settings to verify that MACs are being captured.

Peter Van Epp

More information about the argus mailing list