new threaded argus packet input and data output engines

Carter Bullard carter at
Fri May 14 11:27:50 EDT 2010

Gentle people,
As promised, new features abound in argus-

I've uploaded a new argus that has a new threaded model for packet
input processing and new transport strategies for argus data on 
the output side.

There will be a .threads tag file in the root directory, which turns on the
threaded support for the new features.  If you find that there are issues,
remove this tag file, and re-configure, make clean and make.

The significance of the new ARGUS_INTERFACE strategies is that you
get multiple threads for multiple interfaces, allowing for much better
performance.   Also, you can now have a single argus that monitors
multiple interfaces "independently", working as if you had independent
argi monitoring either interface.   This is important for things like laptops
that have wired and wireless interfaces, and you want to monitor both
at the same time, with separate monitor ids.  Now a single argus can
support multiple observation domains, concurrently.

If you monitor multiple interfaces at a time on multi-core platforms, do
test this version of argus.  Please send email if you have any
problems at all!!!!

Here is a snip from the new argus.conf file found in ./support/Config.

# Argus can track packets from any or all interfaces, concurrently.
# The interfaces can be tracked as:
#   1.  independent - this is where argus tracks flows from each
#          interface independent from the packets seen on any
#          other interface.  This is useful for hosts/routers that
#          have full-duplex interfaces, and you want to distinguish
#          flows based on their interface. There is an option to specify
#          a distinct srcid to each independent modeler.
#   2.  duplex - where argus tracks packets from 2 interfaces
#          as if they were two half duplex streams of the same link.
#          Because there is a single modeler tracking the 2
#          interfaces, there is a single srcid that can be passed as
#          an option.
#   3.  bonded - where argus tracks packets from multiple interfaces
#          as if they were from the same stream.  Because there is a
#          single modeler tracking the 2 interfaces, there is a single
#          srcid that can be passed as an option.
#  Interfaces can be specified as groups using '[',']' notation, to build
#  flexible definitions of packet sources.  However, each interface
#  should be referenced only once (this is due to performance and OS
#  limitations, so if your OS has no problem with this, go ahead).
#  The lo (loopback) interface will be included only if it is specifically
#  indicated in the option.
#  The syntax for specifying this either on the command line or in this file:
#     -i ind:all
#     -i dup:en0,en1/srcid
#     -i bond:en0,en1/srcid
#     -i dup:[bond:en0,en1],en2/srcid
#     -i en0/srcid -i en1/srcid  (equivalent '-i ind:en0/srcid,en1/srcid')
#     -i en0 en1                 (equivalent '-i bond:en0,en1')

For output, argus can now "push" records via AF_INET UDP based sockets,
so that you can multicast records (one use of the new feature) to multiple
listeners.  This "push" method is in addition to the "pull" methods already
available.  Here is the additional documentation in the sample ./support/Config/argus.conf file:

# Argus can write its output to one or a number of remote hosts.
# The default limit is 5 concurrent output streams, each with their
# own independent filters.
# The format is:
#      ARGUS_OUTPUT_STREAM="URI [filter]"
#      ARGUS_OUTPUT_STREAM="argus-udp://host:port 'tcp and not udp'"
# Most sites will have argus listen() for remote sites to request
# argus data, but for some sites and applications sending records without
# registration is desired.  This option will cause argus to transmit records
# that match the optional filter, to the configured targets using UDP as the
# transport mechanism.
# Commandline equivalent   -w argus-udp://host:port


argus clients can currently read from these udp streams using:

   ra -S argus-udp://host:port

Again, if you have any problems with these features, send email!!!!


Carter Bullard
QoSient, LLC
150 E 57th Street Suite 12D
New York, New York  10022

+1 212 588-9133 Phone
+1 212 588-9134 Fax
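
Added example (not part of the original post, and not argus code): a small Python parser for the -i / ARGUS_INTERFACE syntax quoted above, used to check a set of interface options for the two points the config comments call out, an interface referenced more than once and an explicitly listed lo. The grouping rules are inferred from the six syntax lines in the post; the function names and the sample specs are constructed.

```python
import re
from collections import Counter

MODES = ("ind", "dup", "bond")
TOKEN = re.compile(r"\[|\]|,|[^\[\],]+")

def _group(toks, depth=0):
    """Return (mode, members); a member is (ifname, srcid) or a nested group."""
    mode, members = None, []
    while toks:
        tok = toks.pop(0)
        if tok == ",":
            continue
        if tok == "]":
            if depth == 0:
                raise ValueError("unmatched ']'")
            return mode, members
        if tok == "[":
            members.append(_group(toks, depth + 1))
            continue
        head, sep, tail = tok.partition(":")
        if sep and head in MODES and mode is None and not members:
            mode, tok = head, tail          # leading 'ind:' / 'dup:' / 'bond:'
            if not tok:
                continue
        name, _, srcid = tok.partition("/")
        members.append((name, srcid or None))
    if depth:
        raise ValueError("missing ']'")
    return mode, members

def parse(spec):
    """Parse one -i value; '-i en0 en1' is treated like 'en0,en1'."""
    return _group(TOKEN.findall(",".join(spec.split())))

def names(group):
    """Flatten a parsed group into the interface names it references."""
    out = []
    for first, second in group[1]:
        out += names((first, second)) if isinstance(second, list) else [first]
    return out

def lint(specs):
    """Check all -i values of one argus instance together."""
    seen = Counter(n for s in specs for n in names(parse(s)))
    return {"interfaces": sorted(seen),
            "duplicates": sorted(n for n, c in seen.items() if c > 1),
            "loopback": "lo" in seen}

if __name__ == "__main__":
    # Constructed sample: en1 appears in two groups, lo is listed explicitly.
    print(lint(["dup:[bond:en0,en1],en2/7", "ind:en1/8,lo"]))
```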
