Too many inputs

Carter Bullard carter at qosient.com
Mon Nov 29 16:33:31 EST 2010 

Rafael,
Looks like you're feeding packets into the flow engine in the wrong time order.  The engine saw a packet from
Mon Feb  2 07:25:23 EST 2009  and then the next packet was from a week earlier, Mon Jan 26 19:06:10 EST 2009.
This is confusing for argus (how to timeout flows, etc....) and indicates that there must be a serious error in the packet source, so we bail with an error.  Can you feed the packet files to mergecap() so that they come in some time order?

I would go with CS Lee's recommendation to just run argus independently on the files, and then merge those output files together with racluster().

   bash%  for i in file*; do echo $i; argus -r $i -w argus.$i.out; done
   bash%  racluster -r argus*.out -w argus.out

Would that work for you?

Carter

On Nov 29, 2010, at 10:01 AM, Rafael Barbosa wrote:

> Hi,
> 
> In this test I ran version 3.0.2. I think last time I updated the clients, I forgot to update argus... I will update my binaries before continuing.
> 
> Trying to solve my problem I used 'mergecap' (part of wireshark) to merge the files, and then read load then into argus. However I had problems with packet timestamps, such as:
> 
> argus[4311]: 29 Nov 10 15:49:01.766800 ArgusInterface timestamps wayyy out of order: now 1233014770 then 1233577523
> 
> Now I am trying to understand where out of order packets are coming from. Kinda frustrating...
> 
> --
> Rafael Barbosa
> http://www.vf.utwente.nl/~barbosarr/
> 
> 
> 
> On Mon, Nov 29, 2010 at 2:46 PM, <carter at qosient.com> wrote:
> Hey Rafael,
> The number of inputs is a constant defined in the ./argus/ArgusSource.h include file. You can increase that number to whatever to process files, but there are limits to the number of fd's that you may run into.
> 
> What version are you running, I couldn't find your exact error string in the 3.0.3 codebase. Just curious.
> 
> Carter 
> 
> 
> Carter 
> Sent from my Verizon Wireless BlackBerry
> 
> From: Rafael Barbosa <rrbarbosa at gmail.com>
> Sender: argus-info-bounces+carter=qosient.com at lists.andrew.cmu.edu
> Date: Fri, 26 Nov 2010 14:34:58 +0100
> To: Argus<argus-info at lists.andrew.cmu.edu>
> Subject: [ARGUS] Too many inputs
> 
> Hi all,
> 
> When trying to read several hundreds of small pcap files (100MB) to create a argus flow file I ran into a problem. When I tried:
> $> argus -r dump* -w file.argus
> 
> I got the following error:
> argus[34458]: 26 Nov 10 14:29:02.394286 ArgusOpenInputPacketFile: too many inputs max is 5
> 
> Is it possible to overcome this limitation without merging the files manually?
> 
> Thanks,
> Rafael Barbosa
> http://www.vf.utwente.nl/~barbosarr/
> 
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20101129/39756226/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3815 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20101129/39756226/attachment.bin>

More information about the argus mailing list