Argus with bonded interface

Nate Hausrath hausrath.mailing.list at gmail.com
Wed Sep 22 10:29:24 EDT 2010 

I'm having an issue where argus will not record data from a bonded interface.  I'm not 100% positive this is the exact problem, but I haven't had problems with it on other systems and the bonded interface is the only difference.  Do I need to do something special or configure the interface in a specific way?

The argus log file increases in size at a very slow rate (like 1 KB every 2 minutes or so).  When I use ra on the data I get the following:

# ra -nn -L0 -r /var/argus/argus.log.test 
       StartTime           Flgs   Type           SrcAddr               Sport   Dir           DstAddr               Dport   SrcPkt   DstPkt    SrcBytes     DstBytes    State
09-21-10 15:33:47.231421           man                      0.0.0.1  v2.0                                     1 0          0        0         0            0           STA
09-21-10 15:33:47.269844           man                      0.0.0.1  v2.0                                     1 0          0        0         0            0    
... (Repeat) ...

Here is my bonded interface configuration:

auto bond0
iface bond0 inet manual
	pre-up ifconfig eth2 promisc -arp up && ifconfig eth3 promisc -arp up && ifconfig bond0 up
        bond-slaves none
        bond-mode 1
        bond-miimon 100

auto eth2
iface eth2 inet manual
        bond-master bond0
        bond-primary eth2 eth3

auto eth3
iface eth3 inet manual
        bond-master bond0
        bond-primary eth2 eth3

I also run Snort on the box, and it does not appear to have a problem capturing data from the interface.  I can dump full packet captures as well and everything seems normal.

Any ideas or suggestions?  Thanks in advance!

-Nate

More information about the argus mailing list