Argus with bonded interface

Dave Edelman dedelman at iname.com
Wed Sep 22 20:57:10 EDT 2010 

Nate,

The file is growing slowly because argus() is not collecting data and
storing it in the log file. If you would post the actual commands that you
use to start the argus() program and a copy (redacted of any sensitive
information) to the configuration file (probably /etc/argus.conf), there is
a pretty good chance that someone on the list could give you a solution.


--Dave



-----Original Message-----
From: argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu
[mailto:argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu] On
Behalf Of Nate Hausrath
Sent: Wednesday, September 22, 2010 10:29 AM
To: argus-info at lists.andrew.cmu.edu
Subject: [ARGUS] Argus with bonded interface

I'm having an issue where argus will not record data from a bonded
interface.  I'm not 100% positive this is the exact problem, but I haven't
had problems with it on other systems and the bonded interface is the only
difference.  Do I need to do something special or configure the interface in
a specific way?

The argus log file increases in size at a very slow rate (like 1 KB every 2
minutes or so).  When I use ra on the data I get the following:

# ra -nn -L0 -r /var/argus/argus.log.test 
       StartTime           Flgs   Type           SrcAddr               Sport
Dir           DstAddr               Dport   SrcPkt   DstPkt    SrcBytes
DstBytes    State
09-21-10 15:33:47.231421           man                      0.0.0.1  v2.0
1 0          0        0         0            0           STA
09-21-10 15:33:47.269844           man                      0.0.0.1  v2.0
1 0          0        0         0            0    
... (Repeat) ...

Here is my bonded interface configuration:

auto bond0
iface bond0 inet manual
    pre-up ifconfig eth2 promisc -arp up && ifconfig eth3 promisc -arp up &&
ifconfig bond0 up
        bond-slaves none
        bond-mode 1
        bond-miimon 100

auto eth2
iface eth2 inet manual
        bond-master bond0
        bond-primary eth2 eth3

auto eth3
iface eth3 inet manual
        bond-master bond0
        bond-primary eth2 eth3

I also run Snort on the box, and it does not appear to have a problem
capturing data from the interface.  I can dump full packet captures as well
and everything seems normal.

Any ideas or suggestions?  Thanks in advance!

-Nate=

More information about the argus mailing list