Argus with bonded interface
carter at qosient.com
Thu Sep 23 08:23:31 EDT 2010
Hey Nate,
How are you running argus? Is there an argus.conf file? And which argus?
Argus and snort get their packets in the same way, through libpcap. Probably need to tell argus to open the correct logical interface.
Carter
-----Original Message-----
From: Nate Hausrath <hausrath.mailing.list at gmail.com>
Sender: argus-info-bounces+carter=qosient.com at lists.andrew.cmu.edu
Date: Wed, 22 Sep 2010 10:29:24
To: <argus-info at lists.andrew.cmu.edu>
Subject: [ARGUS] Argus with bonded interface
I'm having an issue where argus will not record data from a bonded interface. I'm not 100% positive this is the exact problem, but I haven't had problems with it on other systems and the bonded interface is the only difference. Do I need to do something special or configure the interface in a specific way?
The argus log file increases in size at a very slow rate (like 1 KB every 2 minutes or so). When I use ra on the data I get the following:
# ra -nn -L0 -r /var/argus/argus.log.test
StartTime Flgs Type SrcAddr Sport Dir DstAddr Dport SrcPkt DstPkt SrcBytes DstBytes State
09-21-10 15:33:47.231421 man 0.0.0.1 v2.0 1 0 0 0 0 0 STA
09-21-10 15:33:47.269844 man 0.0.0.1 v2.0 1 0 0 0 0 0
... (Repeat) ...
Here is my bonded interface configuration:
auto bond0
iface bond0 inet manual
    pre-up ifconfig eth2 promisc -arp up && ifconfig eth3 promisc -arp up && ifconfig bond0 up
    bond-slaves none
    bond-mode 1
    bond-miimon 100

auto eth2
iface eth2 inet manual
    bond-master bond0
    bond-primary eth2 eth3

auto eth3
iface eth3 inet manual
    bond-master bond0
    bond-primary eth2 eth3
I also run Snort on the box, and it does not appear to have a problem capturing data from the interface. I can dump full packet captures as well and everything seems normal.
Any ideas or suggestions? Thanks in advance!
-Nate
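
The reply above suggests making sure argus opens the correct logical interface. The shell check below is an added example, not part of the original thread and not argus code: it uses Linux sysfs to confirm that a bond such as bond0 has members, an active member, and a moving receive counter before a libpcap-based sensor is pointed at it. The function names and the SYSFS_NET override are assumptions made for this example, and the active-member check assumes active-backup mode (bond-mode 1, as in the configuration above).

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a capture interface via sysfs.
# SYSFS_NET is a hypothetical override so the functions can run against a constructed tree.
# Usage after sourcing this file: check_capture_iface bond0 5
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"

# Print the members of a bond; print nothing if the interface is not a bond.
bond_slaves() {
    [ -r "$SYSFS_NET/$1/bonding/slaves" ] && cat "$SYSFS_NET/$1/bonding/slaves"
    return 0
}

# Print the kernel's received-packet counter for an interface.
rx_packets() {
    cat "$SYSFS_NET/$1/statistics/rx_packets"
}

# check_capture_iface IFACE [SECONDS]
# Return codes: 0 packets arriving, 1 no such interface, 2 bond without members,
# 3 bond without an active member, 4 receive counter did not move.
check_capture_iface() {
    iface=$1; secs=${2:-5}
    [ -d "$SYSFS_NET/$iface" ] || { echo "$iface: no such interface"; return 1; }
    if [ -d "$SYSFS_NET/$iface/bonding" ]; then
        slaves=$(bond_slaves "$iface")
        [ -n "$slaves" ] || { echo "$iface: bond has no members"; return 2; }
        # active_slave is populated in active-backup mode when a member has link.
        active=$(cat "$SYSFS_NET/$iface/bonding/active_slave" 2>/dev/null || true)
        [ -n "$active" ] || { echo "$iface: no active member (members: $slaves)"; return 3; }
        echo "$iface: members=[$slaves] active=$active"
    fi
    # Sample the counter twice; a sensor bound to this name can only see what arrives here.
    before=$(rx_packets "$iface")
    sleep "$secs"
    after=$(rx_packets "$iface")
    if [ "$after" -gt "$before" ]; then
        echo "$iface: $((after - before)) packets received in ${secs}s"
        return 0
    fi
    echo "$iface: receive counter did not move in ${secs}s"
    return 4
}
```

If the bond passes but a member interface is what the sensor was started on, or the other way round, the counters for each name show which one actually carries the mirrored traffic.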