Argus with bonded interface

Nate Hausrath hausrath.mailing.list at gmail.com
Thu Sep 23 10:00:04 EDT 2010 

Thanks for both the responses.  I guess config files and run commands would help. :)

First, I've tried this with an old version of Argus installed through Ubuntu (2.0.6), and then moved on to 3.0.2, and finally 3.0.3.16.

Here is the command I use to run it:

/usr/local/sbin/argus -w /var/argus/argus.log.test -F /etc/argus.conf -D 8 -i bond0 - ip

Here is my argus.conf:

ARGUS_DAEMON=yes

ARGUS_DEBUG_LEVEL=0

ARGUS_MONITOR_ID=1

ARGUS_ACCESS_PORT=0

ARGUS_INTERFACE=bond0

ARGUS_SET_PID=no

ARGUS_GO_PROMISCUOUS=yes

ARGUS_FLOW_STATUS_INTERVAL=60

ARGUS_GENERATE_START_RECORDS=no

ARGUS_GENERATE_RESPONSE_TIME_DATA=no

ARGUS_GENERATE_JITTER_DATA=yes

ARGUS_GENERATE_MAC_DATA=yes

ARGUS_FILTER_OPTIMIZER=no

ARGUS_CAPTURE_DATA_LEN=0

I removed all the comments.  Thanks!

-Nate

On Sep 23, 2010, at 8:23 AM, carter at qosient.com wrote:

> Hey Nate,
> How are you running argus?  Is there an argus.conf file?  And which argus?
> 
> Argus and snort get their packets in the same way, through libpcap.  Probably need to tell argus to open the correct logical interface.
> 
> Carter 
> 
> 
> Sent from my Verizon Wireless BlackBerry
> 
> -----Original Message-----
> From: Nate Hausrath <hausrath.mailing.list at gmail.com>
> Sender: argus-info-bounces+carter=qosient.com at lists.andrew.cmu.edu
> Date: Wed, 22 Sep 2010 10:29:24 
> To: <argus-info at lists.andrew.cmu.edu>
> Subject: [ARGUS] Argus with bonded interface
> 
> I'm having an issue where argus will not record data from a bonded interface.  I'm not 100% positive this is the exact problem, but I haven't had problems with it on other systems and the bonded interface is the only difference.  Do I need to do something special or configure the interface in a specific way?
> 
> The argus log file increases in size at a very slow rate (like 1 KB every 2 minutes or so).  When I use ra on the data I get the following:
> 
> # ra -nn -L0 -r /var/argus/argus.log.test 
>       StartTime           Flgs   Type           SrcAddr               Sport   Dir           DstAddr               Dport   SrcPkt   DstPkt    SrcBytes     DstBytes    State
> 09-21-10 15:33:47.231421           man                      0.0.0.1  v2.0                                     1 0          0        0         0            0           STA
> 09-21-10 15:33:47.269844           man                      0.0.0.1  v2.0                                     1 0          0        0         0            0    
> ... (Repeat) ...
> 
> Here is my bonded interface configuration:
> 
> auto bond0
> iface bond0 inet manual
> 	pre-up ifconfig eth2 promisc -arp up && ifconfig eth3 promisc -arp up && ifconfig bond0 up
>        bond-slaves none
>        bond-mode 1
>        bond-miimon 100
> 
> auto eth2
> iface eth2 inet manual
>        bond-master bond0
>        bond-primary eth2 eth3
> 
> auto eth3
> iface eth3 inet manual
>        bond-master bond0
>        bond-primary eth2 eth3
> 
> I also run Snort on the box, and it does not appear to have a problem capturing data from the interface.  I can dump full packet captures as well and everything seems normal.
> 
> Any ideas or suggestions?  Thanks in advance!
> 
> -Nate

More information about the argus mailing list