Argus with bonded interface

Carter Bullard carter at qosient.com
Fri Sep 24 13:37:21 EDT 2010 

Hey Nate,
Given your argus.conf file, run argus with an additional "-d" option, so that it doesn't go in the background.
This way we can see what interface it is actually opening, if its successful etc.....

Carter

On Sep 23, 2010, at 10:00 AM, Nate Hausrath wrote:

> Thanks for both the responses.  I guess config files and run commands would help. :)
> 
> First, I've tried this with an old version of Argus installed through Ubuntu (2.0.6), and then moved on to 3.0.2, and finally 3.0.3.16.
> 
> Here is the command I use to run it:
> 
> /usr/local/sbin/argus -w /var/argus/argus.log.test -F /etc/argus.conf -D 8 -i bond0 - ip
> 
> Here is my argus.conf:
> 
> ARGUS_DAEMON=yes
> 
> ARGUS_DEBUG_LEVEL=0
> 
> ARGUS_MONITOR_ID=1
> 
> ARGUS_ACCESS_PORT=0
> 
> ARGUS_INTERFACE=bond0
> 
> ARGUS_SET_PID=no
> 
> ARGUS_GO_PROMISCUOUS=yes
> 
> ARGUS_FLOW_STATUS_INTERVAL=60
> 
> ARGUS_GENERATE_START_RECORDS=no
> 
> ARGUS_GENERATE_RESPONSE_TIME_DATA=no
> 
> ARGUS_GENERATE_JITTER_DATA=yes
> 
> ARGUS_GENERATE_MAC_DATA=yes
> 
> ARGUS_FILTER_OPTIMIZER=no
> 
> ARGUS_CAPTURE_DATA_LEN=0
> 
> I removed all the comments.  Thanks!
> 
> -Nate
> 
> On Sep 23, 2010, at 8:23 AM, carter at qosient.com wrote:
> 
>> Hey Nate,
>> How are you running argus?  Is there an argus.conf file?  And which argus?
>> 
>> Argus and snort get their packets in the same way, through libpcap.  Probably need to tell argus to open the correct logical interface.
>> 
>> Carter 
>> 
>> 
>> Sent from my Verizon Wireless BlackBerry
>> 
>> -----Original Message-----
>> From: Nate Hausrath <hausrath.mailing.list at gmail.com>
>> Sender: argus-info-bounces+carter=qosient.com at lists.andrew.cmu.edu
>> Date: Wed, 22 Sep 2010 10:29:24 
>> To: <argus-info at lists.andrew.cmu.edu>
>> Subject: [ARGUS] Argus with bonded interface
>> 
>> I'm having an issue where argus will not record data from a bonded interface.  I'm not 100% positive this is the exact problem, but I haven't had problems with it on other systems and the bonded interface is the only difference.  Do I need to do something special or configure the interface in a specific way?
>> 
>> The argus log file increases in size at a very slow rate (like 1 KB every 2 minutes or so).  When I use ra on the data I get the following:
>> 
>> # ra -nn -L0 -r /var/argus/argus.log.test 
>>      StartTime           Flgs   Type           SrcAddr               Sport   Dir           DstAddr               Dport   SrcPkt   DstPkt    SrcBytes     DstBytes    State
>> 09-21-10 15:33:47.231421           man                      0.0.0.1  v2.0                                     1 0          0        0         0            0           STA
>> 09-21-10 15:33:47.269844           man                      0.0.0.1  v2.0                                     1 0          0        0         0            0    
>> ... (Repeat) ...
>> 
>> Here is my bonded interface configuration:
>> 
>> auto bond0
>> iface bond0 inet manual
>> 	pre-up ifconfig eth2 promisc -arp up && ifconfig eth3 promisc -arp up && ifconfig bond0 up
>>       bond-slaves none
>>       bond-mode 1
>>       bond-miimon 100
>> 
>> auto eth2
>> iface eth2 inet manual
>>       bond-master bond0
>>       bond-primary eth2 eth3
>> 
>> auto eth3
>> iface eth3 inet manual
>>       bond-master bond0
>>       bond-primary eth2 eth3
>> 
>> I also run Snort on the box, and it does not appear to have a problem capturing data from the interface.  I can dump full packet captures as well and everything seems normal.
>> 
>> Any ideas or suggestions?  Thanks in advance!
>> 
>> -Nate
> 
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3815 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20100924/598fbbc9/attachment.bin>

More information about the argus mailing list