Argus with bonded interface

Nate Hausrath hausrath.mailing.list at gmail.com
Tue Sep 28 09:42:24 EDT 2010


Running tcpdump is able to capture packets.  Good suggestion though. :)

To respond to Carter:

I think I figured out what the problem is.  It appears to be the "- ip" at the end.  For example, I ran the following tests:

/usr/local/sbin/argus -D10 -X -i bond0 -w /var/log/argus/argus.log.test.1
(Tons of debug messages, but this is where I noticed data was actually being analyzed and written to the output file.)
/usr/local/sbin/argus -X -i bond0 -w /var/log/argus/argus.log.test.2 - ip
/usr/local/sbin/argus -X -i bond0 -w /var/log/argus/argus.log.test.3

Here are the resulting file sizes:

# ls -l /var/log/argus/argus.log.test*
-rw-r--r-- 1 root root   31232 2010-09-27 16:20 /var/log/argus/argus.log.test
-rw-r--r-- 1 root root     640 2010-09-28 09:35 /var/log/argus/argus.log.test.2
-rw-r--r-- 1 root root 2713188 2010-09-28 09:36 /var/log/argus/argus.log.test.3

When I use ra to check for traffic on the 1st and 3rd tests, it works!

Any ideas why the "- ip" is causing this?  I can post the D10 output if necessary.

Thanks,
Nate

On Sep 27, 2010, at 7:30 PM, Peter Van Epp wrote:

> On Mon, Sep 27, 2010 at 05:22:49PM -0400, Carter Bullard wrote:
>> Well, you definitely aren't getting any packets here.  Increase the debug level to 10, and
>> we'll see the result of the select() calls on the bond0 interface.
>> 
>> Also don't use the -F /etc/argus.conf.  That is causing you to read the conf twice.
>> Instead, run it this way:
>> 
>>   /usr/local/sbin/argus -X -D10 -i bond0
>> 
>> The '-X' will nullify anything that was in the /etc/argus.conf file. 
>> Very curious.
>> 
>> Carter
>> 
> 
> 	Trying 
> 
> tcpdump -i bond0
> 
> on the machine (if you haven't already) would also be a good bet to see if the
> problem is before argus (which seems somewhat likely). If tcpdump shows no 
> output there is a problem somewhere in pcap, not argus. 
> 
> Peter Van Epp
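A small added helper for the comparison Nate does above (this is example code, not from the post or the argus project). It assumes only the documented argus usage, `argus [options] [- expression]`: every token after a standalone `-` is handed to argus as the BPF filter expression, so `- ip` means "capture only IP packets". The helper splits each test command into options and filter, then takes the largest unfiltered output file as the baseline and flags any filtered run whose output is a tiny fraction of it, which is the symptom in the thread. The run records and byte counts are constructed from the sizes quoted in the post.

```python
"""Compare argus test runs that differ only in the trailing '- expression'."""
import shlex


def split_filter(cmdline):
    """Split an argus command line into (options, filter_expression).

    Tokens up to the first standalone '-' are argus options; everything after
    it is the BPF expression.  Returns an empty expression when none is given.
    """
    argv = shlex.split(cmdline)
    if "-" in argv:
        i = argv.index("-")
        return argv[:i], " ".join(argv[i + 1:])
    return argv, ""


def compare_runs(runs, threshold=0.01):
    """runs: list of (cmdline, output_bytes).

    Uses the largest unfiltered run as the baseline and returns
    (baseline_bytes, {expression: (ratio, suspicious)}), where `suspicious`
    is True when a filtered run kept less than `threshold` of the baseline,
    i.e. the filter matched almost nothing and deserves a closer look.
    """
    parsed = [(split_filter(cmd)[1], nbytes) for cmd, nbytes in runs]
    unfiltered = [nbytes for expr, nbytes in parsed if not expr]
    if not unfiltered:
        raise ValueError("need at least one run without a filter as a baseline")
    baseline = max(unfiltered)
    report = {}
    for expr, nbytes in parsed:
        if expr:
            ratio = nbytes / baseline
            report[expr] = (ratio, ratio < threshold)
    return baseline, report


# Constructed from the three test runs and the `ls -l` sizes in the post.
RUNS = [
    ("/usr/local/sbin/argus -D10 -X -i bond0 -w /var/log/argus/argus.log.test.1", 31232),
    ("/usr/local/sbin/argus -X -i bond0 -w /var/log/argus/argus.log.test.2 - ip", 640),
    ("/usr/local/sbin/argus -X -i bond0 -w /var/log/argus/argus.log.test.3", 2713188),
]


if __name__ == "__main__":
    baseline, report = compare_runs(RUNS)
    print("baseline (unfiltered) bytes:", baseline)
    for expr, (ratio, suspicious) in report.items():
        flag = "SUSPICIOUS" if suspicious else "ok"
        print(f"filter {expr!r}: {ratio:.6f} of baseline -> {flag}")
```

The same split is what to keep in mind when reading the debug output: if the `-D10` run shows packets arriving on bond0 but the filtered file stays tiny, the problem is the expression's match against those packets rather than the interface.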
