Argus with bonded interface

Carter Bullard carter at qosient.com
Tue Sep 28 09:58:57 EDT 2010


Hmmmmm,
The filter you pass to argus, is compiled and processed just like the filter
given to tcpdump(), so it should work just as well as tcpdump() does with the filter.
pcap_compile() and pcap_setfilter(), on the pcapfd that is returned from the
pcap_open_*().

What version of tcpdump() works for you?  Does it work with the filter?
Maybe a libpcap bug?

Carter


On Sep 28, 2010, at 9:42 AM, Nate Hausrath wrote:

> Running tcpdump is able to capture packets.  Good suggestion though. :)
> 
> To respond to Carter:
> 
> I think I figured out what the problem is.  It appears to be the "- ip" at the end.  For example I ran the following tests:
> 
> /usr/local/sbin/argus -D10 -X -i bond0 -w /var/log/argus/argus.log.test.1
> (Tons of debug messages, but this is where I noticed data was actually being analyzed and written to the output file.)
> /usr/local/sbin/argus -X -i bond0 -w /var/log/argus/argus.log.test.2 - ip
> /usr/local/sbin/argus -X -i bond0 -w /var/log/argus/argus.log.test.3
> 
> Here are the resulting file sizes:
> 
> # ls -l /var/log/argus/argus.log.test*
> -rw-r--r-- 1 root root   31232 2010-09-27 16:20 /var/log/argus/argus.log.test
> -rw-r--r-- 1 root root     640 2010-09-28 09:35 /var/log/argus/argus.log.test.2
> -rw-r--r-- 1 root root 2713188 2010-09-28 09:36 /var/log/argus/argus.log.test.3
> 
> When I use ra to check for traffic on the 1st and 3rd tests, it works!
> 
> Any ideas why the "- ip" is causing this?  I can post the D10 output if necessary.
> 
> Thanks,
> Nate
> 
> On Sep 27, 2010, at 7:30 PM, Peter Van Epp wrote:
> 
>> On Mon, Sep 27, 2010 at 05:22:49PM -0400, Carter Bullard wrote:
>>> Well, you definitely aren't getting any packets here.  Increase the debug level to 10, and
>>> we'll see the result of the select() calls on the bond0 interface.
>>> 
>>> Also don't use the -F /etc/argus.conf.  That is causing you to read the conf twice.
>>> Instead, run it this way:
>>> 
>>>  /usr/local/sbin/argus -X -D10 -i bond0
>>> 
>>> The '-X' will nullify anything that was in the /etc/argus.conf file. 
>>> Very curious.
>>> 
>>> Carter
>>> 
>> 
>> Trying
>> 
>> tcpdump -i bond0
>> 
>> on the machine (if you haven't already) would also be a good bet to see if the
>> problem is before argus (which seems somewhat likely). If tcpdump shows no 
>> output there is a problem somewhere in pcap not argus.
>> 
>> Peter Van Epp
> 
> 

Carter Bullard
CEO/President
QoSient, LLC
150 E 57th Street Suite 12D
New York, New York  10022

+1 212 588-9133 Phone
+1 212 588-9134 Fax


