Argus with bonded interface
Nate Hausrath
hausrath.mailing.list at gmail.com
Tue Sep 28 10:07:18 EDT 2010
Hmm, it does look like the filter has a problem with tcpdump as well.
# tcpdump --version
tcpdump version 4.0.0
libpcap version 1.0.0
# tcpdump -i bond0
tcpdump: WARNING: bond0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bond0, link-type EN10MB (Ethernet), capture size 96 bytes
*** Data Here ***
^C
17 packets captured
8097 packets received by filter
# tcpdump -i bond0 ip
tcpdump: WARNING: bond0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bond0, link-type EN10MB (Ethernet), capture size 96 bytes
^C
0 packets captured
42 packets received by filter
0 packets dropped by kernel
-Nate
On Sep 28, 2010, at 9:58 AM, Carter Bullard wrote:
> Hmmmmm,
> The filter you pass to argus, is compiled and processed just like the filter
> given to tcpdump(), so it should work just as well as tcpdump() does with the filter.
> pcap_compile() and pcap_setfilter(), on the pcapfd that is returned from the
> pcap_open_*().
>
> What version of tcpdump() works for you? Does it work with the filter?
> Maybe a libpcap bug?
>
> Carter
>
>
> On Sep 28, 2010, at 9:42 AM, Nate Hausrath wrote:
>
>> Running tcpdump is able to capture packets. Good suggestion though. :)
>>
>> To respond to Carter:
>>
>> I think I figured out what the problem is. It appears to be the "- ip" at the end. For example, I ran the following tests:
>>
>> /usr/local/sbin/argus -D10 -X -i bond0 -w /var/log/argus/argus.log.test.1
>> (Tons of debug messages, but this is where I noticed data was actually being analyzed and written to the output file.)
>> /usr/local/sbin/argus -X -i bond0 -w /var/log/argus/argus.log.test.2 - ip
>> /usr/local/sbin/argus -X -i bond0 -w /var/log/argus/argus.log.test.3
>>
>> Here are the resulting file sizes:
>>
>> # ls -l /var/log/argus/argus.log.test*
>> -rw-r--r-- 1 root root 31232 2010-09-27 16:20 /var/log/argus/argus.log.test
>> -rw-r--r-- 1 root root 640 2010-09-28 09:35 /var/log/argus/argus.log.test.2
>> -rw-r--r-- 1 root root 2713188 2010-09-28 09:36 /var/log/argus/argus.log.test.3
>>
>> When I use ra to check for traffic on the 1st and 3rd tests, it works!
>>
>> Any ideas why the "- ip" is causing this? I can post the D10 output if necessary.
>>
>> Thanks,
>> Nate
>>
>> On Sep 27, 2010, at 7:30 PM, Peter Van Epp wrote:
>>
>>> On Mon, Sep 27, 2010 at 05:22:49PM -0400, Carter Bullard wrote:
>>>> Well, you definitely aren't getting any packets here. Increase the debug level to 10, and
>>>> we'll see the result of the select() calls on the bond0 interface.
>>>>
>>>> Also don't use the -F /etc/argus.conf. That is causing you to read the conf twice.
>>>> Instead, run it this way:
>>>>
>>>> /usr/local/sbin/argus -X -D10 -i bond0
>>>>
>>>> The '-X' will nullify anything that was in the /etc/argus.conf file.
>>>> Very curious.
>>>>
>>>> Carter
>>>>
>>>
>>> Trying
>>>
>>> tcpdump -i bond0
>>>
>>> on the machine (if you haven't already) would also be a good bet to see if the
>>> problem is before argus (which seems somewhat likely). If tcpdump shows no
>>> output there is a problem somewhere in pcap not argus.
>>>
>>> Peter Van Epp
>>
>>
>
> Carter Bullard
> CEO/President
> QoSient, LLC
> 150 E 57th Street Suite 12D
> New York, New York 10022
>
> +1 212 588-9133 Phone
> +1 212 588-9134 Fax
>
>
>
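An added diagnostic for the symptom in the thread (my own code, not from the thread or from argus): the unfiltered capture on bond0 sees packets, but the `ip` filter accepts none of the 42 that reached it. It reads an unfiltered capture written with `tcpdump -i bond0 -w file`, tallies the ethertypes present, and applies the same ethertype test that the compiled BPF filters `ip` and `vlan and ip` perform on an Ethernet (DLT_EN10MB) link. Treating 802.1Q-tagged frames as a possible cause is an assumption of mine, not something the thread establishes; the sample capture is constructed.

```python
import struct
from collections import Counter

ETHERTYPE_IP, ETHERTYPE_VLAN, DLT_EN10MB = 0x0800, 0x8100, 1

def ethertypes(frame):
    """(outer ethertype, ethertype after one 802.1Q tag or None) of an Ethernet frame."""
    outer = struct.unpack_from("!H", frame, 12)[0]
    inner = struct.unpack_from("!H", frame, 16)[0] if outer == ETHERTYPE_VLAN and len(frame) >= 18 else None
    return outer, inner

def bpf_ip_matches(frame):       # what the compiled filter 'ip' tests on DLT_EN10MB: 0x0800 at offset 12
    return ethertypes(frame)[0] == ETHERTYPE_IP

def bpf_vlan_ip_matches(frame):  # what 'vlan and ip' tests: 0x8100 at offset 12, then 0x0800 at offset 16
    return ethertypes(frame)[1] == ETHERTYPE_IP

def read_pcap(data):
    """Minimal reader for the classic libpcap file format (tcpdump -w); yields raw frames."""
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack_from("<I", data, 0)[0])
    if end is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(end + "I", data, 20)[0] != DLT_EN10MB:
        raise ValueError("expected an Ethernet (DLT_EN10MB) capture")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def summarize(data):
    """Tally the ethertypes seen and how many frames each filter would have accepted."""
    total, types, accepted = 0, Counter(), Counter({"ip": 0, "vlan and ip": 0})
    for frame in read_pcap(data):
        total += 1
        outer, inner = ethertypes(frame)
        types[f"0x{outer:04x}" + (f"/0x{inner:04x}" if inner is not None else "")] += 1
        accepted["ip"] += bpf_ip_matches(frame)
        accepted["vlan and ip"] += bpf_vlan_ip_matches(frame)
    return total, dict(types), dict(accepted)

# Constructed sample capture (not from the thread): 2 untagged IPv4, 3 802.1Q-tagged IPv4, 1 ARP.
def _frame(type_field):
    return b"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb" + type_field + b"\x45" + b"\x00" * 19
def _pcap(frames):
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 96, DLT_EN10MB)
    return header + b"".join(struct.pack("<IIII", 1285682838, i, len(f), len(f)) + f for i, f in enumerate(frames))
SAMPLE = _pcap([_frame(b"\x08\x00")] * 2 + [_frame(b"\x81\x00\x00\x64\x08\x00")] * 3 + [_frame(b"\x08\x06")])
```

Call summarize() on the bytes of a real unfiltered capture from bond0; if the tally shows ethertype 0x8100 instead of 0x0800, a bare `ip` filter will never match those frames, and since argus compiles its filter with the same pcap_compile() the same applies to the `- ip` given to argus.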