Argus with bonded interface
Nate Hausrath
hausrath.mailing.list at gmail.com
Tue Sep 28 10:49:06 EDT 2010
Well, you learn something new every day. That was it.
Thank you all for your help!
-Nate
On Sep 28, 2010, at 10:36 AM, Corey Smith wrote:
> I'm guessing you are using a vlan tagged SPAN (802.1Q). Try:
>
> # tcpdump -i bond0 -n vlan
>
> -Corey Smith
>
> -----Original Message-----
> From: Nate Hausrath <hausrath.mailing.list at gmail.com>
> To: Carter Bullard <carter at qosient.com>
> Cc: argus-info at lists.andrew.cmu.edu <argus-info at lists.andrew.cmu.edu>
> Subject: Re: [ARGUS] Argus with bonded interface
> Date: Tue, 28 Sep 2010 10:07:18 -0400
>
> Hmm, it does look like the filter has a problem with tcpdump as well.
>
> # tcpdump --version
> tcpdump version 4.0.0
> libpcap version 1.0.0
>
> # tcpdump -i bond0
> tcpdump: WARNING: bond0: no IPv4 address assigned
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on bond0, link-type EN10MB (Ethernet), capture size 96 bytes
> *** Data Here ***
> ^C
> 17 packets captured
> 8097 packets received by filter
>
> # tcpdump -i bond0 ip
> tcpdump: WARNING: bond0: no IPv4 address assigned
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on bond0, link-type EN10MB (Ethernet), capture size 96 bytes
> ^C
> 0 packets captured
> 42 packets received by filter
> 0 packets dropped by kernel
>
> -Nate
>
> On Sep 28, 2010, at 9:58 AM, Carter Bullard wrote:
>
>> Hmmmmm,
>> The filter you pass to argus, is compiled and processed just like the filter
>> given to tcpdump(), so it should work just as well as tcpdump() does with the filter.
>> pcap_compile() and pcap_setfilter(), on the pcapfd that is returned from the
>> pcap_open_*().
>>
>> What version of tcpdump() works for you? Does it work with the filter?
>> Maybe a libpcap bug?
>>
>> Carter
>>
>>
>> On Sep 28, 2010, at 9:42 AM, Nate Hausrath wrote:
>>
>>> Running tcpdump is able to capture packets. Good suggestion though. :)
>>>
>>> To respond to Carter:
>>>
>>> I think I figured out what the problem is. It appears to be the "- ip" at the end. For example, I ran the following tests:
>>>
>>> /usr/local/sbin/argus -D10 -X -i bond0 -w /var/log/argus/argus.log.test.1
>>> (Tons of debug messages, but this is where I noticed data was actually being analyzed and written to the output file.)
>>> /usr/local/sbin/argus -X -i bond0 -w /var/log/argus/argus.log.test.2 - ip
>>> /usr/local/sbin/argus -X -i bond0 -w /var/log/argus/argus.log.test.3
>>>
>>> Here are the resulting file sizes:
>>>
>>> # ls -l /var/log/argus/argus.log.test*
>>> -rw-r--r-- 1 root root 31232 2010-09-27 16:20 /var/log/argus/argus.log.test
>>> -rw-r--r-- 1 root root 640 2010-09-28 09:35 /var/log/argus/argus.log.test.2
>>> -rw-r--r-- 1 root root 2713188 2010-09-28 09:36 /var/log/argus/argus.log.test.3
>>>
>>> When I use ra to check for traffic on the 1st and 3rd tests, it works!
>>>
>>> Any ideas why the "- ip" is causing this? I can post the D10 output if necessary.
>>>
>>> Thanks,
>>> Nate
>>>
>>> On Sep 27, 2010, at 7:30 PM, Peter Van Epp wrote:
>>>
>>>> On Mon, Sep 27, 2010 at 05:22:49PM -0400, Carter Bullard wrote:
>>>>> Well, you definitely aren't getting any packets here. Increase the debug level to 10, and
>>>>> we'll see the result of the select() calls on the bond0 interface.
>>>>>
>>>>> Also don't use the -F /etc/argus.conf. That is causing you to read the conf twice.
>>>>> Instead, run it this way:
>>>>>
>>>>> /usr/local/sbin/argus -X -D10 -i bond0
>>>>>
>>>>> The '-X' will nullify anything that was in the /etc/argus.conf file.
>>>>> Very curious.
>>>>>
>>>>> Carter
>>>>>
>>>>
>>>> Trying
>>>>
>>>> tcpdump -i bond0
>>>>
>>>> on the machine (if you haven't already) would also be a good bet to see if the
>>>> problem is before argus (which seems somewhat likely). If tcpdump shows no
>>>> output there is a problem somewhere in pcap not argus.
>>>>
>>>> Peter Van Epp
>>>
>>>
>>
>> Carter Bullard
>> CEO/President
>> QoSient, LLC
>> 150 E 57th Street Suite 12D
>> New York, New York 10022
>>
>> +1 212 588-9133 Phone
>> +1 212 588-9134 Fax
>>
>>
>>
>
>
>
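The behaviour Corey points to above, worked through as an added example (not code from the thread, from argus, or from libpcap): on a SPAN port that delivers 802.1Q-tagged frames, the ethertype field at offset 12 holds 0x8100 rather than 0x0800, so a plain `ip` filter matches nothing, while the `vlan` keyword tests for 0x8100 and then shifts every later link-layer test 4 bytes to the right. The script below builds a handful of constructed frames and evaluates a tiny subset of the tcpdump filter language (`vlan`, `ip`, `arp`, joined by `and`) with the same offset rule, so the counts mirror what Nate saw with `ip` versus `vlan`. All addresses, VLAN IDs and payload bytes are made up; the offset arithmetic is the only part that reflects libpcap's real behaviour.

```python
import struct
from typing import List, Optional

# Well-known ethertype values (standard constants, not taken from the thread).
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_VLAN = 0x8100  # 802.1Q tag protocol identifier

ETHERTYPE_OFFSET = 12    # position of the ethertype in an untagged Ethernet frame
VLAN_TAG_LEN = 4         # TPID (2 bytes) + TCI (2 bytes)


def build_frame(payload_ethertype: int, vlan_id: Optional[int] = None) -> bytes:
    """Construct a minimal Ethernet frame; vlan_id (if given) inserts an 802.1Q tag.

    MAC addresses and the 20-byte payload are placeholder bytes, constructed here
    only so that the ethertype checks below have something to look at.
    """
    header = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if vlan_id is not None:
        tci = vlan_id & 0x0FFF  # priority 0, DEI 0, 12-bit VLAN ID
        header += struct.pack("!HH", ETHERTYPE_VLAN, tci)
    header += struct.pack("!H", payload_ethertype)
    return header + bytes(20)


def bpf_like_match(expr: str, frame: bytes) -> bool:
    """Evaluate a small subset of tcpdump filter syntax against one frame.

    Supported words: 'vlan', 'ip', 'arp', combined with 'and'.  Like libpcap's
    compiler, 'vlan' checks for 0x8100 at the current ethertype offset and then
    moves that offset past the tag, so an 'ip' test written after 'vlan' looks at
    the encapsulated ethertype instead of the tag itself.
    """
    offset = ETHERTYPE_OFFSET
    for word in expr.split():
        if word == "and":
            continue
        if offset + 2 > len(frame):      # frame too short for this test
            return False
        ethertype = struct.unpack_from("!H", frame, offset)[0]
        if word == "vlan":
            if ethertype != ETHERTYPE_VLAN:
                return False
            offset += VLAN_TAG_LEN       # later tests now see the inner ethertype
        elif word == "ip":
            if ethertype != ETHERTYPE_IPV4:
                return False
        elif word == "arp":
            if ethertype != ETHERTYPE_ARP:
                return False
        else:
            raise ValueError(f"unsupported filter word: {word!r}")
    return True


# Constructed sample capture: one untagged IPv4 frame, two tagged IPv4 frames
# on different VLANs, and one tagged ARP frame.
SAMPLE_FRAMES: List[bytes] = [
    build_frame(ETHERTYPE_IPV4),
    build_frame(ETHERTYPE_IPV4, vlan_id=100),
    build_frame(ETHERTYPE_IPV4, vlan_id=200),
    build_frame(ETHERTYPE_ARP, vlan_id=100),
]


def count_matches(expr: str, frames: List[bytes] = SAMPLE_FRAMES) -> int:
    """Number of frames in the sample that the filter expression would keep."""
    return sum(1 for f in frames if bpf_like_match(expr, f))


if __name__ == "__main__":
    for expr in ("ip", "vlan", "vlan and ip", "arp", "vlan and arp"):
        print(f"{expr!r:>16}: {count_matches(expr)} of {len(SAMPLE_FRAMES)} frames")
```

Running it shows `ip` keeping only the single untagged frame while `vlan and ip` keeps both tagged IPv4 frames, which is the 0-packets-versus-everything difference in Nate's two tcpdump runs. Since Carter notes that argus compiles its trailing filter with the same pcap_compile() path, the fix on a tagged SPAN is to put `vlan` in front of the protocol test, e.g. `- vlan and ip`, rather than `- ip`. One caveat when checking a live box: some NICs and drivers strip the 802.1Q tag in hardware before libpcap sees the frame, in which case `tcpdump -e` will show no tag and plain `ip` matches again, so verify with `tcpdump -e -i bond0` before deciding which form of the filter the sensor needs.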