Argus with bonded interface

Carter Bullard carter at qosient.com
Tue Sep 28 10:54:58 EDT 2010


Hey Nate,
No problem.  I normally don't use input filters for argus.  I'm generally
interested in processing everything, so I can have complete awareness
of the network (protocols, addrs, etc....) and if I'm interested in a subset of
traffic, I'll do the filtering on the flow records.

If you need argus to do something different for the filter, like add whatever
functionality the '-n vlan' provides, send email to the list.

Carter

On Sep 28, 2010, at 10:49 AM, Nate Hausrath wrote:

> Well, you learn something new every day.  That was it.
> 
> Thank you all for your help!
> 
> -Nate
> 
> On Sep 28, 2010, at 10:36 AM, Corey Smith wrote:
> 
>> I'm guessing you are using a vlan tagged SPAN (802.1Q).  Try:
>> 
>> # tcpdump -i bond0 -n vlan
>> 
>> -Corey Smith
>> 
>> -----Original Message-----
>> From: Nate Hausrath <hausrath.mailing.list at gmail.com>
>> To: Carter Bullard <carter at qosient.com>
>> Cc: argus-info at lists.andrew.cmu.edu <argus-info at lists.andrew.cmu.edu>
>> Subject: Re: [ARGUS] Argus with bonded interface
>> Date: Tue, 28 Sep 2010 10:07:18 -0400
>> 
>> Hmm, it does look like the filter has a problem with tcpdump as well.
>> 
>> # tcpdump --version
>> tcpdump version 4.0.0
>> libpcap version 1.0.0
>> 
>> # tcpdump -i bond0
>> tcpdump: WARNING: bond0: no IPv4 address assigned
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on bond0, link-type EN10MB (Ethernet), capture size 96 bytes
>> *** Data Here ***
>> ^C
>> 17 packets captured
>> 8097 packets received by filter
>> 
>> # tcpdump -i bond0 ip
>> tcpdump: WARNING: bond0: no IPv4 address assigned
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on bond0, link-type EN10MB (Ethernet), capture size 96 bytes
>> ^C
>> 0 packets captured
>> 42 packets received by filter
>> 0 packets dropped by kernel
>> 
>> -Nate
>> 
>> On Sep 28, 2010, at 9:58 AM, Carter Bullard wrote:
>> 
>>> Hmmmmm,
>>> The filter you pass to argus is compiled and processed just like the filter
>>> given to tcpdump(), so it should work just as well as tcpdump() does with the filter:
>>> pcap_compile() and pcap_setfilter(), on the pcapfd that is returned from the
>>> pcap_open_*().
>>> 
>>> What version of tcpdump() works for you?  Does it work with the filter?
>>> Maybe a libpcap bug?
>>> 
>>> Carter
>>> 
>>> 
>>> On Sep 28, 2010, at 9:42 AM, Nate Hausrath wrote:
>>> 
>>>> Running tcpdump is able to capture packets.  Good suggestion though. :)
>>>> 
>>>> To respond to Carter:
>>>> 
>>>> I think I figured out what the problem is.  It appears to be the "- ip" at the end.  For example I ran the following tests:
>>>> 
>>>> /usr/local/sbin/argus -D10 -X -i bond0 -w /var/log/argus/argus.log.test.1
>>>> (Tons of debug messages, but this is where I noticed data was actually being analyzed and written to the output file.)
>>>> /usr/local/sbin/argus -X -i bond0 -w /var/log/argus/argus.log.test.2 - ip
>>>> /usr/local/sbin/argus -X -i bond0 -w /var/log/argus/argus.log.test.3
>>>> 
>>>> Here are the resulting file sizes:
>>>> 
>>>> # ls -l /var/log/argus/argus.log.test*
>>>> -rw-r--r-- 1 root root   31232 2010-09-27 16:20 /var/log/argus/argus.log.test
>>>> -rw-r--r-- 1 root root     640 2010-09-28 09:35 /var/log/argus/argus.log.test.2
>>>> -rw-r--r-- 1 root root 2713188 2010-09-28 09:36 /var/log/argus/argus.log.test.3
>>>> 
>>>> When I use ra to check for traffic on the 1st and 3rd tests, it works!
>>>> 
>>>> Any ideas why the "- ip" is causing this?  I can post the D10 output if necessary.
>>>> 
>>>> Thanks,
>>>> Nate
>>>> 
>>>> On Sep 27, 2010, at 7:30 PM, Peter Van Epp wrote:
>>>> 
>>>>> On Mon, Sep 27, 2010 at 05:22:49PM -0400, Carter Bullard wrote:
>>>>>> Well, you definitely aren't getting any packets here.  Increase the debug level to 10, and
>>>>>> we'll see the result of the select() calls on the bond0 interface.
>>>>>> 
>>>>>> Also don't use the -F /etc/argus.conf.  That is causing you to read the conf twice.
>>>>>> Instead, run it this way:
>>>>>> 
>>>>>> /usr/local/sbin/argus -X -D10 -i bond0
>>>>>> 
>>>>>> The '-X' will nullify anything that was in the /etc/argus.conf file. 
>>>>>> Very curious.
>>>>>> 
>>>>>> Carter
>>>>>> 
>>>>> 
>>>>> 	Trying 
>>>>> 
>>>>> tcpdump -i bond0
>>>>> 
>>>>> on the machine (if you haven't already) would also be a good bet to see if the
>>>>> problem is before argus (which seems somewhat likely). If tcpdump shows no
>>>>> output there is a problem somewhere in pcap not argus.
>>>>> 
>>>>> Peter Van Epp
>>>> 
>>>> 
>>> 
>>> Carter Bullard
>>> CEO/President
>>> QoSient, LLC
>>> 150 E 57th Street Suite 12D
>>> New York, New York  10022
>>> 
>>> +1 212 588-9133 Phone
>>> +1 212 588-9134 Fax
>>> 
>>> 
>>> 
>> 
>> 
>> 
> 
> 

Carter Bullard
CEO/President
QoSient, LLC
150 E 57th Street Suite 12D
New York, New York  10022

+1 212 588-9133 Phone
+1 212 588-9134 Fax
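Added illustration (not code from the list or from argus/libpcap): why the "- ip" filter matched almost nothing on the bonded SPAN port while "vlan" did. A BPF "ip" filter on an Ethernet link tests the ethertype at offset 12 for 0x0800; an 802.1Q-tagged frame carries 0x8100 there, with the real ethertype four bytes later, which is the offset shift that the "vlan" keyword applies. The frames below are constructed samples, and the two filter functions are a minimal reimplementation of the two filter semantics, not libpcap's compiler.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100  # 802.1Q Tag Protocol Identifier

# Constructed sample addresses and a minimal IPv4 header stub (version/IHL byte only
# matters for this demonstration; the rest is padding).
DST_MAC = bytes.fromhex("001122334455")
SRC_MAC = bytes.fromhex("66778899aabb")
IPV4_STUB = b"\x45" + b"\x00" * 19


def build_frame(dst, src, payload, vlan_id=None):
    """Build an Ethernet II frame; with vlan_id set, insert an 802.1Q tag before the ethertype."""
    hdr = dst + src
    if vlan_id is not None:
        # TPID 0x8100 followed by TCI (priority/DEI bits zero, 12-bit VLAN id)
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vlan_id & 0x0FFF)
    hdr += struct.pack("!H", ETHERTYPE_IPV4)
    return hdr + payload


def filter_ip(frame):
    """Semantics of the BPF filter 'ip' on EN10MB: ethertype at offset 12 == 0x0800."""
    return struct.unpack_from("!H", frame, 12)[0] == ETHERTYPE_IPV4


def filter_vlan_ip(frame):
    """Semantics of 'vlan and ip': require a tag at offset 12, then test the
    encapsulated ethertype at offset 16 (the 4-byte shift 'vlan' introduces)."""
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_VLAN:
        return False
    return struct.unpack_from("!H", frame, 16)[0] == ETHERTYPE_IPV4


def count_matches(frames, predicate):
    """Number of frames the given filter function would pass, like tcpdump's 'captured' count."""
    return sum(1 for f in frames if predicate(f))


def sample_frames():
    """Constructed traffic mix for a tagged SPAN: three tagged IPv4 frames, one untagged."""
    return [
        build_frame(DST_MAC, SRC_MAC, IPV4_STUB, vlan_id=10),
        build_frame(DST_MAC, SRC_MAC, IPV4_STUB, vlan_id=20),
        build_frame(DST_MAC, SRC_MAC, IPV4_STUB, vlan_id=10),
        build_frame(DST_MAC, SRC_MAC, IPV4_STUB),
    ]


if __name__ == "__main__":
    frames = sample_frames()
    print("ip          matches:", count_matches(frames, filter_ip))        # 1
    print("vlan and ip matches:", count_matches(frames, filter_vlan_ip))   # 3
```

On a real sensor the same difference is visible by comparing the "packets captured" counter of `tcpdump -i bond0 ip` against `tcpdump -i bond0 vlan and ip`, which mirrors the 0-packet result Nate saw.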


