Full packet capture, missing something obvious.
Scott A. McIntyre
s.a.mcintyre at gmail.com
Thu Dec 22 22:43:21 EST 2011
John Gerth wrote:
> If the goal is full packet capture in addition to argus, I'm wondering if it would actually
> be any more expensive to just run the argus and tcpdump independently rather than using
> the two fifo setup with all the context switches that implies for its two extra processes.
> (Of course, it's writing the packets to disk that usually kills ya)
>
>
Yeah, sorry, I forgot to reply-all on the earlier conversation with Jesse.
The current setup indeed has two separate processes. I was just hoping
to simplify life a bit and have the argus filter *also* cover packet
capture. I hadn't ever really explored this option, but the fact that
the packet.out file is created, and no contents appear, is still a
mystery -- regardless of whether or not it's capturing full packets as I
was hoping.
The capture length is respected fine for the actual Argus data records
though.
Scott
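As an added example, not code from this thread or from the argus project: a small Python checker for the symptom Scott describes, a capture file that exists but shows "no contents". It separates the cases a practitioner actually needs to tell apart: the file is missing, it is zero bytes, it holds only the 24-byte libpcap global header (the writer opened the file but never flushed a record), it holds records, or a record is cut short. It also reports the snaplen recorded in the header, so the capture length can be checked against what was configured. It assumes the packet capture file is written in classic libpcap format, the format tcpdump -w produces and, to my knowledge, what argus's packet capture file option writes; the sample capture built by `build_sample_pcap` is constructed here for the demonstration and is not data from the list.

```python
import os
import struct

# Classic libpcap global header:
#   magic(4) major(2) minor(2) thiszone(4) sigfigs(4) snaplen(4) linktype(4)
GLOBAL_HDR_LEN = 24
# Per-packet record header: ts_sec(4) ts_usec(4) incl_len(4) orig_len(4)
RECORD_HDR_LEN = 16
MAGIC_USEC = 0xA1B2C3D4   # microsecond timestamps
MAGIC_NSEC = 0xA1B23C4D   # nanosecond timestamps


def inspect_pcap_bytes(data):
    """Classify a pcap image: empty, header-only, has-packets, or malformed."""
    if len(data) == 0:
        return {"state": "empty"}
    if len(data) < GLOBAL_HDR_LEN:
        return {"state": "truncated-header", "size": len(data)}
    # The magic number tells us the writer's byte order.
    magic_le = struct.unpack("<I", data[:4])[0]
    magic_be = struct.unpack(">I", data[:4])[0]
    if magic_le in (MAGIC_USEC, MAGIC_NSEC):
        endian = "<"
    elif magic_be in (MAGIC_USEC, MAGIC_NSEC):
        endian = ">"
    else:
        return {"state": "not-pcap", "size": len(data)}
    major, minor, _tz, _sig, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:GLOBAL_HDR_LEN])
    result = {"version": (major, minor), "snaplen": snaplen, "linktype": linktype}
    packets = 0
    max_caplen = 0
    pos = GLOBAL_HDR_LEN
    while pos + RECORD_HDR_LEN <= len(data):
        _sec, _usec, caplen, _origlen = struct.unpack(
            endian + "IIII", data[pos:pos + RECORD_HDR_LEN])
        # A record longer than the snaplen, or running past EOF, means the
        # file was cut mid-write or is not what the header claims.
        if caplen > snaplen or pos + RECORD_HDR_LEN + caplen > len(data):
            result.update(state="truncated-record", packets=packets, offset=pos)
            return result
        packets += 1
        max_caplen = max(max_caplen, caplen)
        pos += RECORD_HDR_LEN + caplen
    if pos != len(data):
        # Trailing bytes too short to be a record header.
        result.update(state="truncated-record", packets=packets, offset=pos)
        return result
    result.update(state="header-only" if packets == 0 else "has-packets",
                  packets=packets, max_caplen=max_caplen)
    return result


def inspect_pcap(path):
    """Same classification for a file on disk, with a 'missing' state."""
    if not os.path.exists(path):
        return {"state": "missing"}
    with open(path, "rb") as f:
        return inspect_pcap_bytes(f.read())


def build_sample_pcap(snaplen, orig_lengths, linktype=1):
    """Constructed sample (not real traffic): a little-endian pcap with the
    given snaplen and one packet per entry in orig_lengths, each truncated
    to snaplen the way a real capture would be."""
    out = struct.pack("<IHHiIII", MAGIC_USEC, 2, 4, 0, 0, snaplen, linktype)
    for i, orig_len in enumerate(orig_lengths):
        caplen = min(orig_len, snaplen)
        out += struct.pack("<IIII", 1324590000 + i, 0, caplen, orig_len)
        out += bytes([0xAA]) * caplen
    return out


if __name__ == "__main__":
    # Header-only file: what a writer that opened packet.out but never
    # flushed a record leaves behind.
    print(inspect_pcap_bytes(build_sample_pcap(96, [])))
    # A capture with two packets, the second clipped to the snaplen.
    print(inspect_pcap_bytes(build_sample_pcap(96, [60, 1500])))
    print(inspect_pcap("/var/log/argus/packet.out"))
```

On a box where the file really is being written, `tcpdump -r packet.out -c 1` gives the same answer faster; the checker above is for the case where the file is a few bytes long and you want to know whether those bytes are a pcap header at all.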