Full packet capture, missing something obvious.

Carter Bullard carter at qosient.com
Fri Dec 23 12:38:14 EST 2011


Argus is supposed to be able to do this, using the capture packet options in the argus.conf file.  There are two reasons to do this.  The first is for debugging.  We write the packets to the dump file before argus processes them, so if a packet causes catastrophic problems, we'll have the errant packet in the file for debugging.  The second reason is a new feature to put the packet file byte offsets for the first and last packets into the flow record.

Seems that the feature isn't working?
Carter

Carter Bullard, QoSient, LLC
150 E. 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax

On Dec 22, 2011, at 10:43 PM, "Scott A. McIntyre" <s.a.mcintyre at gmail.com> wrote:

> 
> 
> John Gerth wrote:
>> If the goal is full packet capture in addition to argus, I'm wondering if it would actually
>> be any more expensive to just run the argus and tcpdump independently rather than using
>> the two fifo setup with all the context switches that implies for its two extra processes.
>> (Of course, it's writing the packets to disk that usually kills ya)
>> 
>> 
> 
> 
> Yeah, sorry, I forgot to reply-all on the earlier conversation with Jesse.
> 
> The current setup indeed has two separate processes.  I was just hoping
> to simplify life a bit and have the argus filter *also* cover packet
> capture.  I hadn't ever really explored this option, but the fact that
> the packet.out file is created, and no contents appear, is still a
> mystery -- regardless of whether or not it's capturing full packets as I
> was hoping.
> 
> The capture length is respected fine for the actual Argus data records
> though.
> 
> Scott
> 



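A small diagnostic for the symptom in this thread (packet.out created but apparently empty) and for the per-packet byte offsets Carter mentions. This is an added example, not Argus code: it parses the classic pcap layout (24-byte global header, 16-byte record headers) from a byte string, tells a truly empty file apart from a header-only one, and reports the offsets of the first and last records. The pcap bytes it builds are constructed test input.

```python
import struct

# pcap magic as read big-endian from the first 4 bytes -> struct byte order
PCAP_MAGICS = {
    0xA1B2C3D4: ">", 0xD4C3B2A1: "<",   # microsecond timestamps
    0xA1B23C4D: ">", 0x4D3CB2A1: "<",   # nanosecond timestamps
}


def packet_offsets(data: bytes):
    """Return [(offset, caplen), ...] for each record in a pcap byte string.

    Raises ValueError for a non-pcap file or a truncated write (record header
    or packet data claiming more bytes than the file holds).
    """
    if len(data) < 24:
        raise ValueError("shorter than the 24-byte pcap global header")
    magic = struct.unpack(">I", data[:4])[0]
    if magic not in PCAP_MAGICS:
        raise ValueError("not a pcap file (magic 0x%08x)" % magic)
    end, offsets, pos = PCAP_MAGICS[magic], [], 24
    while pos < len(data):
        if pos + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % pos)
        _, _, caplen, _ = struct.unpack(end + "IIII", data[pos:pos + 16])
        if pos + 16 + caplen > len(data):
            raise ValueError("truncated packet data at offset %d" % pos)
        offsets.append((pos, caplen))
        pos += 16 + caplen
    return offsets


def diagnose(data: bytes) -> str:
    """Classify a dump file the way you would when packet.out looks empty."""
    if not data:
        return "empty: file created but no pcap header written"
    offsets = packet_offsets(data)
    if not offsets:
        return "header-only: pcap global header present, zero packets written"
    return "%d packets, first at offset %d, last at offset %d" % (
        len(offsets), offsets[0][0], offsets[-1][0])


def build_pcap(frames, little_endian=True, snaplen=96):
    """Constructed test input: wrap raw frames in a pcap file image."""
    end = "<" if little_endian else ">"
    out = struct.pack(end + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for i, frame in enumerate(frames):
        out += struct.pack(end + "IIII", 1324600000 + i, 0, len(frame), len(frame))
        out += frame
    return out
```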