Endace DAG 8.1 and Argus problem

Leif Tishendorf ltishend at gmail.com
Tue Feb 15 17:21:53 EST 2011


Carter,

I should probably start a different thread for this but it's the same 
system as the 3.0.3.22 issue and didn't want to clutter things up too 
much.  I just recently installed 3.0.2 on this same box, and originally 
I thought it was functioning normally. However, after more testing I've 
noticed there are a couple issues and was wondering if you had any 
suggestions.

1.  I have 6 load balanced streams to break up the traffic on a Dag 8.1 
card and an argus process on each.  Over time the argus processes will 
exit without error.

2.  Time stamps over time get extremely skewed (like it starts out 
putting year ranges from 1912 to 2057).  This seems to be worse with 
higher load.  Currently each process is running at about 20% CPU or less 
(8 core, 16 hyper-threaded).  I have Snort, nTop and tcpdump running on 
other streams and they don't experience the time skew issue.

Ideally I'd rather be using the 3.0.3.22 (3.0.4 when it's released) to 
take advantage of its multiple interface handling and multi-core 
support and not do overmuch troubleshooting on an older code base. 
Anything I can test/try, information I can provide I'd be happy to do so.

Thanks,

--Leif

On 02/14/2011 12:31 PM, Carter Bullard wrote:
> Hey Leif,
> It could be a bug.  Argus has run on many versions of the dag, but I don't test
> each dev release against dag's as I don't have access any longer.
>
> The easiest test is to make sure tcpdump gets packets from that interface.  If
> so, then running argus with the "-D debugLevel" option will give us some detail
> printing on what is happening.
>
> Try with "-D 6" to start, and if that doesn't help, increase to get more info, and don't run
> in daemon mode.
>
> Be sure and put the "-D 6" as the first option, so you get debug printing for parsing the
> command line options, etc......
>
> To compile debug support into argus, in the argus distribution directory:
>     % touch .debug
>     % ./configure
>     % make clean
>     % make
>
> Carter
>
> On Feb 14, 2011, at 3:15 PM, Leif Tishendorf wrote:
>
>> Hello all,
>>
>> I'm running an Endace Dag 8.1 card and I'm having difficulty getting Argus to work with it.  I've compiled Argus 3.0.3.22 against the Dag enabled libpcap files and Argus will run if I set it to eth0, which is the management interface, but if I set it to a dag stream, e.g. ARGUS_INTERFACE=dag0:8, the daemon says it starts, and prints to syslog that it starts, but it doesn't actually start.
>>
>> I was wondering if anyone may have had a similar issue and be able to offer some pointers.
>>
>> Thanks,
>>
>> --Leif
>>
>

-- 
--Leif


