Argus fails to start with ARGUS_INTERFACE=ind:all

Carter Bullard carter at qosient.com
Mon May 23 10:37:51 EDT 2011


Hey Harry,
We don't use socket(PF_INET,SOCK_PACKET) in argus, so not sure where this problem may be.
Now that I'm looking at the code, we use AF_INET for a socket call, which most OS's don't mind, but
if CentOS is persnickety, try this patch:

thoth:argus carter$ p4 diff ...
==== //depot/argus/argus/argus/ArgusSource.c#86 - /Users/carter/argus/argus/argus/ArgusSource.c ====
3666c3666
<       if ((ArgusGetInterfaceFD = socket(AF_INET, SOCK_DGRAM, 0)) < 0)
---
>       if ((ArgusGetInterfaceFD = socket(PF_INET, SOCK_DGRAM, 0)) < 0)
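
Review bot: The socket() call changed at line 3666 passes SOCK_DGRAM, while the kernel message in the report names (PF_INET,SOCK_PACKET), so this is not the call being flagged. On Linux AF_INET and PF_INET are also the same constant, so the arguments reaching the kernel are identical before and after the change. The substitution is fine as a consistency cleanup (PF_ for the socket domain) and should be described as one. The failure itself is logged as "ArgusOpenInterface: pcap_open_live socket: Operation not permitted", so the SOCK_PACKET socket and the permission error need to be traced through that path instead.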

To see if that doesn't help. If not, we'll have to find out what call we're in when the error is generated
to figure out if it's argus() or possibly libpcap().

Carter


On May 23, 2011, at 10:19 AM, Harry Hoffman wrote:

> Hi,
> 
> I've downloaded the latest argus (3.0.5.3) and I'm trying to run with:
> ARGUS_INTERFACE=ind:all
> 
> And I'm getting the following error messages:
> May 23 10:02:20 usher argus[25730]: 23 May 11 10:02:20.195237 started
> May 23 10:02:20 usher argus[25730]: 23 May 11 10:02:20.214626 started
> May 23 10:02:20 usher kernel: argus uses obsolete (PF_INET,SOCK_PACKET)
> May 23 10:02:20 usher argus[25730]: 23 May 11 10:02:20.229757
> ArgusOpenInterface: pcap_open_live socket: Operation not permitted
> May 23 10:02:20 usher argus[25730]: 23 May 11 10:02:20.237115
> ArgusOpenInterface: pcap_open_live socket: Operation not permitted
> May 23 10:02:20 usher argus[25730]: 23 May 11 10:02:20.242792
> ArgusOpenInterface: pcap_open_live socket: Operation not permitted
> 
> 
> If I run with ARGUS_INTERFACE=any then argus starts up right away (and seems
> to use eth0).
> 
> I've got the following live interfaces:
> Eth0 (ethernet)
> Eth1 (ethernet)
> Lo (loopback)
> Sit1 (ipv6-ipv4)
> 
> I'm running centos-5.6 x86_64. I'm happy to provide any other information.
> 
> Cheers,
> Harry
> 
> 
> 
