Argus 3.0.6 and dnaclusters
Chris Wakelin
c.d.wakelin at reading.ac.uk
Thu Dec 13 04:17:33 EST 2012
It's a one line change I'm using in Argus 3.0.7.1 (I also added a check
for eth1@0 and similar as used by the vanilla Intel driver with
multiqueue support):
--- ArgusSource.c.orig 2012-07-20 04:00:14.000000000 +0100
+++ ArgusSource.c 2012-10-14 22:31:05.098932043 +0100
@@ -4183,7 +4183,7 @@
if (device == NULL)
return;
- if (strstr(device->name, "dag")) {
+ if (strstr(device->name, "dag") || strstr(device->name, "nap") ||
strstr(device->name, "dna") || (strstr(device->name, "eth") &&
strstr(device->name, "@"))) { /*CDW* add "dna" */
for (i = 0; i < src->ArgusInterfaces; i++) {
if (src->ArgusInterface[i].ArgusPd &&
(pcap_fileno(src->ArgusInterface[i].ArgusPd) > 0))
bzero ((char *)&src->ArgusInterface[i].ifr, sizeof(ifr));
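Review bot: the new condition on the `+` lines matches substrings anywhere in `device->name`, so `strstr(device->name, "eth") && strstr(device->name, "@")` also fires for any interface whose name merely contains "eth" and "@" (a veth pair, which `ip link` lists as something like "veth0@if5"), and "dna" and "nap" will match in the middle of unrelated names as well. Anchoring the test, e.g. `strncmp(device->name, "dna", 3) == 0`, and checking that the "eth" form is really eth<N>@<M> before taking the skip-ifreq path would limit it to the zero-copy devices the comment names. As pasted, the two continuation lines after the first `+` line carry no `+` prefix and the header still reads `-4183,7 +4183,7` although three lines replace one, so the hunk needs its line counts fixed (or re-exporting with `diff -u`) before `patch` will apply it.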
It's almost identical for Argus 3.0.6.1 except "nap" has been added already.
You will still see Argus use 100% of CPU (as I said in the PF_RING
thread); the problem seems to be that in PF_RING DNA + libzero, the
select() call returns immediately without waiting for packets. I never
managed to work around this, but I have 16 real cores, and I just make
sure ARGUS gets its own one :)
It seems to capture traffic OK (at least on the main campus network link
which has 8 queues duplicated and sent to Suricata and Bro IDS; the
student network link seems to lose packets though, with Suricata using
15 queues and no Bro).
Alfredo of PF_RING has said in the past that a fix is on the todo list!
BTW you should also be able to abbreviate the interface name to "dnacl"
instead of "dnacluster" if you have a recent PF_RING.
Best Wishes,
Chris
On 13/12/12 01:37, Craig Merchant wrote:
> I saw this thread about how to run Argus using PF_RING DNA/libzero:
>
> http://comments.gmane.org/gmane.network.argus/8608
>
> When I looked the ArgusSource.c file, it looks like the logic for detecting the devices has changed.
>
> If I compile argus with the native files and start it with -i dnacluster:10@18, it doesn't start.
>
> I tried copying the logic for a "dag" adapter and changed it to "dna" since the physical interface shows up as dna0:
>
> if (strstr(device->name, "dna")) {
>    for (i = 0; i < src->ArgusInterfaces; i++) {
>       if (src->ArgusInterface[i].ArgusPd && (pcap_fileno(src->ArgusInterface[i].ArgusPd) > 0))
>          bzero ((char *)&src->ArgusInterface[i].ifr, sizeof(ifr));
>
>       src->ArgusInterface[i].ifr.ifr_flags |= IFF_UP;
>       setArgusInterfaceStatus(src, 1);
>    }
>    return;
> }
>
> Argus compiled with that setting is able to start, but it runs at 100% CPU and doesn't display any traffic.
>
> I can do tcpdump -i dnacluster:10@18 and see traffic from pfdnacluster_master, so that libzero interface is available.
>
> How can I adjust that file so Argus can use a dnacluster:X@Y interface? It doesn't need to put the interface into promiscuous mode or anything like that. I'm not a developer at all...
>
> Thx.
>
> Craig
>
--
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin, c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading, Tel: +44 (0)118 378 8439
Whiteknights, Reading, RG6 2AF, UK Fax: +44 (0)118 975 3094
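As an added example that is not part of this thread or of the Argus sources, the following C program contrasts the substring matching used in the patch above (strstr on "dag", "nap", "dna", and "eth" plus "@") with an anchored check that only accepts a family name at the start of the device string and the exact eth<N>@<M> form the Intel multiqueue driver uses. It assumes only that device names look like the ones discussed in the thread ("dna0", "dnacluster:10@18", "dnacl:10@18", "eth1@0"); the function names and the list of sample device names are constructed for the illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not Argus code. Two classifiers for a capture device name:
 * the substring test used by the patch quoted above, and an anchored variant
 * that only accepts a family name at the start of the string and the exact
 * eth<N>@<M> form the Intel multiqueue driver uses.
 */

/* Mirrors the patched Argus condition: strstr() finds the token anywhere. */
bool zero_copy_device_substr(const char *name)
{
    if (name == NULL)
        return false;
    return strstr(name, "dag") != NULL || strstr(name, "nap") != NULL ||
           strstr(name, "dna") != NULL ||
           (strstr(name, "eth") != NULL && strstr(name, "@") != NULL);
}

static bool starts_with(const char *s, const char *prefix)
{
    return strncmp(s, prefix, strlen(prefix)) == 0;
}

/* Consume one or more decimal digits; return NULL if none are present. */
static const char *skip_digits(const char *p)
{
    if (!isdigit((unsigned char)*p))
        return NULL;
    while (isdigit((unsigned char)*p))
        p++;
    return p;
}

/* Accept exactly eth<N>@<M>, e.g. "eth1@0"; reject "eth0", "eth1@", "veth0@if5". */
static bool is_eth_queue_name(const char *name)
{
    const char *p;

    if (!starts_with(name, "eth"))
        return false;
    p = skip_digits(name + 3);
    if (p == NULL || *p != '@')
        return false;
    p = skip_digits(p + 1);
    return p != NULL && *p == '\0';
}

/* Anchored version: "dag*", "nap*", "dna*" (covers dna0, dnacluster:10@18 and
 * the dnacl:10@18 abbreviation) or eth<N>@<M>; anything else is an ordinary
 * interface that still wants the ifreq / IFF_UP handling. */
bool zero_copy_device_anchored(const char *name)
{
    if (name == NULL)
        return false;
    return starts_with(name, "dag") || starts_with(name, "nap") ||
           starts_with(name, "dna") || is_eth_queue_name(name);
}

int main(void)
{
    /* Constructed device names, not taken from any real capture host. */
    static const char *const names[] = {
        "dnacluster:10@18", "dnacl:10@18", "dna0", "dag0", "nap0",
        "eth1@0", "eth0", "eth0.100", "bond0", "veth0@if5", "eth1@",
    };
    size_t i;

    printf("%-18s %-8s %-8s\n", "device", "substr", "anchored");
    for (i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-18s %-8s %-8s\n", names[i],
               zero_copy_device_substr(names[i]) ? "yes" : "no",
               zero_copy_device_anchored(names[i]) ? "yes" : "no");
    return 0;
}
```

Build with `cc -Wall -o devname devname.c` and run it; the "veth0@if5" and "eth1@" rows are the ones where the two predicates disagree, which is exactly the class of name the substring test would wrongly steer down the skip-ifreq path.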