Full packet capture, missing something obvious.

Jeffrey Everling jeffrey.everling at surfnet.nl
Fri Jun 15 11:16:34 EDT 2012


Dear Carter

Thank you very much for the quick reply. I will consider updating to
3.0.6.1 soon.

Keep up the good work.

-- 
Kind regards,


Jeffrey Everling
SURFnet B.V.

On 15-6-2012 3:35 PM, Carter Bullard wrote:
> Hey Jeffrey,
> Yes, this is a bug.  It fell through the cracks as I was trying to get argus-3.0.6 out.
> You should use argus-3.0.6, there is a patched version 3.0.6.1 that I'll announce
> today, which has this fix in it, and a number of other fixes, in place (memory leaks
> and deadlock issues when congested).   The testing argus-3.0.6.1.tar.gz on the
> development server, does have this patch, as of 9:30 AM today, and the patch file
> for argus-3.0.6 -> argus-3.0.6.1 has it as well).
> 
>    http://qosient.com/argus/dev/argus-latest.tar.gz
> 
> If you want to patch by hand, add this one line patch to your ./argus/ArgusSource.c file,
> to line 127, in the routine ArgusCloneSource():
> 
> thoth:argus carter$ p4 diff ArgusSource.c
> ==== //depot/argus-3.0.6/argus/argus/ArgusSource.c#1 - /Volumes/Users/carter/argus/release/argus-3.0.6/argus/argus/ArgusSource.c ====
> 127a128,129
>>    retn->ArgusDumpPacket = src->ArgusDumpPacket;
>>
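Review bot: the cover text calls this a one-line patch, but the `127a128,129` hunk adds two lines to ArgusSource.c (the `retn->ArgusDumpPacket = src->ArgusDumpPacket;` assignment plus a blank line after it), so anyone applying it by hand after line 127 should expect that. More importantly, the omission shows that ArgusCloneSource() copies the source structure member by member, so one forgotten member leaves a feature silently disabled (here a capture file that is created but never written, with no error logged); it is worth auditing the routine for any other member that is set from argus.conf and not yet copied into retn, and confirming after the rebuild that the configured ARGUS_PACKET_CAPTURE_FILE actually grows.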
> 
> Sorry for the foible (sp?) !!!  If you have any problems, don't hesitate to holler and
> thanks for the bug report !!!!!!!!!
> 
> Carter 
> 
> 
> 
> On Jun 15, 2012, at 6:30 AM, Jeffrey Everling wrote:
> 
>> Dear Carter
>>
>> A while ago I followed the following tutorial:
>> http://www.team-cymru.org/Services/darknets.html
>>
>> With their sample config I was able to get a separate file for the pcap.
>>
>> But now I am installing a fresh FreeBSD 9.0 system with argus 3.04
>> (tried 3.06 but did not help), but no matter what I try the packet
>> capture file isn't showing up.
>>
>> In my config I use these settings. Am I missing something or am I doing
>> something wrong here? I tried removing the settings with a * behind them
>> without results.
>>
>> ARGUS_DAEMON=yes
>> ARGUS_MONITOR_ID=5
>> ARGUS_ACCESS_PORT=2002
>> ARGUS_INTERFACE=bge1
>> ARGUS_OUTPUT_FILE=/var/log/argus/argus-id5-log
>> ARGUS_SET_PID=yes
>> ARGUS_GO_PROMISCUOUS=yes
>> ARGUS_FLOW_STATUS_INTERVAL=5
>> ARGUS_MAR_STATUS_INTERVAL=60
>> ARGUS_GENERATE_RESPONSE_TIME_DATA=yes *
>> ARGUS_GENERATE_JITTER_DATA=yes *
>> ARGUS_GENERATE_MAC_DATA=no
>> ARGUS_CAPTURE_DATA_LEN=1518 *
>> ARGUS_FILTER_OPTIMIZER=yes
>> ARGUS_FILTER="" *
>> ARGUS_PACKET_CAPTURE_FILE=/var/log/argus/argus-id5-tcpdump
>>
>> I've also tried to use tcpdump and this works, so I really am receiving
>> data.
>>
>> Maybe you can point me in the right direction.
>>
>> Greetings, Jeffrey Everling
>>
>>
>> On 23-12-2011 10:14 PM, Carter Bullard wrote:
>>> Hey Jesse,
>>> I think your response is just a little off target.  By setting the packet output file option in the argus.conf file, you're telling argus to write out packets.  
>>> Without any other configurations, argus will write out all packets into the file.  You can rename the output file, or delete it, and argus will detect the file has gone and it will start another one.
>>>
>>> By setting the capture on error variable, argus will only capture packets where argus could not process the packet.
>>>
>>> When this works you should get a file created, and then packets should show up.  I need to test this, it seems.
>>>
>>> Carter
>>>
>>>
>>> Carter Bullard, QoSient, LLC
>>> 150 E. 57th Street Suite 12D
>>> New York, New York 10022
>>> +1 212 588-9133 Phone
>>> +1 212 588-9134 Fax
>>>
>>> On Dec 22, 2011, at 7:51 PM, Jesse Bowling <jesseb at uga.edu> wrote:
>>>
>>>> On 12/22/11 5:34 PM, Scott McIntyre wrote:
>>>>> Hi,
>>>>>
>>>>> I've enabled, I think, full packet capture in Argus, however, the
>>>>> packet.out file, whilst created, remains empty.
>>>>>
>>>>> Short of uncommenting
>>>>> the ARGUS_PACKET_CAPTURE_FILE="/log/argus/packet.out" line, is there
>>>>
>>>> I believe this file is only used in conjunction with the
>>>> ARGUS_PACKET_CAPTURE_ON_ERROR setting...You probably want:
>>>>
>>>> ARGUS_CAPTURE_DATA_LEN=512 #set to number of bytes you want to capture
>>>>
>>>> This will capture the first 512 bytes of the content/user data in a
>>>> stream and keep it in with the rest of the flow data...You can then view
>>>> it with ra, for instance:
>>>>
>>>> # ra -r ra_capture_file -M dsrs=time,flow,metric,suser,duser -s
>>>> +suser:512 +duser:512 - tcp and port 80
>>>>
>>>> This will show the first 512 bytes of the data from the source and
>>>> destination...Be warned that capturing user data adds quite a bit of
>>>> processing, which may or may not make a difference in packet drops
>>>> depending on your setup.
>>>>
>>>> Hope that helps,
>>>>
>>>> Jesse
>>>>
>>>>> (this is with the -latest client and server)
>>>>>
>>>>> My thanks,
>>>>>
>>>>> Scott
>>>>>
>>>>
>>>> -- 
>>>> Jesse Bowling
>>>> Security Architect::Office of Information Security::UGA
>>>> jesseb at uga dot edu::706-542-2127
>>>>
>>>
>>
>>
>> -- 
>> Kind regards,
>>
>>
>> Jeffrey Everling
>> SURFnet B.V.
> 
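The symptom running through this whole thread is a packet capture file that argus creates but never writes to. The following is an added example, not code from the thread or from the argus project: it parses an argus.conf fragment (handling the trailing `*` markers Jeffrey used to annotate his settings), pulls out ARGUS_PACKET_CAPTURE_FILE, and classifies the file as missing, empty, stalled or growing by sampling its size twice. The sample configuration, the function names and the classification labels are all constructed here.

```python
"""Added example (not part of the thread or of argus): detect a configured
ARGUS_PACKET_CAPTURE_FILE that exists but never grows."""
import os
import re
import time

# Constructed sample: a subset of the settings posted in the thread,
# including the trailing ' *' annotations the poster added by hand.
SAMPLE_CONF = """\
# argus.conf fragment (constructed for this example)
ARGUS_DAEMON=yes
ARGUS_INTERFACE=bge1
ARGUS_OUTPUT_FILE=/var/log/argus/argus-id5-log
ARGUS_CAPTURE_DATA_LEN=1518 *
ARGUS_FILTER="" *
ARGUS_PACKET_CAPTURE_FILE=/var/log/argus/argus-id5-tcpdump
"""


def parse_argus_conf(text):
    """Return {KEY: value} for KEY=value lines.

    Comments and blank lines are ignored, a trailing ' *' annotation is
    dropped, and surrounding single or double quotes are stripped.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = re.sub(r"\s*\*\s*$", "", value.strip())
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        settings[key.strip()] = value
    return settings


def classify_sizes(exists, size_before, size_after):
    """Pure decision logic, separated from the file system for testing.

    'missing'  - the file was never created (argus not running, bad path,
                 or the option not honoured)
    'empty'    - created but nothing written: the exact symptom reported
                 in this thread
    'stalled'  - has data but did not grow during the sample interval
    'growing'  - packets are being appended
    """
    if not exists:
        return "missing"
    if size_after == 0:
        return "empty"
    if size_after > size_before:
        return "growing"
    return "stalled"


def assess_capture_file(path, interval=5.0):
    """Sample the capture file size twice, `interval` seconds apart."""
    if not os.path.exists(path):
        return classify_sizes(False, 0, 0)
    before = os.path.getsize(path)
    if interval > 0:
        time.sleep(interval)
    after = os.path.getsize(path)
    return classify_sizes(True, before, after)


def check_config(conf_text, interval=5.0):
    """Return (path, status) for the configured packet capture file,
    or (None, 'unset') if the option is absent."""
    settings = parse_argus_conf(conf_text)
    path = settings.get("ARGUS_PACKET_CAPTURE_FILE")
    if not path:
        return None, "unset"
    return path, assess_capture_file(path, interval)


if __name__ == "__main__":
    # Reads the live config when run as a script; falls back to the sample.
    conf_path = "/etc/argus.conf"
    if os.path.exists(conf_path):
        with open(conf_path) as fh:
            text = fh.read()
    else:
        text = SAMPLE_CONF
    print(check_config(text))
```

An 'empty' or 'stalled' result is only meaningful when the interface is actually seeing traffic and ARGUS_FILTER is not excluding everything, which is why checking with tcpdump on the same interface, as Jeffrey did, is the right companion step; 'missing' usually means argus is not running or cannot create the path. The 5 second default matches the ARGUS_FLOW_STATUS_INTERVAL in the posted configuration, but any interval long enough to see a write is fine.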
