Argus w/ napatech libpcap
Aleksander
aleksander.funes at gmail.com
Wed Jun 20 00:45:42 EDT 2012
Over the past few days I have been working with a Napatech 1G card.
For the most part I’ve been successful at getting the card to create
virtual interfaces and sniff traffic with tcpdump and snort. However,
I’ve not been able to figure out why Argus is not able to process
packets from the Napatech virtual interface… Argus appears to run
without crashing (non-daemon mode), but I’m not able to generate any
flows. If I capture packets with tcpdump, and later read the pcap
with Argus, I am able to generate flows. Any hints or assistance you
can provide would be greatly appreciated.
Environment:
RHEL 6.2 x86_64
Vendor modified libpcap-1.1.1
Argus v3.0.6.1
Here’s how I’ve compiled argus:
$ ./configure --with-libpcap=/opt/vendordir
This debug entry seems interesting, but I’m not sure what to do next:
“ArgusGetPackets: no interfaces up: sleeping”
$ ./argus -D 6 -i nap2 -w /tmp/out.argus
Argus debugging output:
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.050054 ArgusCalloc
(1, 3144) returning 0x9d1010
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.050173
ArgusNewModeler() returning 0x9d1010
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.050191 ArgusCalloc
(1, 4237248) returning 0x7f6376fae010
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.050204
ArgusNewSource(0x9d1010) returning 0x7f6376fae010
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.050217 ArgusCalloc
(1, 312) returning 0x9d1d40
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.050229 ArgusCalloc
(1, 152) returning 0x9d27b0
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.050237 ArgusNewQueue
() returning 0x9d27b0
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.050247 ArgusCalloc
(1, 152) returning 0x9d2850
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.050255 ArgusNewList
() returning 0x9d2850
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.050263 ArgusCalloc
(1, 152) returning 0x9d28f0
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.050270 ArgusNewList
() returning 0x9d28f0
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.050277
ArgusNewOutput() returning retn 0x9d1d40
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.050294
setArgusMarReportInterval(60) returning
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.050326
clearArgusDevice(0x7f6376fae010) returning
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.050341 ArgusCalloc
(1, 152) returning 0x9d2990
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.050349 ArgusNewList
() returning 0x9d2990
argus[16918]: NT_Init: shmem_hbseg_fifo: expected signature:
version=17236 magic=2a0102a2 size=4644880
argus[16918]: NT_Init: shmem_hbseg_fifo: actual signature..:
version=17236 magic=2a0102a2 size=4644880
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.508215 ArgusCalloc
(1, 64) returning 0x9d31a0
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.508239
ArgusPushFrontList (0x9d2990, 0x9d31a0, 1) returning 0x4216
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.508258
setArgusDevice(nap2 ) returning
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.508272
ArgusDeleteList ((nil), 2) returning
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.508282 ArgusCalloc
(1, 152) returning 0x9d3210
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.508290 ArgusNewList
() returning 0x9d3210
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.508298 ArgusCalloc
(1, 24) returning 0x9d1ea0
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.508306
ArgusPushFrontList (0x9d3210, 0x9d1ea0, 1) returning 0x4216
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.508315
setArgusInterfaceStatus(0x7f6376fae010, 1)
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.508792 ArgusCalloc
(1, 592056) returning 0xbdaf90
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.520375 ArgusCalloc
(1, 128) returning 0xd14270
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.520405
ArgusGenerateInitialMar() returning
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.520415 ArgusCalloc
(1, 168) returning 0xd14300
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.520529 ArgusCalloc
(1, 262256) returning 0xd143b0
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.520539 ArgusCalloc
(1, 152) returning 0xd54430
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.520547 ArgusNewList
() returning 0xd54430
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.520556
ArgusNewSocket (8) returning 0xd143b0
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.520596
ArgusPushBackList (0x9d3210, 0x9d1ea0, 1) returning 1
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.520606
ArgusDeleteList (0x9d3210, 2) 1 items on list
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.520614 ArgusFree (0x9d1ea0)
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.520627 ArgusFree (0x9d3210)
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.520635
ArgusDeleteList (0x9d3210, 2) returning
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.520705 ArgusInitOutput() done
argus[16918.00e7df2f637f0000]: 19 Jun 12 23:19:24.520728
ArgusOutputProcess(0x9d1d40) starting
argus[16918]: .520733 started
argus[16918.00e7df2f637f0000]: 19 Jun 12 23:19:24.520763
ArgusOutputProcess() looping
argus[16918.00e7df2f637f0000]: 19 Jun 12 23:19:24.520774
ArgusOutputProcess() waiting for input list
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.520788 ArgusCalloc
(1, 4237248) returning 0x7f632eff3010
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.520801 ArgusCalloc
(1, 152) returning 0x9d3210
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.520809 ArgusNewList
() returning 0x9d3210
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.520829
ArgusCloneSource(0x7f6376fae010) returning 0x7f632eff3010
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.520838
clearArgusDevice(0x7f632eff3010) returning
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.520846
ArgusPushBackList (0x9d3210, 0x9d31a0, 1) returning 1
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.524599
ArgusOpenInterface() pcap_open_live(nap2) returned 0xd54610
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.526650
Arguslookup_pcap_callback(1) returning 0x4170e5
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.526661
ArgusOpenInterface(0x7f632eff3010, 'nap2') returning 1
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.526670
ArgusPushBackList (0x9d3210, 0x9d31a0, 1) returning 1
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.526728 ArgusCalloc
(1, 3144) returning 0xd54970
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.526744 ArgusCalloc
(1, 64) returning 0xd555c0
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.526858 ArgusCalloc
(65536, 8) returning 0xd55610
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.526867
ArgusNewHashTable (65536) returning 0xd555c0
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.526875 ArgusCalloc
(1, 104) returning 0xdd5620
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.526883 ArgusCalloc
(1, 152) returning 0xdd5690
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.526890 ArgusNewQueue
() returning 0xdd5690
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.526897 ArgusCalloc
(1, 152) returning 0xdd5730
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.526905 ArgusNewQueue
() returning 0xdd5730
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.526912 ArgusCalloc
(1, 112) returning 0xdd57d0
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.526920 ArgusCalloc
(1, 40) returning 0xdd5850
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.526928 ArgusCalloc
(1, 80) returning 0xdd5880
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.526936 ArgusCalloc
(1, 1096) returning 0xdd58e0
<repeats 8 times>
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.527017 ArgusCalloc
(1, 1096) returning 0xdd7fb0
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.527026 ArgusCalloc
(1, 1096) returning 0xdd8400
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.527033 ArgusCalloc
(1, 1096) returning 0xdd8850
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.527044 ArgusCalloc
(1, 1096) returning 0xdd8ca0
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.527053 ArgusCalloc
(1, 1096) returning 0xdd90f0
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.527061 ArgusCalloc
(1, 1096) returning 0xdd9540
<repeats 5 times>
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.527109 ArgusCalloc
(1, 1096) returning 0xddaad0
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.527117
ArgusInitMallocList (1048) returning
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.527124
ArgusInitModeler(0xd54970) done
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.527132
ArgusInitSource(0x7f632eff3010) returning 1
argus[16918.0027ff2e637f0000]: 19 Jun 12 23:19:24.527192
ArgusGetPackets (0x7f632eff3010) starting
argus[16918.0027ff2e637f0000]: 19 Jun 12 23:19:24.527214
ArgusPushFrontList (0x9d3210, 0x9d31a0, 1) returning 0x421f
argus[16918.0027ff2e637f0000]: 19 Jun 12 23:19:24.527251
setArgusInterfaceStatus(0x7f632eff3010, 0)
argus[16918.0027ff2e637f0000]: 19 Jun 12 23:19:24.527263
ArgusGetPackets: no interfaces up: sleeping
argus[16918.00e7df2f637f0000]: 19 Jun 12 23:19:24.620843
ArgusOutputProcess() checking out clients
argus[16918.00e7df2f637f0000]: 19 Jun 12 23:19:24.620855
ArgusOutputProcess() done with clients
argus[16918.00e7df2f637f0000]: 19 Jun 12 23:19:24.620863
ArgusOutputProcess() looping
argus[16918.00e7df2f637f0000]: 19 Jun 12 23:19:24.620870
ArgusOutputProcess() waiting for input list
argus[16918.0027ff2e637f0000]: 19 Jun 12 23:19:24.677372
ArgusOpenInterface() pcap_open_live(nap2) returned 0x7f63280008c0
argus[16918.0027ff2e637f0000]: 19 Jun 12 23:19:24.679516
Arguslookup_pcap_callback(1) returning 0x4170e5
argus[16918.0027ff2e637f0000]: 19 Jun 12 23:19:24.679528
ArgusOpenInterface(0x7f632eff3010, 'nap2') returning 1
argus[16918.0027ff2e637f0000]: 19 Jun 12 23:19:24.679538
ArgusPushFrontList (0x9d3210, 0x9d31a0, 1) returning 0x421f
argus[16918.0027ff2e637f0000]: 19 Jun 12 23:19:24.679550
ArgusGetPackets: no interfaces up: sleeping
argus[16918.00e7df2f637f0000]: 19 Jun 12 23:19:24.720932
ArgusOutputProcess() checking out clients
argus[16918.00e7df2f637f0000]: 19 Jun 12 23:19:24.720942
ArgusOutputProcess() done with clients
argus[16918.00e7df2f637f0000]: 19 Jun 12 23:19:24.720950
ArgusOutputProcess() looping
<snip>
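
Added example, not part of the original post and not Argus code: a small triage script for the -D 6 output above. It re-joins the lines the mail client wrapped and reports whether libpcap opened the device while Argus still set the interface status to 0 and slept, which is the pattern in this log; the function names and the result keys are chosen here for illustration.

```python
import re

# Lines copied from the debug output above, still wrapped as in the mail.
SAMPLE = """\
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.508315
setArgusInterfaceStatus(0x7f6376fae010, 1)
argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.524599
ArgusOpenInterface() pcap_open_live(nap2) returned 0xd54610
argus[16918.0027ff2e637f0000]: 19 Jun 12 23:19:24.527251
setArgusInterfaceStatus(0x7f632eff3010, 0)
argus[16918.0027ff2e637f0000]: 19 Jun 12 23:19:24.527263
ArgusGetPackets: no interfaces up: sleeping
argus[16918.0027ff2e637f0000]: 19 Jun 12 23:19:24.677372
ArgusOpenInterface() pcap_open_live(nap2) returned 0x7f63280008c0
argus[16918.0027ff2e637f0000]: 19 Jun 12 23:19:24.679550
ArgusGetPackets: no interfaces up: sleeping
"""

HEADER = re.compile(r"^argus\[(\d+)(?:\.([0-9a-f]+))?\]:\s*(.*)$")
STAMP = re.compile(r"^\d{1,2} \w{3} \d{2} (\d{2}:\d{2}:\d{2}\.\d+)\s*(.*)$")

def records(text):
    """Re-join wrapped lines into (thread, time, message) tuples."""
    out = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            s = STAMP.match(m.group(3))
            time, msg = (s.group(1), s.group(2)) if s else (None, m.group(3))
            out.append([m.group(2), time, msg])
        elif out and line.strip() and not line.startswith("<"):
            out[-1][2] = (out[-1][2] + " " + line.strip()).strip()
    return [tuple(r) for r in out]

def capture_summary(text):
    """Summarise device opens, the last interface status and sleep count."""
    opened, status, sleeps = set(), None, 0
    for _thread, _time, msg in records(text):
        m = re.search(r"pcap_open_live\((\S+)\) returned (\S+)", msg)
        if m and m.group(2) != "(nil)":  # glibc prints a NULL %p as (nil)
            opened.add(m.group(1))
        m = re.search(r"setArgusInterfaceStatus\(0x[0-9a-f]+, (\d+)\)", msg)
        if m:
            status = int(m.group(1))
        sleeps += "no interfaces up" in msg
    return {"opened": sorted(opened), "last_status": status, "sleeps": sleeps,
            "opened_but_down": bool(opened) and status == 0 and sleeps > 0}

print(capture_summary(SAMPLE))
```
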