Argus w/ napatech libpcap

Carter Bullard carter at qosient.com
Wed Jun 20 09:14:36 EDT 2012


Hey Aleksander,
This debug message may be the one to pay attention to.
   argus[16918.0027ff2e637f0000]: 19 Jun 12 23:19:24.679550 ArgusGetPackets: no interfaces up: sleeping

If argus doesn't think any interfaces are up, it won't try to read any packets.
For DAG cards, we have to put in special code to fool it into thinking that the
interface is up.  We may have to do the same thing with Napatech cards.

Is this a new card?

If you are willing to be a guinea pig, try adding this patch to ./argus/ArgusSource.c.

==== //depot/argus-3.0.6/argus/argus/ArgusSource.c#2 - /Volumes/Users/carter/argus/release/argus-3.0.6/argus/argus/ArgusSource.c ====
***************
*** 4182,4188 ****
     if (device == NULL)
        return;
  
!    if (strstr(device->name, "dag")) {
        for (i = 0; i < src->ArgusInterfaces; i++) {
           if (src->ArgusInterface[i].ArgusPd && (pcap_fileno(src->ArgusInterface[i].ArgusPd) > 0))
              bzero ((char *)&src->ArgusInterface[i].ifr, sizeof(ifr));
--- 4182,4188 ----
     if (device == NULL)
        return;
  
!    if (strstr(device->name, "dag") || strstr(device->name, "nap")) {
        for (i = 0; i < src->ArgusInterfaces; i++) {
           if (src->ArgusInterface[i].ArgusPd && (pcap_fileno(src->ArgusInterface[i].ArgusPd) > 0))
              bzero ((char *)&src->ArgusInterface[i].ifr, sizeof(ifr));
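Review bot: on the changed line, strstr(device->name, "nap") matches "nap" anywhere in the device name, just as the existing "dag" test does, so any interface whose name merely contains that substring would also be treated as up. A prefix comparison such as strncmp(device->name, "nap", 3) == 0 would limit the special case to names like nap2. A one-line comment above the condition saying why these capture cards skip the normal interface-status check would help whoever adds the next vendor.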

This should get you past the idle interface problem.
Send email if that helps, and I'll add it to the main code base.

Carter


On Jun 20, 2012, at 12:45 AM, Aleksander wrote:

> Over the past few days I have been working with a Napatech 1G card.
> For the most part I’ve been successful at getting the card to create
> virtual interfaces and sniff traffic with tcpdump and snort.  However,
> I’ve not been able to figure out why Argus is not able to process
> packets from the Napatech virtual interface…  Argus appears to run
> without crashing (non-daemon mode), but I’m not able to generate any
> flows.  If I capture packets with tcpdump, and later read the pcap
> with Argus, I am able to generate flows.  Any hints or assistance you
> can provide would be greatly appreciated.
> 
> Environment:
> RHEL 6.2 x86_64
> Vendor modified libpcap-1.1.1
> Argus v3.0.6.1
> 
> Here’s how I’ve compiled argus:  $ ./configure --with-libpcap=/opt/vendordir
> 
> This debug entry seems interesting, but I’m not sure what to do next:
> “ArgusGetPackets: no interfaces up: sleeping”
> 
> $ ./argus -D 6 -i nap2 -w /tmp/out.argus
> 
> Argus debugging output:
> argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.050054 ArgusCalloc
> (1, 3144) returning 0x9d1010
> 
> argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.050173
> ArgusNewModeler() returning 0x9d1010
> 
> argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.050191 ArgusCalloc
> (1, 4237248) returning 0x7f6376fae010
> 
> argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.050204
> ArgusNewSource(0x9d1010) returning 0x7f6376fae010
> 
> argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.050217 ArgusCalloc
> (1, 312) returning 0x9d1d40
> 
> argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.050229 ArgusCalloc
> (1, 152) returning 0x9d27b0
> 
> argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.050237 ArgusNewQueue
> () returning 0x9d27b0
> 
> argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.050247 ArgusCalloc
> (1, 152) returning 0x9d2850
> 
> argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.050255 ArgusNewList
> () returning 0x9d2850
> 
> argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.050263 ArgusCalloc
> (1, 152) returning 0x9d28f0
> 
> argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.050270 ArgusNewList
> () returning 0x9d28f0
> 
> argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.050277
> ArgusNewOutput() returning retn 0x9d1d40
> 
> argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.050294
> setArgusMarReportInterval(60) returning
> 
> argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.050326
> clearArgusDevice(0x7f6376fae010) returning
> 
> argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.050341 ArgusCalloc
> (1, 152) returning 0x9d2990
> 
> argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.050349 ArgusNewList
> () returning 0x9d2990
> 
> argus[16918]: NT_Init: shmem_hbseg_fifo: expected signature:
> version=17236 magic=2a0102a2 size=4644880
> 
> argus[16918]: NT_Init: shmem_hbseg_fifo: actual signature..:
> version=17236 magic=2a0102a2 size=4644880
> 
> argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.508215 ArgusCalloc
> (1, 64) returning 0x9d31a0
> 
> argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.508239
> ArgusPushFrontList (0x9d2990, 0x9d31a0, 1) returning 0x4216
> 
> argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.508258
> setArgusDevice(nap2 ) returning
> 
> argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.508272
> ArgusDeleteList ((nil), 2) returning
> 
> argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.508282 ArgusCalloc
> (1, 152) returning 0x9d3210
> 
> argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.508290 ArgusNewList
> () returning 0x9d3210
> 
> argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.508298 ArgusCalloc
> (1, 24) returning 0x9d1ea0
> 
> argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.508306
> ArgusPushFrontList (0x9d3210, 0x9d1ea0, 1) returning 0x4216
> 
> argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.508315
> setArgusInterfaceStatus(0x7f6376fae010, 1)
> 
> argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.508792 ArgusCalloc
> (1, 592056) returning 0xbdaf90
> 
> argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.520375 ArgusCalloc
> (1, 128) returning 0xd14270
> 
> argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.520405
> ArgusGenerateInitialMar() returning
> 
> argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.520415 ArgusCalloc
> (1, 168) returning 0xd14300
> 
> argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.520529 ArgusCalloc
> (1, 262256) returning 0xd143b0
> 
> argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.520539 ArgusCalloc
> (1, 152) returning 0xd54430
> 
> argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.520547 ArgusNewList
> () returning 0xd54430
> 
> argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.520556
> ArgusNewSocket (8) returning 0xd143b0
> 
> argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.520596
> ArgusPushBackList (0x9d3210, 0x9d1ea0, 1) returning 1
> 
> argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.520606
> ArgusDeleteList (0x9d3210, 2) 1 items on list
> 
> argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.520614 ArgusFree (0x9d1ea0)
> 
> argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.520627 ArgusFree (0x9d3210)
> 
> argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.520635
> ArgusDeleteList (0x9d3210, 2) returning
> 
> argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.520705 ArgusInitOutput() done
> 
> argus[16918.00e7df2f637f0000]: 19 Jun 12 23:19:24.520728
> ArgusOutputProcess(0x9d1d40) starting
> 
> argus[16918]: .520733 started
> 
> argus[16918.00e7df2f637f0000]: 19 Jun 12 23:19:24.520763
> ArgusOutputProcess() looping
> 
> argus[16918.00e7df2f637f0000]: 19 Jun 12 23:19:24.520774
> ArgusOutputProcess() waiting for input list
> 
> argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.520788 ArgusCalloc
> (1, 4237248) returning 0x7f632eff3010
> 
> argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.520801 ArgusCalloc
> (1, 152) returning 0x9d3210
> 
> argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.520809 ArgusNewList
> () returning 0x9d3210
> 
> argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.520829
> ArgusCloneSource(0x7f6376fae010) returning 0x7f632eff3010
> 
> argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.520838
> clearArgusDevice(0x7f632eff3010) returning
> 
> argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.520846
> ArgusPushBackList (0x9d3210, 0x9d31a0, 1) returning 1
> 
> argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.524599
> ArgusOpenInterface() pcap_open_live(nap2) returned 0xd54610
> 
> argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.526650
> Arguslookup_pcap_callback(1) returning 0x4170e5
> 
> argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.526661
> ArgusOpenInterface(0x7f632eff3010, 'nap2') returning 1
> 
> argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.526670
> ArgusPushBackList (0x9d3210, 0x9d31a0, 1) returning 1
> 
> argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.526728 ArgusCalloc
> (1, 3144) returning 0xd54970
> 
> argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.526744 ArgusCalloc
> (1, 64) returning 0xd555c0
> 
> argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.526858 ArgusCalloc
> (65536, 8) returning 0xd55610
> 
> argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.526867
> ArgusNewHashTable (65536) returning 0xd555c0
> 
> argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.526875 ArgusCalloc
> (1, 104) returning 0xdd5620
> 
> argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.526883 ArgusCalloc
> (1, 152) returning 0xdd5690
> 
> argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.526890 ArgusNewQueue
> () returning 0xdd5690
> 
> argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.526897 ArgusCalloc
> (1, 152) returning 0xdd5730
> 
> argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.526905 ArgusNewQueue
> () returning 0xdd5730
> 
> argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.526912 ArgusCalloc
> (1, 112) returning 0xdd57d0
> 
> argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.526920 ArgusCalloc
> (1, 40) returning 0xdd5850
> 
> argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.526928 ArgusCalloc
> (1, 80) returning 0xdd5880
> 
> argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.526936 ArgusCalloc
> (1, 1096) returning 0xdd58e0
> 
> <repeats 8 times>
> 
> argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.527017 ArgusCalloc
> (1, 1096) returning 0xdd7fb0
> 
> argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.527026 ArgusCalloc
> (1, 1096) returning 0xdd8400
> 
> argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.527033 ArgusCalloc
> (1, 1096) returning 0xdd8850
> 
> argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.527044 ArgusCalloc
> (1, 1096) returning 0xdd8ca0
> 
> argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.527053 ArgusCalloc
> (1, 1096) returning 0xdd90f0
> 
> argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.527061 ArgusCalloc
> (1, 1096) returning 0xdd9540
> 
> <repeats 5 times>
> 
> argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.527109 ArgusCalloc
> (1, 1096) returning 0xddaad0
> 
> argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.527117
> ArgusInitMallocList (1048) returning
> 
> argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.527124
> ArgusInitModeler(0xd54970) done
> 
> argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.527132
> ArgusInitSource(0x7f632eff3010) returning 1
> 
> argus[16918.0027ff2e637f0000]: 19 Jun 12 23:19:24.527192
> ArgusGetPackets (0x7f632eff3010) starting
> 
> argus[16918.0027ff2e637f0000]: 19 Jun 12 23:19:24.527214
> ArgusPushFrontList (0x9d3210, 0x9d31a0, 1) returning 0x421f
> 
> argus[16918.0027ff2e637f0000]: 19 Jun 12 23:19:24.527251
> setArgusInterfaceStatus(0x7f632eff3010, 0)
> 
> argus[16918.0027ff2e637f0000]: 19 Jun 12 23:19:24.527263
> ArgusGetPackets: no interfaces up: sleeping
> 
> argus[16918.00e7df2f637f0000]: 19 Jun 12 23:19:24.620843
> ArgusOutputProcess() checking out clients
> 
> argus[16918.00e7df2f637f0000]: 19 Jun 12 23:19:24.620855
> ArgusOutputProcess() done with clients
> 
> argus[16918.00e7df2f637f0000]: 19 Jun 12 23:19:24.620863
> ArgusOutputProcess() looping
> 
> argus[16918.00e7df2f637f0000]: 19 Jun 12 23:19:24.620870
> ArgusOutputProcess() waiting for input list
> 
> argus[16918.0027ff2e637f0000]: 19 Jun 12 23:19:24.677372
> ArgusOpenInterface() pcap_open_live(nap2) returned 0x7f63280008c0
> 
> argus[16918.0027ff2e637f0000]: 19 Jun 12 23:19:24.679516
> Arguslookup_pcap_callback(1) returning 0x4170e5
> 
> argus[16918.0027ff2e637f0000]: 19 Jun 12 23:19:24.679528
> ArgusOpenInterface(0x7f632eff3010, 'nap2') returning 1
> 
> argus[16918.0027ff2e637f0000]: 19 Jun 12 23:19:24.679538
> ArgusPushFrontList (0x9d3210, 0x9d31a0, 1) returning 0x421f
> 
> argus[16918.0027ff2e637f0000]: 19 Jun 12 23:19:24.679550
> ArgusGetPackets: no interfaces up: sleeping
> 
> argus[16918.00e7df2f637f0000]: 19 Jun 12 23:19:24.720932
> ArgusOutputProcess() checking out clients
> 
> argus[16918.00e7df2f637f0000]: 19 Jun 12 23:19:24.720942
> ArgusOutputProcess() done with clients
> 
> argus[16918.00e7df2f637f0000]: 19 Jun 12 23:19:24.720950
> ArgusOutputProcess() looping
> 
> <snip>
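
A triage sketch for the symptom discussed in this thread, added here as an example and not part of the original messages or of Argus: it re-joins mail-wrapped `-D` debug lines and flags the case where `pcap_open_live()` returned a handle but `ArgusGetPackets` still reported no interfaces up, which leaves the sensor running without producing flows. The names `unwrap` and `triage`, and treating `(nil)` or `0x0` as a failed open, are assumptions.

```python
import re

# Constructed sample: debug lines in the format quoted in this thread,
# both mail-quoted/wrapped and as a single unwrapped line.
SAMPLE = """\
> argus[16918.00a73b77637f0000]: 19 Jun 12 23:19:24.524599
> ArgusOpenInterface() pcap_open_live(nap2) returned 0xd54610
>
> argus[16918.0027ff2e637f0000]: 19 Jun 12 23:19:24.527251
> setArgusInterfaceStatus(0x7f632eff3010, 0)
>
> argus[16918.0027ff2e637f0000]: 19 Jun 12 23:19:24.527263
> ArgusGetPackets: no interfaces up: sleeping
argus[16918.0027ff2e637f0000]: 19 Jun 12 23:19:24.679550 ArgusGetPackets: no interfaces up: sleeping
"""

OPEN_RE = re.compile(r"pcap_open_live\(([^)]+)\) returned (\S+)")
STATUS_RE = re.compile(r"setArgusInterfaceStatus\(\S+, (\d+)\)")
IDLE_MSG = "ArgusGetPackets: no interfaces up: sleeping"


def unwrap(text):
    """Strip '>' quoting and join wrapped continuation lines into records."""
    records = []
    for raw in text.splitlines():
        line = re.sub(r"^(?:>\s?)+", "", raw).strip()
        if not line:
            continue
        if line.startswith("argus[") or not records:
            records.append(line)          # a new debug record
        else:
            records[-1] += " " + line     # continuation of the previous one
    return records


def triage(text):
    """Summarise opens, idle polls and the last interface status seen."""
    opened, idle, status = {}, 0, None
    for rec in unwrap(text):
        m = OPEN_RE.search(rec)
        # Assumption: a failed open logs a NULL handle as "(nil)" or "0x0".
        if m and m.group(2) not in ("(nil)", "0x0"):
            opened[m.group(1)] = opened.get(m.group(1), 0) + 1
        m = STATUS_RE.search(rec)
        if m:
            status = int(m.group(1))
        idle += IDLE_MSG in rec
    # Stalled: the capture handle opened, yet the packet loop never ran.
    return {"opened": opened, "idle_polls": idle, "last_status": status,
            "stalled": bool(opened) and idle > 0}


if __name__ == "__main__":
    print(triage(SAMPLE))
```
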
