Argus doesn't collect packet data - only session data

Carter Bullard carter at qosient.com
Mon Mar 5 17:29:17 EST 2012 

Hey Paul,
You need to specify the "suser" and/or "duser" fields to print using the command line option "-s +suser +duser"
or add these fields to your .rarc file in the RA_FIELD_SPECIFIER variable definition.
Many options changed in the 3.x releases. Check out the man page, if in doubt.

You may find that the newest code, argus-clients-3.0.5.34 works as well:
   http://qosient.com/argus/dev/argus-clients-latest-tar.gz

Hope this helps,
Carter



On Mar 5, 2012, at 4:55 PM, Paul Schmehl wrote:

> I'm setting up a new server, and I've run into a problem with argus.  No matter what I do, I can't seem to get it to collect user data.  It works fine on the old server.
> 
> This is on FreeBSD 8.2.  Argus was built from ports and is version 3.0.4 without SASL.
> 
> Here's the argus.conf file:
> 
> ARGUS_DAEMON=yes
> ARGUS_INTERFACE="bce1"
> ARGUS_OUTPUT_FILE=/var/data/nsm/argus/argus.log
> ARGUS_SET_PID=yes
> ARGUS_GO_PROMISCUOUS=yes
> ARGUS_GENERATE_RESPONSE_TIME_DATA=yes
> ARGUS_GENERATE_MAC_DATA=yes
> ARGUS_FILTER="ip and not icmp"
> ARGUS_CAPTURE_DATA_LEN=800
> 
> And here's the process running:
> 
> root    94930 18.1  1.1 210416 189484  ??  Rs    8:48PM   0:41.79 /usr/local/sbin/argus -F /usr/local/etc/argus.conf -F /usr/local/etc/argus.conf
> 
> No matter what CAPTURE_DATA_LEN I use, this is what I get in the log:
> 
> 20:53:03.717210  e         udp         10.21.1.49.59178    <-> 74.200.191.77.domain        2        408   CON
>  20:53:03.718211  e         tcp     10.110.143.147.64634    <?> 205.203.132.65.http         13      10133   CON
>  20:53:03.718618  e         tcp     10.160.122.248.55405     -> 69.116.12.102.28550         3        213   CON
>  20:53:03.722132  e         tcp       10.21.21.177.56017     -> 218.6.12.180.http          3        180   RST
>  20:53:03.720056  e         tcp       71.71.229.73.12283     -> 129.110.94.160.http         11       1633   FIN
>  20:53:03.720769  e d       tcp       10.21.17.168.58421     -> 121.11.151.47.http        351     380622   CON
>  20:53:03.721078  e i       tcp       10.40.128.53.55652    <?> 10.110.47.178.ssh         171     108674   CON
> 
> As you can see, no packet data at all.
> 
> I've even tried using -U 800 on the commandline, but same results. Googling didn't help.
> 
> -- 
> Paul Schmehl (pauls at utdallas.edu)

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20120305/6621113c/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4367 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20120305/6621113c/attachment.bin>

More information about the argus mailing list