Multi-Instanced Argus

Carter Bullard carter at qosient.com
Wed Apr 2 06:45:14 EDT 2014


Hey Jeffrey,
Embedded in your debug list is the statement:

Mar 31 02:13:45 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31 Mar 14
02:13:45.757200 ArgusGetPackets: interface dna0 is selectable

and I suspect that it is not.  Just curious, do you have this line
in your argus ./include/argus_config.h file ??

 #define HAVE_PCAP_GET_SELECTABLE_FD 1

To get past this in the short term, just hard code the selectable
status variable in the routine ArgusGetPackets on line 3754.  Here
is a diff:

diff ArgusSource.c ArgusSource.c.new
3756c3756
<    int notselectable = 0;
---
>    int notselectable = 1;
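
Review bot: the changed line at 3756 turns `notselectable` into an unconditional `1`, so the non-selectable status is forced for every interface ArgusGetPackets handles, not only dna0, and the text above cites line 3754 while the hunk sits at 3756. For anything beyond this short-term test, keep the initialiser at 0 and set the flag per interface (for example when the device is a dna interface, or from a configuration option), with a comment recording why the override exists.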


And let's see how that goes.

Carter
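
The stall suspected in this thread, a capture loop waiting in select() on a descriptor that never becomes readable, and the effect of the `notselectable` flag, shown as an added simulation. This is not Argus or PF_RING code: the `source` struct, the pipe standing in for the capture descriptor, and every function name are hypothetical.

```c
/* Added illustration; not Argus or PF_RING code. All names are hypothetical. */
#include <stdio.h>
#include <sys/select.h>
#include <sys/time.h>
#include <unistd.h>

/* Simulated capture source: packets land in a user-space ring, and wake_rd is
 * the descriptor a capture loop would hand to select(). */
struct source {
    int wake_rd, wake_wr;  /* pipe ends standing in for the capture descriptor */
    int signals_fd;        /* 1: arrivals make wake_rd readable; 0: fd stays silent */
    int ring_pending;      /* packets waiting in the ring */
};

int source_open(struct source *s, int signals_fd)
{
    int p[2];
    if (pipe(p) != 0) return -1;
    s->wake_rd = p[0];
    s->wake_wr = p[1];
    s->signals_fd = signals_fd;
    s->ring_pending = 0;
    return 0;
}

void source_close(struct source *s) { close(s->wake_rd); close(s->wake_wr); }

/* A packet arrives. Only a source that signals its fd will wake select(). */
int source_deliver(struct source *s)
{
    s->ring_pending++;
    if (s->signals_fd && write(s->wake_wr, "p", 1) != 1) return -1;
    return 0;
}

static int drain_ring(struct source *s)
{
    int n = s->ring_pending;
    s->ring_pending = 0;
    return n;
}

/* select() on wake_rd: 1 if readable, 0 on timeout, -1 on error. */
static int wait_readable(struct source *s, int timeout_ms)
{
    fd_set rd;
    struct timeval tv;
    FD_ZERO(&rd);
    FD_SET(s->wake_rd, &rd);
    tv.tv_sec = timeout_ms / 1000;
    tv.tv_usec = (timeout_ms % 1000) * 1000;
    return select(s->wake_rd + 1, &rd, NULL, NULL, &tv);
}

/* One pass of a capture loop; returns the number of packets processed.
 * notselectable == 0: read only after select() reports the fd readable.
 * notselectable == 1: skip select() and poll the ring directly. */
int capture_pass(struct source *s, int notselectable, int timeout_ms)
{
    char buf[64];
    if (notselectable) {
        int n = drain_ring(s);
        if (n == 0) {  /* idle: sleep briefly instead of spinning */
            struct timeval tv = { timeout_ms / 1000, (timeout_ms % 1000) * 1000 };
            select(0, NULL, NULL, NULL, &tv);
        }
        return n;
    }
    if (wait_readable(s, timeout_ms) <= 0) return 0;  /* timeout: nothing is read */
    if (read(s->wake_rd, buf, sizeof buf) < 0) return -1;
    return drain_ring(s);
}

/* Run-time alternative to hard-coding the flag: if select() timed out while
 * packets are waiting, the descriptor cannot be used for waiting. The
 * simulation peeks at the ring; a real loop would attempt a non-blocking read. */
int probe_notselectable(struct source *s, int timeout_ms)
{
    int r = wait_readable(s, timeout_ms);
    return (r == 0 && s->ring_pending > 0) ? 1 : 0;
}

int main(void)
{
    struct source silent, normal;
    if (source_open(&silent, 0) != 0 || source_open(&normal, 1) != 0) return 1;
    for (int i = 0; i < 3; i++) { source_deliver(&silent); source_deliver(&normal); }

    printf("signalling fd, select path: %d packets\n", capture_pass(&normal, 0, 50));
    printf("silent fd, select path:     %d packets\n", capture_pass(&silent, 0, 50));
    int flag = probe_notselectable(&silent, 50);
    printf("probe says notselectable =  %d\n", flag);
    printf("silent fd, polling path:    %d packets\n", capture_pass(&silent, flag, 50));

    source_close(&silent);
    source_close(&normal);
    return 0;
}
```
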


On Apr 1, 2014, at 3:38 PM, Reynolds, Jeffrey <JReynolds at utdallas.edu> wrote:

> Carter,
> 
> Not sure if you got my other message but I’ll send it here as well.  I
> looked at the log info and I found the following out:
> 
> From STDOUT / STDERR:
> 
> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.708823 ArgusCalloc (1,
> 525016) returning 0x7f1ddfd42010
> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709007 ArgusNewModeler()
> returning 0x7f1ddfd42010
> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709036 ArgusCalloc (1,
> 4237776) returning 0x7f1dde6f4010
> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709055
> ArgusNewSource(0x7f1ddfd42010) returning 0x7f1dde6f4010
> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709073 ArgusCalloc (1,
> 336) returning 0x15340f0
> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709087 ArgusCalloc (1,
> 152) returning 0x1534b60
> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709098 ArgusNewQueue ()
> returning 0x1534b60
> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709110 ArgusCalloc (1,
> 152) returning 0x1534c00
> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709121 ArgusNewList ()
> returning 0x1534c00
> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709131 ArgusCalloc (1,
> 152) returning 0x1534ca0
> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709141 ArgusNewList ()
> returning 0x1534ca0
> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709150 ArgusNewOutput()
> returning retn 0x15340f0
> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709171
> setArgusMarReportInterval(60) returning
> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709252
> clearArgusDevice(0x7f1dde6f4010) returning
> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709270 ArgusCalloc (1,
> 152) returning 0x1534f80
> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709284 ArgusNewList ()
> returning 0x1534f80
> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709303 ArgusCalloc (1,
> 64) returning 0x1535020
> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709317 ArgusPushFrontList
> (0x1534f80, 0x1535020, 1) returning 0xa20
> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709331
> setArgusDevice(dna0) returning
> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709345 ArgusDeleteList
> ((nil), 2) returning
> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709356 ArgusCalloc (1,
> 152) returning 0x1535090
> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709366 ArgusNewList ()
> returning 0x1535090
> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709376 ArgusCalloc (1,
> 24) returning 0x1534250
> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709386 ArgusPushFrontList
> (0x1535090, 0x1534250, 1) returning 0xa20
> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709403
> setArgusMarReportInterval(60) returning
> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709440
> ArgusParseResourceFile (/etc/argus.conf) returning
> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709469 ArgusFree
> (0x1535020)
> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709480
> clearArgusDevice(0x7f1dde6f4010) returning
> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709493 ArgusCalloc (1,
> 64) returning 0x1535020
> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709503 ArgusPushFrontList
> (0x1534f80, 0x1535020, 1) returning 0xa20
> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709514
> setArgusDevice(dna0 ) returning
> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709526 ArgusDeleteList
> (0x1535090, 2) 1 items on list
> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709537 ArgusFree
> (0x1534250)
> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709549 ArgusFree
> (0x1535090)
> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709559 ArgusDeleteList
> (0x1535090, 2) returning
> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709569 ArgusCalloc (1,
> 152) returning 0x1535090
> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709579 ArgusNewList ()
> returning 0x1535090
> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709588 ArgusCalloc (1,
> 24) returning 0x1534250
> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709598 ArgusPushFrontList
> (0x1535090, 0x1534250, 1) returning 0xa20
> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709609
> setArgusInterfaceStatus(0x7f1dde6f4010, 1)
> 
> 
> 
> Here is output from /var/log/messages:
> 
> Mar 31 02:13:45 argus argus[2593]: 31 Mar 14 02:13:45.709952 started
> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar 14
> 02:13:45.710271 ArgusCalloc (1, 592056) returning 0x7f1ddfcb1010
> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar 14
> 02:13:45.725031 ArgusCalloc (1, 128) returning 0x15de1d0
> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar 14
> 02:13:45.725074 getArgusID(0x7f1dde6f4010) done
> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar 14
> 02:13:45.725094 getArgusIDType(0x7f1dde6f4010) done
> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar 14
> 02:13:45.725113 ArgusGenerateInitialMar() returning
> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar 14
> 02:13:45.725132 ArgusCalloc (1, 168) returning 0x15de260
> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar 14
> 02:13:45.725447 ArgusCalloc (1, 262256) returning 0x7f1ddfc70010
> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar 14
> 02:13:45.725472 ArgusCalloc (1, 152) returning 0x15de310
> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar 14
> 02:13:45.725489 ArgusNewList () returning 0x15de310
> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar 14
> 02:13:45.725506 ArgusNewSocket (4) returning 0x7f1ddfc70010
> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar 14
> 02:13:45.725548 ArgusPushBackList (0x1535090, 0x1534250, 1) returning 1
> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar 14
> 02:13:45.725567 ArgusDeleteList (0x1535090, 2) 1 items on list
> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar 14
> 02:13:45.725581 ArgusFree (0x1534250)
> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar 14
> 02:13:45.725597 ArgusFree (0x1535090)
> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar 14
> 02:13:45.725610 ArgusDeleteList (0x1535090, 2) returning
> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar 14
> 02:13:45.725714 ArgusInitOutput() done
> Mar 31 02:13:45 argus argus[2593]: 31 Mar 14 02:13:45.725789 started
> Mar 31 02:13:45 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:45.725794 ArgusOutputProcess(0x15340f0) starting
> Mar 31 02:13:45 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:45.725923 ArgusOutputProcess() looping
> Mar 31 02:13:45 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:45.725941 ArgusOutputProcess() waiting for input list
> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar 14
> 02:13:45.725807 ArgusCreatePIDFile(/var/run, argus) pidpath is /var/run
> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar 14
> 02:13:45.726043 ArgusPushFrontList (0x1534f80, 0x1535020, 1) returning
> 0xa21
> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar 14
> 02:13:45.726063 getArgusDevice(0x7f1dde6f4010) returning dna0
> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar 14
> 02:13:45.726606 ArgusCreatePIDFile(/var/run, argus) returning
> /var/run/argus.dna0.0.pid
> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar 14
> 02:13:45.726651 ArgusCalloc (1, 4237776) returning 0x7f1ddd6da010
> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar 14
> 02:13:45.726670 ArgusCalloc (1, 152) returning 0x1535090
> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar 14
> 02:13:45.726684 ArgusNewList () returning 0x1535090
> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar 14
> 02:13:45.726704 ArgusCloneSource(0x7f1dde6f4010) returning 0x7f1ddd6da010
> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar 14
> 02:13:45.726733 clearArgusDevice(0x7f1ddd6da010) returning
> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar 14
> 02:13:45.726757 ArgusPushBackList (0x1535090, 0x1535020, 1) returning 1
> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar 14
> 02:13:45.747151 ArgusOpenInterface() pcap_open_live(dna0) returned
> 0x15de4f0
> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar 14
> 02:13:45.754761 Arguslookup_pcap_callback(1) returning 0x412896
> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar 14
> 02:13:45.754790 ArgusOpenInterface(0x7f1ddd6da010, 'dna0') returning 1
> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar 14
> 02:13:45.754807 ArgusPushBackList (0x1535090, 0x1535020, 1) returning 1
> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar 14
> 02:13:45.754945 ArgusCalloc (1, 525016) returning 0x7f1ddd3bd010
> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar 14
> 02:13:45.755740 ArgusCalloc (1, 64) returning 0x15e1800
> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar 14
> 02:13:45.755778 ArgusCalloc (65536, 8) returning 0x7f1ddd33c010
> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar 14
> 02:13:45.755793 ArgusNewHashTable (65536) returning 0x15e1800
> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar 14
> 02:13:45.755807 ArgusCalloc (1, 104) returning 0x15e1850
> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar 14
> 02:13:45.755820 ArgusCalloc (1, 152) returning 0x15e18c0
> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar 14
> 02:13:45.755834 ArgusNewQueue () returning 0x15e18c0
> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar 14
> 02:13:45.755847 ArgusCalloc (1, 152) returning 0x15e1960
> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar 14
> 02:13:45.755859 ArgusNewQueue () returning 0x15e1960
> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar 14
> 02:13:45.755871 ArgusCalloc (1, 112) returning 0x15e1a00
> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar 14
> 02:13:45.755934 ArgusCalloc (1, 40) returning 0x15e1a80
> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar 14
> 02:13:45.755958 ArgusCalloc (1, 80) returning 0x15e1ab0
> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar 14
> 02:13:45.755982 ArgusCalloc (1, 1096) returning 0x15e1b10
> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar 14
> 02:13:45.756011 ArgusCalloc (1, 1096) returning 0x15e1f60
> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar 14
> 02:13:45.756038 ArgusCalloc (1, 1096) returning 0x15e23b0
> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar 14
> 02:13:45.756066 ArgusCalloc (1, 1096) returning 0x15e2800
> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar 14
> 02:13:45.756094 ArgusCalloc (1, 1096) returning 0x15e2c50
> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar 14
> 02:13:45.756113 ArgusCalloc (1, 1096) returning 0x15e30a0
> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar 14
> 02:13:45.756126 ArgusCalloc (1, 1096) returning 0x15e34f0
> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar 14
> 02:13:45.756146 ArgusCalloc (1, 1096) returning 0x15e3940
> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar 14
> 02:13:45.756167 ArgusCalloc (1, 1096) returning 0x15e3d90
> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar 14
> 02:13:45.756195 ArgusCalloc (1, 1096) returning 0x15e41e0
> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar 14
> 02:13:45.756219 ArgusCalloc (1, 1096) returning 0x15e4630
> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar 14
> 02:13:45.756243 ArgusCalloc (1, 1096) returning 0x15e4a80
> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar 14
> 02:13:45.756276 ArgusCalloc (1, 1096) returning 0x15e4ed0
> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar 14
> 02:13:45.756301 ArgusCalloc (1, 1096) returning 0x15e5320
> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar 14
> 02:13:45.756319 ArgusCalloc (1, 1096) returning 0x15e5770
> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar 14
> 02:13:45.756334 ArgusCalloc (1, 1096) returning 0x15e5bc0
> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar 14
> 02:13:45.756358 ArgusCalloc (1, 1096) returning 0x15e6010
> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar 14
> 02:13:45.756384 ArgusCalloc (1, 1096) returning 0x15e6460
> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar 14
> 02:13:45.756412 ArgusCalloc (1, 1096) returning 0x15e68b0
> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar 14
> 02:13:45.756427 ArgusCalloc (1, 1096) returning 0x15e6d00
> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar 14
> 02:13:45.756447 ArgusInitMallocList (1048) returning
> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar 14
> 02:13:45.756469 ArgusInitModeler(0x7f1ddd3bd010) done
> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar 14
> 02:13:45.756501 ArgusInitSource(0x7f1ddd6da010) returning 1
> Mar 31 02:13:45 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31 Mar 14
> 02:13:45.756655 ArgusGetPackets (0x7f1ddd6da010) starting
> Mar 31 02:13:45 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31 Mar 14
> 02:13:45.756747 ArgusPushFrontList (0x1535090, 0x1535020, 1) returning
> 0xa23
> Mar 31 02:13:45 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31 Mar 14
> 02:13:45.756810 setArgusInterfaceStatus(0x7f1ddd6da010, 1)
> Mar 31 02:13:45 argus argus[2593]: 31 Mar 14 02:13:45.756854
> ArgusGetInterfaceStatus: interface dna0 is up
> Mar 31 02:13:45 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31 Mar 14
> 02:13:45.757200 ArgusGetPackets: interface dna0 is selectable
> Mar 31 02:13:45 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31 Mar 14
> 02:13:45.757233 setArgusInterfaceStatus(0x7f1ddd6da010, 1)
> Mar 31 02:13:45 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:45.826041 ArgusOutputStatusTime(0x15340f0) done
> Mar 31 02:13:45 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:45.826082 ArgusOutputProcess() checking out clients
> Mar 31 02:13:45 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:45.826097 ArgusOutputProcess() done with clients
> Mar 31 02:13:45 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:45.826110 ArgusOutputProcess() looping
> Mar 31 02:13:45 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:45.826122 ArgusOutputProcess() waiting for input list
> Mar 31 02:13:45 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:45.926225 ArgusOutputStatusTime(0x15340f0) done
> Mar 31 02:13:45 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:45.926264 ArgusOutputProcess() checking out clients
> Mar 31 02:13:45 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:45.926279 ArgusOutputProcess() done with clients
> Mar 31 02:13:45 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:45.926292 ArgusOutputProcess() looping
> Mar 31 02:13:45 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:45.926305 ArgusOutputProcess() waiting for input list
> Mar 31 02:13:45 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31 Mar 14
> 02:13:45.957631 ArgusUpdateTime (0x7f1ddd3bd010) global time
> 1396250025.957628 update 1396250026.157628 returning 1
> Mar 31 02:13:45 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31 Mar 14
> 02:13:45.957676 ArgusPushFrontList (0x1535090, 0x1535020, 1) returning
> 0xa23
> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:46.026405 ArgusOutputStatusTime(0x15340f0) done
> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:46.026445 ArgusOutputProcess() checking out clients
> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:46.026460 ArgusOutputProcess() done with clients
> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:46.026472 ArgusOutputProcess() looping
> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:46.026485 ArgusOutputProcess() waiting for input list
> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:46.126605 ArgusOutputStatusTime(0x15340f0) done
> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:46.126644 ArgusOutputProcess() checking out clients
> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:46.126659 ArgusOutputProcess() done with clients
> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:46.126671 ArgusOutputProcess() looping
> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:46.126684 ArgusOutputProcess() waiting for input list
> Mar 31 02:13:46 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31 Mar 14
> 02:13:46.158386 ArgusUpdateTime (0x7f1ddd3bd010) global time
> 1396250026.158385 update 1396250026.357628 returning 1
> Mar 31 02:13:46 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31 Mar 14
> 02:13:46.158427 ArgusPushFrontList (0x1535090, 0x1535020, 1) returning
> 0xa23
> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:46.226786 ArgusOutputStatusTime(0x15340f0) done
> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:46.226825 ArgusOutputProcess() checking out clients
> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:46.226843 ArgusOutputProcess() done with clients
> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:46.226862 ArgusOutputProcess() looping
> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:46.226896 ArgusOutputProcess() waiting for input list
> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:46.327003 ArgusOutputStatusTime(0x15340f0) done
> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:46.327042 ArgusOutputProcess() checking out clients
> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:46.327056 ArgusOutputProcess() done with clients
> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:46.327069 ArgusOutputProcess() looping
> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:46.327081 ArgusOutputProcess() waiting for input list
> Mar 31 02:13:46 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31 Mar 14
> 02:13:46.359104 ArgusUpdateTime (0x7f1ddd3bd010) global time
> 1396250026.359103 update 1396250026.557628 returning 1
> Mar 31 02:13:46 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31 Mar 14
> 02:13:46.359145 ArgusPushFrontList (0x1535090, 0x1535020, 1) returning
> 0xa23
> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:46.427189 ArgusOutputStatusTime(0x15340f0) done
> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:46.427229 ArgusOutputProcess() checking out clients
> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:46.427243 ArgusOutputProcess() done with clients
> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:46.427256 ArgusOutputProcess() looping
> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:46.427268 ArgusOutputProcess() waiting for input list
> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:46.527381 ArgusOutputStatusTime(0x15340f0) done
> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:46.527420 ArgusOutputProcess() checking out clients
> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:46.527434 ArgusOutputProcess() done with clients
> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:46.527447 ArgusOutputProcess() looping
> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:46.527459 ArgusOutputProcess() waiting for input list
> Mar 31 02:13:46 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31 Mar 14
> 02:13:46.559826 ArgusUpdateTime (0x7f1ddd3bd010) global time
> 1396250026.559825 update 1396250026.757628 returning 1
> Mar 31 02:13:46 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31 Mar 14
> 02:13:46.559880 ArgusPushFrontList (0x1535090, 0x1535020, 1) returning
> 0xa23
> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:46.627571 ArgusOutputStatusTime(0x15340f0) done
> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:46.627610 ArgusOutputProcess() checking out clients
> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:46.627625 ArgusOutputProcess() done with clients
> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:46.627638 ArgusOutputProcess() looping
> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:46.627652 ArgusOutputProcess() waiting for input list
> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:46.727765 ArgusOutputStatusTime(0x15340f0) done
> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:46.727804 ArgusOutputProcess() checking out clients
> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:46.727819 ArgusOutputProcess() done with clients
> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:46.727836 ArgusOutputProcess() looping
> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:46.727849 ArgusOutputProcess() waiting for input list
> Mar 31 02:13:46 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31 Mar 14
> 02:13:46.760559 ArgusUpdateTime (0x7f1ddd3bd010) global time
> 1396250026.760557 update 1396250026.957628 returning 1
> Mar 31 02:13:46 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31 Mar 14
> 02:13:46.760600 ArgusPushFrontList (0x1535090, 0x1535020, 1) returning
> 0xa23
> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:46.827946 ArgusOutputStatusTime(0x15340f0) done
> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:46.827985 ArgusOutputProcess() checking out clients
> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:46.828000 ArgusOutputProcess() done with clients
> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:46.828013 ArgusOutputProcess() looping
> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:46.828026 ArgusOutputProcess() waiting for input list
> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:46.928138 ArgusOutputStatusTime(0x15340f0) done
> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:46.928177 ArgusOutputProcess() checking out clients
> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:46.928192 ArgusOutputProcess() done with clients
> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:46.928205 ArgusOutputProcess() looping
> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:46.928217 ArgusOutputProcess() waiting for input list
> Mar 31 02:13:46 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31 Mar 14
> 02:13:46.961354 ArgusUpdateTime (0x7f1ddd3bd010) global time
> 1396250026.961353 update 1396250027.157628 returning 1
> Mar 31 02:13:46 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31 Mar 14
> 02:13:46.961398 ArgusPushFrontList (0x1535090, 0x1535020, 1) returning
> 0xa23
> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:47.028316 ArgusOutputStatusTime(0x15340f0) done
> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:47.028355 ArgusOutputProcess() checking out clients
> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:47.028370 ArgusOutputProcess() done with clients
> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:47.028383 ArgusOutputProcess() looping
> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:47.028395 ArgusOutputProcess() waiting for input list
> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:47.128499 ArgusOutputStatusTime(0x15340f0) done
> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:47.128538 ArgusOutputProcess() checking out clients
> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:47.128553 ArgusOutputProcess() done with clients
> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:47.128568 ArgusOutputProcess() looping
> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:47.128580 ArgusOutputProcess() waiting for input list
> Mar 31 02:13:47 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31 Mar 14
> 02:13:47.162074 ArgusUpdateTime (0x7f1ddd3bd010) global time
> 1396250027.162073 update 1396250027.357628 returning 1
> Mar 31 02:13:47 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31 Mar 14
> 02:13:47.162115 ArgusPushFrontList (0x1535090, 0x1535020, 1) returning
> 0xa23
> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:47.228679 ArgusOutputStatusTime(0x15340f0) done
> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:47.228718 ArgusOutputProcess() checking out clients
> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:47.228737 ArgusOutputProcess() done with clients
> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:47.228750 ArgusOutputProcess() looping
> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:47.228762 ArgusOutputProcess() waiting for input list
> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:47.328888 ArgusOutputStatusTime(0x15340f0) done
> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:47.328927 ArgusOutputProcess() checking out clients
> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:47.328942 ArgusOutputProcess() done with clients
> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:47.328955 ArgusOutputProcess() looping
> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:47.328968 ArgusOutputProcess() waiting for input list
> Mar 31 02:13:47 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31 Mar 14
> 02:13:47.362797 ArgusUpdateTime (0x7f1ddd3bd010) global time
> 1396250027.362795 update 1396250027.557628 returning 1
> Mar 31 02:13:47 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31 Mar 14
> 02:13:47.362837 ArgusPushFrontList (0x1535090, 0x1535020, 1) returning
> 0xa23
> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:47.429068 ArgusOutputStatusTime(0x15340f0) done
> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:47.429107 ArgusOutputProcess() checking out clients
> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:47.429122 ArgusOutputProcess() done with clients
> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:47.429135 ArgusOutputProcess() looping
> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:47.429147 ArgusOutputProcess() waiting for input list
> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:47.529254 ArgusOutputStatusTime(0x15340f0) done
> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:47.529293 ArgusOutputProcess() checking out clients
> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:47.529307 ArgusOutputProcess() done with clients
> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:47.529320 ArgusOutputProcess() looping
> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:47.529333 ArgusOutputProcess() waiting for input list
> Mar 31 02:13:47 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31 Mar 14
> 02:13:47.563527 ArgusUpdateTime (0x7f1ddd3bd010) global time
> 1396250027.563526 update 1396250027.757628 returning 1
> Mar 31 02:13:47 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31 Mar 14
> 02:13:47.563569 ArgusPushFrontList (0x1535090, 0x1535020, 1) returning
> 0xa23
> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:47.629436 ArgusOutputStatusTime(0x15340f0) done
> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:47.629475 ArgusOutputProcess() checking out clients
> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:47.629489 ArgusOutputProcess() done with clients
> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:47.629502 ArgusOutputProcess() looping
> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:47.629515 ArgusOutputProcess() waiting for input list
> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:47.729622 ArgusOutputStatusTime(0x15340f0) done
> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:47.729662 ArgusOutputProcess() checking out clients
> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:47.729676 ArgusOutputProcess() done with clients
> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:47.729689 ArgusOutputProcess() looping
> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:47.729702 ArgusOutputProcess() waiting for input list
> Mar 31 02:13:47 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31 Mar 14
> 02:13:47.764263 ArgusUpdateTime (0x7f1ddd3bd010) global time
> 1396250027.764262 update 1396250027.957628 returning 1
> Mar 31 02:13:47 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31 Mar 14
> 02:13:47.764304 ArgusPushFrontList (0x1535090, 0x1535020, 1) returning
> 0xa23
> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:47.829810 ArgusOutputStatusTime(0x15340f0) done
> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:47.829849 ArgusOutputProcess() checking out clients
> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:47.829863 ArgusOutputProcess() done with clients
> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar 14
> 02:13:47.829890 ArgusOutputProcess() looping
> Mar 31 02:13:47 argus rsyslogd-2177: imuxsock begins to drop messages from
> pid 2593 due to rate-limiting
> Mar 31 02:13:51 argus rsyslogd-2177: imuxsock lost 188 messages from pid
> 2593 due to rate-limiting
> 
> 
> 
> Then everything after "ArgusGetPackets: interface dna0 is selectable"
> repeats over and over again.
> 
> Not sure if this confirms or refutes your previous statement.
> 
> -Jeff
> 
> On 3/30/14, 12:14 PM, "Carter Bullard" <carter at qosient.com> wrote:
> 
>> Jeffrey,
>> Did you create the .debug file in the argus home directory ??  This turns
>> on
>> debug information generation.  If you didn’t do this then:
>> 
>>  % touch .debug
>>  % ./configure;make clean;make
>> 
>> Seems like a lot of ARGUS_CAPTURE_DATA_LEN ??  I would recommend
>> something like 128, or 256 ???
>> 
>> I suspect that the PF_RING stuff doesn’t work with select(), and we’re
>> sitting
>> on a select() waiting to be notified that a packet is available to read.
>> Your
>> debug information should tell us if it thinks the interface is selectable
>> or not.
>> 
>> Carter
>> 
>> On Mar 30, 2014, at 12:45 PM, Reynolds, Jeffrey <JReynolds at utdallas.edu>
>> wrote:
>> 
>>> Ok, I’ve recompiled 3.0.7.5 from unmodified source.  I’m running with
>>> the
>>> following config file options:
>>> 
>>> ARGUS_FLOW_TYPE="Bidirectional"
>>> ARGUS_FLOW_KEY="CLASSIC_5_TUPLE"
>>> ARGUS_DAEMON=yes
>>> ARGUS_INTERFACE=dna0
>>> ARGUS_OUTPUT_FILE=/var/data/argus-out
>>> ARGUS_SET_PID=yes
>>> ARGUS_PID_PATH="/var/run"
>>> ARGUS_FLOW_STATUS_INTERVAL=5
>>> ARGUS_MAR_STATUS_INTERVAL=60
>>> ARGUS_DEBUG_LEVEL=8
>>> ARGUS_GENERATE_RESPONSE_TIME_DATA=yes
>>> ARGUS_GENERATE_MAC_DATA=yes
>>> ARGUS_CAPTURE_DATA_LEN=1500
>>> 
>>> 
>>> After running:
>>> 
>>> argus -F argus.conf
>>> 
>>> I’m still getting 128 byte argus-out files, but I’m not seeing any debug
>>> information.  However, /var/log/messages now shows the interface coming up
>>> more in line with what I’d expect:
>>> 
>>> Mar 30 05:21:29 argus argus[31395]: 30 Mar 14 05:21:29.114830 started
>>> Mar 30 05:21:29 argus argus[31395]: 30 Mar 14 05:21:29.130717 started
>>> Mar 30 05:21:29 argus argus[31395]: 30 Mar 14 05:21:29.156439
>>> ArgusGetInterfaceStatus: interface dna0 is up
>>> Mar 30 05:21:46 argus argus[31395]: 30 Mar 14 05:21:46.418902 stopped
>>> 
>>> 
>>> I checked ifconfig, and it claims that dna0 is running in PROMISC mode.
>>> It’s strange that I’m not seeing any debug info at the command line or in
>>> /var/log/messages.  I’ve tried specifying it in the config file and at the
>>> command line, but I haven’t seen any additional output.  Perhaps I didn’t
>>> have one of the dependencies installed when I ran the configure script,
>>> and something isn’t working properly?  Also, I see that libpcap can be
>>> recompiled with PF_Ring support.  Maybe I’ve missed something obvious
>>> here, but as Argus seems to depend on libpcap, do I need to recompile it
>>> with PF_Ring capabilities?
>>> 
>>> -Jeff
>>> 
>>> On 3/29/14, 10:00 AM, "Carter Bullard" <carter at qosient.com> wrote:
>>> 
>>>> Hey Jeffery,
>>>> Sorry for the delayed response...  and thanks Craig for taking the 
>>>> thread
>>>> !!!   The 128 byte records are management records, which are basically
>>>> keep alive like status messages for down stream readers of data.  They
>>>> indicate that the sensor is alive.
>>>> 
>>>> But you definitely aren't getting any packets from the interfaces.  You
>>>> shouldn't need to modify the source for this to work.  I'm pretty sure
>>>> Craig doesn't modify his.  So with a standard release, run argus the 
>>>> way
>>>> you think you should with the -D8 option, so we can see what is up for
>>>> 5-10 seconds or so, and send the output to the list.
>>>> 
>>>> We should see a statement that the interface is up.  We need to get 
>>>> that
>>>> far before we'll try to read packets.
>>>> 
>>>> Carter
>>>> 
>>>> 
>>>>> On Mar 28, 2014, at 3:42 PM, "Reynolds, Jeffrey"
>>>>> <JReynolds at utdallas.edu> wrote:
>>>>> 
>>>>> Ok, I'm almost sure there are issues with Argus and the code I've
>>>>> modified.  To rehash, I've changed line grabbed argus-3.0.7.5 and I've
>>>>> changed the following line in argus/ArgusSource.c
>>>>> 
>>>>> 4331
>>>>> 
>>>>> - if ((strstr(device->name, "dag")) || (strstr(device->name, 
>>>>> "napa"))) {
>>>>> 
>>>>> + if (strstr(device->name, "dag") || strstr(device->name, "nap") ||
>>>>> strstr(device->name, "dna") || (strstr(device->name, "eth") &&
>>>>> strstr(device->name, "@"))) {
>>>>> 
>>>>> I've also tried:
>>>>> 
>>>>> + if ((strstr(device->name, "dag")) || (strstr(device->name, "nap")) 
>>>>> ||
>>>>> (strstr(device->name, "dna")) || (strstr(device->name, "eth") &&
>>>>> strstr(device->name, "@"))) {
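Review bot: the extra parentheses around each strstr() call in this second variant change nothing, so the two forms of the condition are equivalent and only one of them needs testing. Each operand of || is already a complete call expression; the only grouping that matters is the pair joined by &&, (strstr(device->name, "eth") && strstr(device->name, "@")), which both variants keep, and && binds tighter than || in any case.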
>>>>> 
>>>>> 
>>>>> As I wasn't sure if the paren the strstr statements had to be enclosed in
>>>>> their own set of parens.  Anyway, in both instances, I'll try to run Argus
>>>>> and wind up with a 128 byte file.  For example:
>>>>> 
>>>>> $ argus -i dna0 -w /var/data/argus-out -s 1500
>>>>> (wait about 20 seconds)
>>>>> $ ls -l /var/data
>>>>> -rw-r--r--. 1 argus argus 128 Mar 28 07:46 argus-out
>>>>> 
>>>>> When I run with the vanilla drivers, and my interface is not "dna0" but
>>>>> "em1", then I get better results.
>>>>> 
>>>>> # rmmod ixgbe
>>>>> # modprobe ixgbe #pulling from /lib/modules/`uname -r`
>>>>> 
>>>>> $ rm argus-out
>>>>> rm: remove regular file `argus-out'? y
>>>>> $ argus -i em1 -w /var/data/argus-out -s 1500
>>>>> (wait about 20 seconds)
>>>>> $ ls -l /var/data
>>>>> -rw-r--r--. 1 argus argus 2392260 Mar 28 07:46 argus-out
>>>>> 
>>>>> 
>>>>> The real kicker seems to be in /var/log/messages.  When running argus 
>>>>> on
>>>>> em1 with the original ixgbe driver, I get the following output in
>>>>> /var/log/messages:
>>>>> 
>>>>> 
>>>>> Mar 28 05:14:52 argus argus[23142]: 28 Mar 14 05:14:52.865660 started
>>>>> Mar 28 05:14:52 argus argus[23142]: 28 Mar 14 05:14:52.882755 started
>>>>> Mar 28 05:14:52 argus kernel: device em1 entered promiscuous mode
>>>>> Mar 28 05:14:52 argus argus[23142]: 28 Mar 14 05:14:52.932220
>>>>> ArgusGetInterfaceStatus: interface em1 is up
>>>>> Mar 28 05:15:18 argus argus[23142]: 28 Mar 14 05:15:18.812342 stopped
>>>>> 
>>>>> 
>>>>> However, when running with the DNA driver, the output is as follows:
>>>>> 
>>>>> Mar 28 08:33:16 argus argus[23915]: 28 Mar 14 08:33:16.967530 started
>>>>> Mar 28 08:33:16 argus argus[23915]: 28 Mar 14 08:33:16.985055 started
>>>>> Mar 28 08:33:50 argus argus[23915]: 28 Mar 14 08:33:50.667199 stopped
>>>>> 
>>>>> 
>>>>> Now the interface is in promiscuous mode, I can see the change in received
>>>>> packets rising considerably by just running ifconfig a few times.  I think
>>>>> that for whatever reason, the function in Argus that outputs the
>>>>> "ArgusGetInterfaceStatus" line isn't correctly interpreting dna0 as an
>>>>> appropriate interface.
>>>>> 
>>>>> Does any of this sound remotely possible?
>>>>> 
>>>>> -Jeff
>>>>> 
>>>>> 
>>>>> 
>>>>>> On 3/27/14, 7:23 PM, "Craig Merchant" <cmerchant at responsys.com> 
>>>>>> wrote:
>>>>>> 
>>>>>> Hey, Jeffrey...
>>>>>> 
>>>>>> The configuration questions for the pf_ring and ixgbe drivers may be
>>>>>> better answered on the ntop forums...  But I'll do my best.  Here is
>>>>>> how
>>>>>> I load the drivers:
>>>>>> 
>>>>>> insmod /lib/modules/2.6.32-220.el6.x86_64/updates/pf_ring.ko
>>>>>> /sbin/modprobe ixgbe MQ=0,0 RSS=1,1 num_rx_slots=32768
>>>>>> 
>>>>>> ifconfig dna0 up promisc
>>>>>> ethtool -K dna0 tso off
>>>>>> ethtool -K dna0 gro off
>>>>>> ethtool -K dna0 lro off
>>>>>> ethtool -K dna0 gso off
>>>>>> ethtool -G dna0 tx 32768
>>>>>> ethtool -G dna0 rx 32768
>>>>>> 
>>>>>> One thing I'm not clear on from your config is why you are using
>>>>>> pfdnacluster_master at all...  That daemon is designed to split up
>>>>>> flows
>>>>>> and/or make copies of them to distribute to other applications.  I
>>>>>> don't
>>>>>> think it's meant to aggregate two interfaces into one stream.  
>>>>>> Normally
>>>>>> it's run with a -n parameter to tell it how many queues you want
>>>>>> traffic
>>>>>> divided up into.  We use:
>>>>>> 
>>>>>> pfdnacluster_master -d -c 10 -n 28,1 -m 0 -i dna0
>>>>>> 
>>>>>> In this case, -n says "divide up one copy of the traffic into 28 queues"
>>>>>> and "create one copy of all the traffic on the last queue".  The apps
>>>>>> accessing the first 28 queues (Snort) would connect to dnacluster:10@0 -
>>>>>> dnacluster:10@27.   Argus connects to dnacluster:10@28 and would see a
>>>>>> copy of all of the traffic.
>>>>>> 
>>>>>> If all you are looking to do is combine traffic from two interfaces
>>>>>> into
>>>>>> one, why not just run argus with -i dna0,dna1?
>>>>>> 
>>>>>> For testing, I would try the following to see where you might be 
>>>>>> having
>>>>>> problems:
>>>>>> 
>>>>>>  pfcount -i dna0
>>>>>>  pfcount -i dna1
>>>>>>  pfcount -i dna0,dna1
>>>>>>  pfcount -i dnacluster:10
>>>>>>  pfcount -i dnacluster:10@0
>>>>>> 
>>>>>> Let me know if that helps...
>>>>>> 
>>>>>> Craig
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> -----Original Message-----
>>>>>> From: Reynolds, Jeffrey [mailto:JReynolds at utdallas.edu]
>>>>>> Sent: Thursday, March 27, 2014 3:18 PM
>>>>>> To: Craig Merchant; Carter Bullard
>>>>>> Cc: Argus
>>>>>> Subject: Re: [ARGUS] Multi-Instanced Argus
>>>>>> 
>>>>>> So I understand this is from a while ago, but here is what I have.
>>>>>> Craig, maybe you can show me how I'm doing it wrong.
>>>>>> 
>>>>>> I finally got PF_Ring and libzero licensed correctly so that
>>>>>> pfdnacluster
>>>>>> isn't limited to 5 minutes of capture.  I downloaded the Argus 
>>>>>> source,
>>>>>> installed the dependencies, and compiled after making the change you
>>>>>> noted below.  However, I don't seem to be properly attaching argus to
>>>>>> my
>>>>>> devices to allow it to capture.  I have a feeling it's something to do
>>>>>> with my PF_Ring or dna-ixgbe conf files.  We have two interfaces to
>>>>>> monitor, which I've previously combined into one by using
>>>>>> pfdnacluster_master.  However, it looks like I can't get Argus to hook
>>>>>> into that or a single dna interface.  Anyway, after make installing, I
>>>>>> run the following command with the following result:
>>>>>> 
>>>>>> #pfdnacluster_master -i dna0,dna1 -c 10
>>>>>> #argus -i dnacluster:10 -s 1500 -w /var/data/argus-out
>>>>>> 
>>>>>> My /var/log/messages says that the specified interface doesn't exist,
>>>>>> which I kind of expected.
>>>>>> So I tried this (without pfdnacluster running):
>>>>>> 
>>>>>> #argus -i dna0 -s 1500 -w /var/data/argus-out
>>>>>> 
>>>>>> This time argus appears to have started, but my output file is not
>>>>>> growing (it initially starts at 128 bytes and increases by that same
>>>>>> amount every 30 seconds or so).
>>>>>> 
>>>>>> In case this happens to be the parameters I'm loading with my kernel
>>>>>> modules, here they are:
>>>>>> 
>>>>>> pf_ring.ko transparenet_mode=2
>>>>>> (I've also tried 0, with similar results) ixgbe.ko RSS=1,1,1,1 (I
>>>>>> wasn't
>>>>>> seeing all of the traffic from my interfaces with the default config,
>>>>>> the
>>>>>> ntop folks recommended this, I need to dig further into the docs to
>>>>>> learn
>>>>>> more about these parameters).
>>>>>> 
>>>>>> To answer your original question, I'm only monitoring about ~2Gbps,
>>>>>> significantly less than you are.  I'm not sure if what I've noticed
>>>>>> would be considered "gaps", but we do see exchanges where the server
>>>>>> appears to initiate conversations by sending a response to a client,
>>>>>> which the client doesn't appear to have requested.  I'm guessing the
>>>>>> missing request was most likely a packet that didn't get captured.
>>>>>> 
>>>>>> Any configuration suggestions would be much appreciated.
>>>>>> 
>>>>>> Thanks,
>>>>>> 
>>>>>> Jeff
>>>>>> 
>>>>>> 
>>>>>> From: Craig Merchant <cmerchant at responsys.com>
>>>>>> Date: Wednesday, March 12, 2014 at 6:39 PM
>>>>>> To: Carter Bullard <carter at qosient.com>, Jeff Reynolds <jjr140030 at utdallas.edu>
>>>>>> Cc: Argus <argus-info at lists.andrew.cmu.edu>
>>>>>> Subject: RE: [ARGUS] Multi-Instanced Argus
>>>>>> 
>>>>>> We're running Argus and Snort of PF_RING's DNA/Libzero drivers.  We
>>>>>> decided to use Libzero because the standard DNA drivers limit the
>>>>>> number
>>>>>> of memory "queues" containing network traffic to 16.  Each queue can
>>>>>> only
>>>>>> be accessed by a single process and our sensors have 32 cores, so we
>>>>>> wouldn't be able to run the maximum number of Snort instances without
>>>>>> it.
>>>>>> 
>>>>>> We use the pfdnaclustermaster app to spread flows across 28 queues 
>>>>>> for
>>>>>> snort and also maintain a copy of all flows in a queue for Argus.
>>>>>> 
>>>>>> To get it to work, all I had to do was make a slight edit to
>>>>>> ArgusSource.c so that Argus would recognize DNA/Libzero queues as a
>>>>>> valid
>>>>>> interface.
>>>>>> 
>>>>>> Somewhere around line 4191 (for argus 3.0.7):
>>>>>> 
>>>>>> 
>>>>>> -   if ((strstr(device->name, "dag")) || (strstr(device->name,
>>>>>> "napa"))) {
>>>>>> 
>>>>>> + if (strstr(device->name, "dag") || strstr(device->name, "nap") ||
>>>>>> + strstr(device->name, "dna") || (strstr(device->name, "eth") &&
>>>>>> + strstr(device->name, "@"))) {
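Review bot: strstr() matches its pattern anywhere in device->name, and the replacement line also shortens the existing "napa" test to "nap", so the condition now accepts any interface whose name merely contains "nap" or "dna" rather than only DNA/Libzero devices. Compare prefixes instead (for example strncmp(device->name, "dna", 3) == 0), keep "napa" unless the wider match is intended, and add a comment saying which device names the "eth" plus "@" pair is meant to cover.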
>>>>>> 
>>>>>> Our data centers do around 4-8 Gbps 24/7.  From what I recall, there 
>>>>>> is
>>>>>> (or was) a bug in PF_RING that caused Argus to run at 100% all of the
>>>>>> time, but in my experience Argus wasn't having problems keeping up 
>>>>>> with
>>>>>> our volume of data.  We did see an unusually high number of flows 
>>>>>> that
>>>>>> Argus couldn't determine the direction of, but we weren't seeing gaps
>>>>>> in
>>>>>> the packets or anything else to suggest that Argus couldn't handle 
>>>>>> the
>>>>>> volume.
>>>>>> 
>>>>>> How much traffic are you sending at Argus?  Have you tried searching
>>>>>> your
>>>>>> Argus records for flows that have gaps in them?  That would be a 
>>>>>> pretty
>>>>>> good indicator that Argus may have trouble keeping up.  Or that your
>>>>>> SPAN
>>>>>> port can't handle the load...
>>>>>> 
>>>>>> Thx.
>>>>>> 
>>>>>> Craig
>>>>>> 
>>>>>> From: argus-info-bounces+cmerchant=responsys.com at lists.andrew.cmu.edu
>>>>>> On Behalf Of Carter Bullard
>>>>>> Sent: Wednesday, March 12, 2014 1:57 PM
>>>>>> To: Reynolds, Jeffrey
>>>>>> Cc: Argus
>>>>>> Subject: Re: [ARGUS] Multi-Instanced Argus
>>>>>> 
>>>>>> Hey Jeffery,
>>>>>> Good so far.   This seems like the link for accelerating snort with
>>>>>> PF_RING DNA ??
>>>>>> http://www.ntop.org/pf_ring/accelerating-snort-with-pf_ring-dna/
>>>>>> 
>>>>>> I'm interested in the symmetric RSS and if it works properly.
>>>>>> Are you running the PF_RING DNA DAQ ????
>>>>>> 
>>>>>> It would seem that we'll have to modify argus to use this facility 
>>>>>> ???
>>>>>> 
>>>>>> Carter
>>>>>> 
>>>>>> On Mar 12, 2014, at 3:26 PM, Reynolds, Jeffrey
>>>>>> <JReynolds at utdallas.edu> wrote:
>>>>>> 
>>>>>> 
>>>>>> First, before we dive into it too deep, how is the performance ??
>>>>>> 
>>>>>> This actually seems like a great place to start.  Before getting too
>>>>>> heavy into PF_RING integration, maybe I should offer a bit of
>>>>>> backstory.
>>>>>> Our main goal is just to archive traffic.  We have a server running
>>>>>> CentOS 6 that receives traffic from two SPAN ports.  The only thing 
>>>>>> we
>>>>>> want to accomplish is to maintain a copy of that traffic for some
>>>>>> period
>>>>>> of time.  Argus was used because it seemed to be the best tool for 
>>>>>> the
>>>>>> price, and it comes with a lot of great features that while we may 
>>>>>> not
>>>>>> use now, we may use later (again, for right now all we want is a copy
>>>>>> of
>>>>>> the traffic to be able to perform forensics on).
>>>>>> 
>>>>>> Now, I put up a single instance of Argus and pointed it at the
>>>>>> interface
>>>>>> that was the master of our two bonded physical NICs (eth0 and eth1 
>>>>>> are
>>>>>> bonded to bond0).  I let it run for an hour to get some preliminary
>>>>>> numbers.  I ran a racount against my output file and got the following
>>>>>> stats:
>>>>>> 
>>>>>> racount -t 2014y3m12d05h -r argus-out
>>>>>> racount   records   total_pkts   src_pkts   dst_pkts    total_bytes      src_bytes      dst_bytes
>>>>>>     sum  14236180    187526800   98831765   88695035   212079839908   102889789820   109190050088
>>>>>> 
>>>>>> However, the switch sending that traffic reported that it had
>>>>>> sent a total of 421,978,297 packets to both interfaces, and a total of
>>>>>> 371,307,051,815 bytes for that time frame.  I could be interpreting
>>>>>> something incorrectly, so maybe the best first thing for me to 
>>>>>> confirm
>>>>>> is
>>>>>> that we are in fact losing a lot of traffic.  But it seems that a
>>>>>> single
>>>>>> argus instance can't keep up with the traffic.  I've seen this happen
>>>>>> with Snort, and our solution was to plug Snort into PF_RING to allow
>>>>>> the
>>>>>> traffic to be intelligently forwarded via the Snort Data Acquisition
>>>>>> Library (DAQ).  From the perspective of someone who hasn't had a lot 
>>>>>> of
>>>>>> exposure to this level of hardware configuration, it was relatively
>>>>>> easy
>>>>>> to plug the configuration parameters in at the Snort command line to
>>>>>> have
>>>>>> them all point at the same traffic source so that each individual
>>>>>> process
>>>>>> didn't run through the same traffic.  My hope was that there might 
>>>>>> just
>>>>>> be some parameters to set within the argus.conf file which would tell
>>>>>> each process to pull from a single PF_RING source.  However, it looks
>>>>>> like this might not be as easy as I had once thought.
>>>>>> 
>>>>>> Am I on the right track or does this make even a little sense?
>>>>>> 
>>>>>> Thanks,
>>>>>> 
>>>>>> Jeff
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> From: Carter Bullard <carter at qosient.com>
>>>>>> Date: Wednesday, March 12, 2014 at 9:54 AM
>>>>>> To: "Reynolds, Jeffrey" <JReynolds at utdallas.edu>
>>>>>> Cc: Argus <argus-info at lists.andrew.cmu.edu>
>>>>>> Subject: Re: [ARGUS] Multi-Instanced Argus
>>>>>> 
>>>>>> Hey Jeffrey,
>>>>>> I am very interested in this approach, but I have no experience with
>>>>>> this
>>>>>> PF_RING feature, so I'll have to give you the "design response".
>>>>>> Hopefully, we can get this to where it's doing exactly what anyone would
>>>>>> want it to do, and get us a really fast argus, on the cheap.
>>>>>> 
>>>>>> First, before we dive into it too deep, how is the performance ??  Are
>>>>>> you getting bi-directional flows out of this scheme ??  Are you seeing
>>>>>> all the traffic ???  If so, then congratulations !!!  If the performance
>>>>>> is good, you're seeing all the traffic, but you're only getting
>>>>>> uni-directional flows, then we may have some work to do, but still
>>>>>> congratulations !!!  If you're not getting all the traffic then we 
>>>>>> have
>>>>>> some real work to do, as one of the purposes of argus is to monitor 
>>>>>> all
>>>>>> the traffic.
>>>>>> 
>>>>>> OK, so my understanding is that the PF_RING can do some packet 
>>>>>> routing
>>>>>> to
>>>>>> a non-overlapping set of tap interfaces.  Routing is based on some
>>>>>> classification scheme, designed to make this usable. The purpose is 
>>>>>> to
>>>>>> provide coarse grain parallelism for packet processing.  The idea, as
>>>>>> much as I can tell, is to prevent multiple readers from having to 
>>>>>> read
>>>>>> from the same queue; eliminating locking issues, which kills
>>>>>> performance
>>>>>> etc...
>>>>>> 
>>>>>> So, I'm not sure what you mean by "pulling from the same queue".  If
>>>>>> you
>>>>>> do have multiple argi reading the same packet, you will end up
>>>>>> counting a
>>>>>> single packet multiple times.  Not a terrible thing, but not
>>>>>> recommended.
>>>>>> It's not that you're creating multiple observation domains using this
>>>>>> PF_RING technique. You're really splitting a single packet 
>>>>>> observation
>>>>>> domain into a multi-sensor facility ... eventually you will want to
>>>>>> combine the total argus output into a single output stream, that
>>>>>> represents the single packet observation domain.  At least that is my
>>>>>> thinking, and I would recommend that you use radium to connect to all
>>>>>> of
>>>>>> your argus instances, rather than writing the argus output to a set 
>>>>>> of
>>>>>> files.  Radium will generate a single argus data output stream,
>>>>>> representing the argus data from the single observation domain.
>>>>>> 
>>>>>> The design issue of using the PF_RING function is "how is PF_RING
>>>>>> classifying packets to do the routing?".
>>>>>> We would like for it to send packets that belong to the same
>>>>>> bi-directional flow to the same virtual interface, so argus can do 
>>>>>> its
>>>>>> bi-directional thing.  PF_RING claims that you can provide your own
>>>>>> classifier logic, which we can do to make this happen.  We have a
>>>>>> pretty
>>>>>> fast bidirectional hashing scheme which we can try out.
>>>>>> 
>>>>>> We have a number of people that are using netmap instead of PF_RING.
>>>>>> My
>>>>>> understanding is that it also has this same type of feature.  If we 
>>>>>> can
>>>>>> get some people talking about that, that would help a bit.
>>>>>> 
>>>>>> Carter
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> On Mar 12, 2014, at 1:03 AM, Reynolds, Jeffrey
>>>>>> <JReynolds at utdallas.edu> wrote:
>>>>>> 
>>>>>> Howdy All,
>>>>>> 
>>>>>> So after forever and a day, I've finally found time to start working 
>>>>>> on
>>>>>> my multi-instanced argus configuration. Here is my setup:
>>>>>> 
>>>>>> -CentOS 6.5 x64
>>>>>> -pfring driver compiled from source
>>>>>> -pfring capable Intel NICs (currently using the ixgbe driver version
>>>>>> 3.15.1-k) (these NICs are in a bonded configuration under a device
>>>>>> named
>>>>>> bond0)
>>>>>> 
>>>>>> I've configured my startup script to start 5 instances of Argus, each
>>>>>> with their own /etc/argusX.conf file (argus1.conf, argus2.conf, etc).
>>>>>> The start up script correctly assigns the proper pid file to each
>>>>>> instance, and everything starts and stops smoothly.  Each instance is
>>>>>> writing an output file to /var/argus in the format of argusX.out.
>>>>>> When I
>>>>>> first tried running my argus instances, I ran them with a version of
>>>>>> PF_RING I had installed from an RPM obtained from the ntop repo.
>>>>>> Things
>>>>>> didn't seem to work correctly, so I tried again after I had compiled
>>>>>> from
>>>>>> source.  After compiling from source, I got the following output in
>>>>>> /var/log/messages when I started argus:
>>>>>> 
>>>>>> Mar 11 17:48:16 argus kernel: No module found in object
>>>>>> Mar 11 17:49:16 argus kernel: [PF_RING] Welcome to PF_RING 5.6.3 ($Revision: 7358$)
>>>>>> Mar 11 17:49:16 argus kernel: (C) 2004-14 ntop.org
>>>>>> Mar 11 17:49:16 argus kernel: [PF_RING] registered /proc/net/pf_ring/
>>>>>> Mar 11 17:49:16 argus kernel: NET: Registered protocol family 27
>>>>>> Mar 11 17:49:16 argus kernel: [PF_RING] Min # ring slots 4096
>>>>>> Mar 11 17:49:16 argus kernel: [PF_RING] Slot version     15
>>>>>> Mar 11 17:49:16 argus kernel: [PF_RING] Capture TX       Yes [RX+TX]
>>>>>> Mar 11 17:49:16 argus kernel: [PF_RING] Transparent Mode 0
>>>>>> Mar 11 17:49:16 argus kernel: [PF_RING] IP Defragment    No
>>>>>> Mar 11 17:49:16 argus kernel: [PF_RING] Initialized correctly
>>>>>> Mar 11 17:49:35 argus kernel: Bluetooth: Core ver 2.15
>>>>>> Mar 11 17:49:35 argus kernel: NET: Registered protocol family 31
>>>>>> Mar 11 17:49:35 argus kernel: Bluetooth: HCI device and connection manager initialized
>>>>>> Mar 11 17:49:35 argus kernel: Bluetooth: HCI socket layer initialized
>>>>>> Mar 11 17:49:35 argus kernel: Netfilter messages via NETLINK v0.30.
>>>>>> Mar 11 17:49:35 argus argus[13918]: 11 Mar 14 17:49:35.643243 started
>>>>>> Mar 11 17:49:35 argus argus[13918]: 11 Mar 14 17:49:35.693930 started
>>>>>> Mar 11 17:49:35 argus kernel: device bond0 entered promiscuous mode
>>>>>> Mar 11 17:49:35 argus kernel: device em1 entered promiscuous mode
>>>>>> Mar 11 17:49:35 argus kernel: device em2 entered promiscuous mode
>>>>>> Mar 11 17:49:35 argus argus[13918]: 11 Mar 14 17:49:35.721490 ArgusGetInterfaceStatus: interface bond0 is up
>>>>>> Mar 11 17:49:36 argus argus[13922]: 11 Mar 14 17:49:36.349202 started
>>>>>> Mar 11 17:49:36 argus argus[13922]: 11 Mar 14 17:49:36.364625 started
>>>>>> Mar 11 17:49:36 argus argus[13922]: 11 Mar 14 17:49:36.383623 ArgusGetInterfaceStatus: interface bond0 is up
>>>>>> Mar 11 17:49:37 argus argus[13926]: 11 Mar 14 17:49:37.045224 started
>>>>>> Mar 11 17:49:37 argus argus[13926]: 11 Mar 14 17:49:37.060689 started
>>>>>> Mar 11 17:49:37 argus argus[13926]: 11 Mar 14 17:49:37.079706 ArgusGetInterfaceStatus: interface bond0 is up
>>>>>> Mar 11 17:49:37 argus argus[13930]: 11 Mar 14 17:49:37.753278 started
>>>>>> Mar 11 17:49:37 argus argus[13930]: 11 Mar 14 17:49:37.768613 started
>>>>>> Mar 11 17:49:37 argus argus[13930]: 11 Mar 14 17:49:37.785691 ArgusGetInterfaceStatus: interface bond0 is up
>>>>>> Mar 11 17:49:38 argus argus[13934]: 11 Mar 14 17:49:38.449229 started
>>>>>> Mar 11 17:49:38 argus argus[13934]: 11 Mar 14 17:49:38.466365 started
>>>>>> Mar 11 17:49:38 argus argus[13934]: 11 Mar 14 17:49:38.485675 ArgusGetInterfaceStatus: interface bond0 is up
>>>>>> 
>>>>>> Aside from the "No module found in object" error, everything seems like
>>>>>> it's working Ok.  The only problem is that I don't seem to have my argus
>>>>>> argus
>>>>>> instances configured to pull traffic from the same queue.  In other
>>>>>> words, I have five output files from five argus instances with like
>>>>>> traffic in all of them.  I haven't made any changes to my argus 
>>>>>> config
>>>>>> files, aside from telling them to write to different locations and 
>>>>>> the
>>>>>> name of the interface. I know I'm missing something but I'm not quite
>>>>>> sure what it is.  If someone might be able to tell me how to 
>>>>>> configure
>>>>>> these five instances to pull from the same PF_RING queue, I'd be 
>>>>>> mighty
>>>>>> obliged.  Let me know if I need to submit any additional information.
>>>>>> 
>>>>>> Thanks,
>>>>>> 
>>>>>> Jeff Reynolds
>>>>> 
>>>>> 
>>> 
>> 
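
The bi-directional classification requirement raised in the quoted March 12 message (both directions of a flow must reach the same queue so one argus sees the whole conversation), as an added example that is not code from Argus, PF_RING or anyone in this thread. The struct, the FNV-1a hash and the constructed sample flows are assumptions; only the 28-queue split is taken from the thread.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NQUEUES 28u   /* the "-n 28" split quoted in the thread */

/* Hypothetical 5-tuple; addresses and ports in host byte order. */
struct flow_key {
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
    uint8_t  proto;
};

typedef uint32_t (*hash_fn)(const struct flow_key *);

/* FNV-1a, chosen here only because it is short and well known. */
static uint32_t fnv1a(const uint8_t *p, size_t n)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* Pack one endpoint (address, port) into a 48-bit value. */
static uint64_t endpoint(uint32_t ip, uint16_t port)
{
    return ((uint64_t)ip << 16) | port;
}

/* Write the low 48 bits of v big-endian, so the hash input is portable. */
static void put48(uint8_t *out, uint64_t v)
{
    for (int i = 0; i < 6; i++) out[i] = (uint8_t)(v >> (40 - 8 * i));
}

static uint32_t hash_endpoints(uint64_t first, uint64_t second, uint8_t proto)
{
    uint8_t buf[13];
    put48(buf, first);
    put48(buf + 6, second);
    buf[12] = proto;
    return fnv1a(buf, sizeof buf);
}

/* Naive classifier: hashes source then destination, so A->B and B->A differ. */
uint32_t hash_directional(const struct flow_key *k)
{
    return hash_endpoints(endpoint(k->src_ip, k->src_port),
                          endpoint(k->dst_ip, k->dst_port), k->proto);
}

/* Symmetric classifier: order the endpoints first, so direction drops out. */
uint32_t hash_symmetric(const struct flow_key *k)
{
    uint64_t a = endpoint(k->src_ip, k->src_port);
    uint64_t b = endpoint(k->dst_ip, k->dst_port);
    return a < b ? hash_endpoints(a, b, k->proto)
                 : hash_endpoints(b, a, k->proto);
}

unsigned queue_for(hash_fn h, const struct flow_key *k)
{
    return h(k) % NQUEUES;
}

struct flow_key reverse_flow(struct flow_key k)
{
    struct flow_key r = { k.dst_ip, k.src_ip, k.dst_port, k.src_port, k.proto };
    return r;
}

/* Constructed sample: n TCP clients (10.0.0.1 upward) talking to
 * 192.0.2.10:443.  Returns how many flows have their request and reply
 * directions assigned to different queues by classifier h. */
unsigned count_split_flows(hash_fn h, unsigned n)
{
    unsigned split = 0;
    for (unsigned i = 0; i < n; i++) {
        struct flow_key fwd = { 0x0A000001u + i, 0xC000020Au,
                                (uint16_t)(40000u + 7u * i), 443, 6 };
        struct flow_key rev = reverse_flow(fwd);
        if (queue_for(h, &fwd) != queue_for(h, &rev))
            split++;
    }
    return split;
}

int main(void)
{
    printf("flows split across queues, directional hash: %u of 64\n",
           count_split_flows(hash_directional, 64));
    printf("flows split across queues, symmetric hash:   %u of 64\n",
           count_split_flows(hash_symmetric, 64));
    return 0;
}
```

A flow split by the directional hash would show up in each instance's output as a one-sided record, which is the uni-directional symptom the message asks about.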
