Multi-Instanced Argus
Carter Bullard
carter at qosient.com
Mon Apr 14 12:29:41 EDT 2014
Hey Jeff,
So where are we on this problem ???
It's pretty clear that you aren't getting any packets.
The modification that you tried to the source wasn't good logic:
with the "&&", it should be a "||", of course.
4331
- if ((strstr(device->name, "dag")) || (strstr(device->name, "napa"))) {
+ if (strstr(device->name, "dag") || strstr(device->name, "nap") ||
strstr(device->name, "dna") || (strstr(device->name, "eth") &&
strstr(device->name, "@"))) {
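Review bot: in the `+` lines the clause `(strstr(device->name, "eth") && strstr(device->name, "@"))` only fires for names that contain both "eth" and "@", so a plain "eth0" never takes this branch, and swapping "napa" for "nap" on the same line widens the original check to any name containing "nap". Neither detail touches the interface in question: "dna0" is already caught by `strstr(device->name, "dna")`, whichever way the eth/@ clause is written.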
should be
+ if (strstr(device->name, "dag") || strstr(device->name, "nap") ||
strstr(device->name, "dna") || (strstr(device->name, "eth") ||
strstr(device->name, "@"))) {
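Review bot: with every operator now `||`, the inner parentheses around the eth/@ pair are redundant, and the branch is taken for any device name containing "eth" (eth0, eth1, ...), which the original dag/napa check never did; if the branch is meant for the dag/nap/dna style devices only, "eth" should be dropped rather than OR'd in. Both the `&&` and the `||` form still match "dna0" through `strstr(device->name, "dna")`, so this change on its own does not alter what happens for dna0.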
Still having problems ???
Carter
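The thread turns on one question: whether the capture descriptor for dna0 can be waited on with select(), which is what libpcap's pcap_get_selectable_fd() answers (it returns -1 when it cannot), and what a capture loop has to do differently when the answer is no. The following is an added example, not argus or libpcap code: a pipe stands in for a selectable capture socket, a counter stands in for a device whose descriptor cannot be selected, and the struct fields, function names, packet size and timings are this example's own choices. It walks the three cases the thread circles around: a selectable source read after select() says it is readable, a non-selectable source polled with a short sleep between empty polls, and a non-selectable source wrongly flagged as selectable, which the loop refuses up front instead of waiting on a descriptor that will never become readable.

```c
/* Added example, not argus or libpcap code: a capture loop that branches on
 * whether its descriptor is selectable. A pipe models a selectable socket; a
 * counter models a device (DAG/DNA style) whose descriptor libpcap reports as
 * not selectable, i.e. pcap_get_selectable_fd() would return -1.
 * Names, timings and packet size are this example's own choices. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/select.h>
#include <sys/time.h>
#include <time.h>
#include <unistd.h>

#define PKT_SIZE 64

struct source {
    int fd;            /* selectable descriptor, or -1 when there is none */
    int pending;       /* packets a polled (non-selectable) source still holds */
    int handed;        /* packets that polled source has already handed out */
    int notselectable; /* 1: poll with dispatch(); 0: wait in select() first */
};

/* Stand-in for pcap_dispatch(): deliver at most cnt packets that are ready.
 * Returns the number delivered, 0 if none is ready, -1 once the source is
 * exhausted (writer closed the pipe, or the polled device has no more). */
static int dispatch(struct source *s, int cnt)
{
    int n = 0;
    unsigned char buf[PKT_SIZE];

    if (s->fd >= 0) {
        while (n < cnt) {
            ssize_t r = read(s->fd, buf, sizeof buf);
            if (r == 0)                 /* EOF: the writer is gone */
                return n ? n : -1;
            if (r < 0)                  /* EAGAIN: drained for now */
                break;
            n++;
        }
        return n;
    }
    if (s->handed >= s->pending)
        return -1;
    while (n < cnt && s->handed < s->pending) {
        s->handed++;
        n++;
    }
    return n;
}

/* The capture loop. Returns packets processed until the source is exhausted,
 * or -1 (errno EBADF) when the source is marked selectable but has no
 * descriptor to select on: the misclassification this thread is chasing. */
static int get_packets(struct source *s)
{
    int total = 0;
    const struct timespec nap = { 0, 1000000 }; /* 1 ms between empty polls */

    if (!s->notselectable && s->fd < 0) {
        errno = EBADF;
        return -1;
    }
    for (;;) {
        int n;
        if (!s->notselectable) {
            fd_set rd;
            struct timeval tv = { 0, 200000 }; /* wake every 200 ms regardless */
            int rc;
            FD_ZERO(&rd);
            FD_SET(s->fd, &rd);
            rc = select(s->fd + 1, &rd, NULL, NULL, &tv);
            if (rc < 0 && errno == EINTR)
                continue;
            if (rc < 0)
                return -1;
            if (rc == 0)                /* timeout: housekeeping goes here */
                continue;
        }
        n = dispatch(s, 16);
        if (n < 0)
            break;
        if (n == 0 && s->notselectable)
            nanosleep(&nap, NULL);      /* keeps a quiet device from spinning us */
        total += n;
    }
    return total;
}

/* Selectable source: n packets written into a pipe, then the writer closes. */
int demo_selectable(int n)
{
    int p[2], got;
    unsigned char pkt[PKT_SIZE] = { 0 };
    struct source s;

    if (pipe(p) < 0)
        return -1;
    for (int i = 0; i < n; i++)
        if (write(p[1], pkt, sizeof pkt) != (ssize_t)sizeof pkt)
            return -1;
    close(p[1]);
    fcntl(p[0], F_SETFL, fcntl(p[0], F_GETFL) | O_NONBLOCK);
    s.fd = p[0]; s.pending = 0; s.handed = 0; s.notselectable = 0;
    got = get_packets(&s);
    close(p[0]);
    return got;
}

/* Non-selectable source handled correctly: notselectable = 1, so it is polled. */
int demo_polled(int n)
{
    struct source s = { -1, n, 0, 1 };
    return get_packets(&s);
}

/* Non-selectable source wrongly believed selectable: no descriptor, but
 * notselectable = 0. Expect -1 rather than a loop that never sees a packet. */
int demo_misclassified(int n)
{
    struct source s = { -1, n, 0, 0 };
    return get_packets(&s);
}

int main(void)
{
    int rc;
    printf("selectable:    %d packets\n", demo_selectable(5));
    printf("polled:        %d packets\n", demo_polled(7));
    rc = demo_misclassified(7);
    printf("misclassified: %d (%s)\n", rc, rc < 0 ? "refused, EBADF" : "ok");
    return 0;
}
```

Build with `cc -o capture capture.c` and run. The misclassified case is the one to keep in mind while reading the quoted replies below: a handle that a daemon routes through select() although pcap_get_selectable_fd() would return -1 for it never delivers anything, which is why the HAVE_PCAP_GET_SELECTABLE_FD define and the notselectable flag are the first things to check.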
On Apr 2, 2014, at 10:26 AM, Reynolds, Jeffrey <JReynolds at utdallas.edu> wrote:
> Carter,
>
> Thanks for your response. The #define line is in
> ./include/argus_config.h, line 192. I made the modification you
> suggested, and still no data is being written. For sanity's sake, here is
> the change I made:
>
> #Old File
> 3750:#if !defined(CYGWIN)
> 3751:#if defined(ARGUS_PLURIBUS)
> 3752:int notselectable = 1;
> 3753:#else
> 3754:int notselectable = 0;
> 3755:#endif
> 3756:#endif
>
>
> #New File
> 3750:#if !defined(CYGWIN)
> 3751:#if defined(ARGUS_PLURIBUS)
> 3752:int notselectable = 1;
> 3753:#else
> 3754:int notselectable = 1;
> 3755:#endif
> 3756:#endif
>
>
>
> Checking the output in /var/log/messages, it seems the change made dna0
> not selectable:
>
> Apr 2 02:42:20 argus argus[5749]: 02 Apr 14 02:42:20.613894
> ArgusGetInterfaceStatus: interface dna0 is up
> Apr 2 02:42:20 argus argus[5749]: argus[5749.00f725094c7f0000]: 02 Apr 14
> 02:42:20.614645 ArgusGetPackets: interface dna0 is not selectable
> Apr 2 02:42:20 argus argus[5749]: argus[5749.00f725094c7f0000]: 02 Apr 14
> 02:42:20.614675 setArgusInterfaceStatus(0x7f4c095fe010, 1)
> Apr 2 02:42:20 argus argus[5749]: argus[5749.00f725094c7f0000]: 02 Apr 14
> 02:42:20.614829 ArgusUpdateTime (0x7f4c092e1010) global time
> 1396424540.614715 update 1396424540.814715 returning 1
> Apr 2 02:42:20 argus argus[5749]: argus[5749.00f725094c7f0000]: 02 Apr 14
> 02:42:20.614854 ArgusPushFrontList (0xa0f090, 0xa0f020, 1) returning 0x1677
> Apr 2 02:42:20 argus argus[5749]: argus[5749.00f725094c7f0000]: 02 Apr 14
> 02:42:20.615672 ArgusUpdateTime (0x7f4c092e1010) not time
> Apr 2 02:42:20 argus argus[5749]: argus[5749.00f725094c7f0000]: 02 Apr 14
> 02:42:20.615809 ArgusUpdateTime (0x7f4c092e1010) not time
> Apr 2 02:42:20 argus argus[5749]: argus[5749.00f725094c7f0000]: 02 Apr 14
> 02:42:20.615940 ArgusUpdateTime (0x7f4c092e1010) not time
> Apr 2 02:42:20 argus argus[5749]: argus[5749.00f725094c7f0000]: 02 Apr 14
> 02:42:20.616070 ArgusUpdateTime (0x7f4c092e1010) not time
> Apr 2 02:42:20 argus argus[5749]: argus[5749.00f725094c7f0000]: 02 Apr 14
> 02:42:20.616200 ArgusUpdateTime (0x7f4c092e1010) not time
> Apr 2 02:42:20 argus argus[5749]: argus[5749.00f725094c7f0000]: 02 Apr 14
> 02:42:20.616313 ArgusUpdateTime (0x7f4c092e1010) not time
> Apr 2 02:42:20 argus argus[5749]: argus[5749.00f725094c7f0000]: 02 Apr 14
> 02:42:20.616443 ArgusUpdateTime (0x7f4c092e1010) not time
> Apr 2 02:42:20 argus argus[5749]: argus[5749.00f725094c7f0000]: 02 Apr 14
> 02:42:20.616572 ArgusUpdateTime (0x7f4c092e1010) not time
> Apr 2 02:42:20 argus argus[5749]: argus[5749.00f725094c7f0000]: 02 Apr 14
> 02:42:20.616705 ArgusUpdateTime (0x7f4c092e1010) not time
> Apr 2 02:42:20 argus argus[5749]: argus[5749.00f725094c7f0000]: 02 Apr 14
> 02:42:20.616834 ArgusUpdateTime (0x7f4c092e1010) not time
> Apr 2 02:42:20 argus argus[5749]: argus[5749.00f725094c7f0000]: 02 Apr 14
> 02:42:20.616963 ArgusUpdateTime (0x7f4c092e1010) not time
> Apr 2 02:42:20 argus argus[5749]: argus[5749.00f725094c7f0000]: 02 Apr 14
> 02:42:20.617092 ArgusUpdateTime (0x7f4c092e1010) not time
>
>
> What follows are a ton of the ArgusUpdateTime lines, interspersed with:
>
> Apr 2 02:42:20 argus rsyslogd-2177: imuxsock begins to drop messages from
> pid 5749 due to rate-limiting
> Apr 2 02:42:26 argus rsyslogd-2177: imuxsock lost 43018 messages from pid
> 5749 due to rate-limiting
>
>
> And stuff like:
>
> Apr 2 02:42:32 argus argus[5749]: argus[5749.0097400a4c7f0000]: 02 Apr 14
> 02:42:32.000755 ArgusOutputProcess() checking out clients
> Apr 2 02:42:32 argus argus[5749]: argus[5749.0097400a4c7f0000]: 02 Apr 14
> 02:42:32.000772 ArgusOutputProcess() done with clients
> Apr 2 02:42:32 argus argus[5749]: argus[5749.0097400a4c7f0000]: 02 Apr 14
> 02:42:32.000790 ArgusOutputProcess() looping
> Apr 2 02:42:32 argus argus[5749]: argus[5749.0097400a4c7f0000]: 02 Apr 14
> 02:42:32.000805 ArgusOutputProcess() waiting for input list
>
>
> Or:
>
> Apr 2 02:42:50 argus argus[5749]: argus[5749.00f725094c7f0000]: 02 Apr 14
> 02:42:50.014918 ArgusUpdateTime (0x7f4c092e1010) global time
> 1396424570.014812 update 1396424570.214715 returning 1
> Apr 2 02:42:50 argus argus[5749]: argus[5749.00f725094c7f0000]: 02 Apr 14
> 02:42:50.014938 ArgusPushFrontList (0xa0f090, 0xa0f020, 1) returning 0x1677
>
>
> Let me know if it might be helpful to get the entire log and I can send it
> to you.
>
> Jeff
>
>
>
>
> On 4/2/14, 5:45 AM, "Carter Bullard" <carter at qosient.com> wrote:
>
>> Hey Jeffrey,
>> Embedded in your debug list is the statement:
>>
>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31 Mar 14
>> 02:13:45.757200 ArgusGetPackets: interface dna0 is selectable
>>
>> and I suspect that it is not. Just curious, do you have this line
>> in your argus ./include/argus_config.h file ??
>>
>> #define HAVE_PCAP_GET_SELECTABLE_FD 1
>>
>> To get past this in the short term, just hard code the selectable
>> status variable in the routine ArgusGetPackets on line 3754. Here
>> is a diff:
>>
>> diff ArgusSource.c ArgusSource.c.new
>> 3756c3756
>> < int notselectable = 0;
>> ---
>>> int notselectable = 1;
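Review bot: the header `3756c3756` and the prose ("on line 3754") disagree about which line this changes; Jeff's listing in his reply puts `int notselectable = 0;` at 3754, in the `#else` arm of the `#if defined(ARGUS_PLURIBUS)` block, so the hunk is really `3754c3754`. It is also worth saying out loud that this forces notselectable = 1 for every build, not only the Pluribus one, so it is a diagnostic to confirm that the select() path is what loses the packets rather than a fix; the durable change is for the selectable test itself (HAVE_PCAP_GET_SELECTABLE_FD and pcap_get_selectable_fd) to report dna0 correctly.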
>>
>>
>> And let's see how that goes.
>>
>> Carter
>>
>>
>> On Apr 1, 2014, at 3:38 PM, Reynolds, Jeffrey <JReynolds at utdallas.edu>
>> wrote:
>>
>>> Carter,
>>>
>>> Not sure if you got my other message but I’ll send it here as well. I
>>> looked at the log info and I found the following out:
>>>
>>> From STDOUT / STDERR:
>>>
>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.708823 ArgusCalloc (1,
>>> 525016) returning 0x7f1ddfd42010
>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709007
>>> ArgusNewModeler()
>>> returning 0x7f1ddfd42010
>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709036 ArgusCalloc (1,
>>> 4237776) returning 0x7f1dde6f4010
>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709055
>>> ArgusNewSource(0x7f1ddfd42010) returning 0x7f1dde6f4010
>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709073 ArgusCalloc (1,
>>> 336) returning 0x15340f0
>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709087 ArgusCalloc (1,
>>> 152) returning 0x1534b60
>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709098 ArgusNewQueue ()
>>> returning 0x1534b60
>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709110 ArgusCalloc (1,
>>> 152) returning 0x1534c00
>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709121 ArgusNewList ()
>>> returning 0x1534c00
>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709131 ArgusCalloc (1,
>>> 152) returning 0x1534ca0
>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709141 ArgusNewList ()
>>> returning 0x1534ca0
>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709150 ArgusNewOutput()
>>> returning retn 0x15340f0
>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709171
>>> setArgusMarReportInterval(60) returning
>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709252
>>> clearArgusDevice(0x7f1dde6f4010) returning
>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709270 ArgusCalloc (1,
>>> 152) returning 0x1534f80
>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709284 ArgusNewList ()
>>> returning 0x1534f80
>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709303 ArgusCalloc (1,
>>> 64) returning 0x1535020
>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709317
>>> ArgusPushFrontList
>>> (0x1534f80, 0x1535020, 1) returning 0xa20
>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709331
>>> setArgusDevice(dna0) returning
>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709345 ArgusDeleteList
>>> ((nil), 2) returning
>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709356 ArgusCalloc (1,
>>> 152) returning 0x1535090
>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709366 ArgusNewList ()
>>> returning 0x1535090
>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709376 ArgusCalloc (1,
>>> 24) returning 0x1534250
>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709386
>>> ArgusPushFrontList
>>> (0x1535090, 0x1534250, 1) returning 0xa20
>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709403
>>> setArgusMarReportInterval(60) returning
>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709440
>>> ArgusParseResourceFile (/etc/argus.conf) returning
>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709469 ArgusFree
>>> (0x1535020)
>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709480
>>> clearArgusDevice(0x7f1dde6f4010) returning
>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709493 ArgusCalloc (1,
>>> 64) returning 0x1535020
>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709503
>>> ArgusPushFrontList
>>> (0x1534f80, 0x1535020, 1) returning 0xa20
>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709514
>>> setArgusDevice(dna0 ) returning
>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709526 ArgusDeleteList
>>> (0x1535090, 2) 1 items on list
>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709537 ArgusFree
>>> (0x1534250)
>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709549 ArgusFree
>>> (0x1535090)
>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709559 ArgusDeleteList
>>> (0x1535090, 2) returning
>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709569 ArgusCalloc (1,
>>> 152) returning 0x1535090
>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709579 ArgusNewList ()
>>> returning 0x1535090
>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709588 ArgusCalloc (1,
>>> 24) returning 0x1534250
>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709598
>>> ArgusPushFrontList
>>> (0x1535090, 0x1534250, 1) returning 0xa20
>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709609
>>> setArgusInterfaceStatus(0x7f1dde6f4010, 1)
>>>
>>>
>>>
>>> Here is output from /var/log/messages:
>>>
>>> Mar 31 02:13:45 argus argus[2593]: 31 Mar 14 02:13:45.709952 started
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.710271 ArgusCalloc (1, 592056) returning 0x7f1ddfcb1010
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.725031 ArgusCalloc (1, 128) returning 0x15de1d0
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.725074 getArgusID(0x7f1dde6f4010) done
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.725094 getArgusIDType(0x7f1dde6f4010) done
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.725113 ArgusGenerateInitialMar() returning
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.725132 ArgusCalloc (1, 168) returning 0x15de260
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.725447 ArgusCalloc (1, 262256) returning 0x7f1ddfc70010
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.725472 ArgusCalloc (1, 152) returning 0x15de310
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.725489 ArgusNewList () returning 0x15de310
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.725506 ArgusNewSocket (4) returning 0x7f1ddfc70010
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.725548 ArgusPushBackList (0x1535090, 0x1534250, 1) returning 1
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.725567 ArgusDeleteList (0x1535090, 2) 1 items on list
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.725581 ArgusFree (0x1534250)
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.725597 ArgusFree (0x1535090)
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.725610 ArgusDeleteList (0x1535090, 2) returning
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.725714 ArgusInitOutput() done
>>> Mar 31 02:13:45 argus argus[2593]: 31 Mar 14 02:13:45.725789 started
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.725794 ArgusOutputProcess(0x15340f0) starting
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.725923 ArgusOutputProcess() looping
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.725941 ArgusOutputProcess() waiting for input list
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.725807 ArgusCreatePIDFile(/var/run, argus) pidpath is /var/run
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.726043 ArgusPushFrontList (0x1534f80, 0x1535020, 1) returning
>>> 0xa21
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.726063 getArgusDevice(0x7f1dde6f4010) returning dna0
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.726606 ArgusCreatePIDFile(/var/run, argus) returning
>>> /var/run/argus.dna0.0.pid
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.726651 ArgusCalloc (1, 4237776) returning 0x7f1ddd6da010
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.726670 ArgusCalloc (1, 152) returning 0x1535090
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.726684 ArgusNewList () returning 0x1535090
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.726704 ArgusCloneSource(0x7f1dde6f4010) returning
>>> 0x7f1ddd6da010
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.726733 clearArgusDevice(0x7f1ddd6da010) returning
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.726757 ArgusPushBackList (0x1535090, 0x1535020, 1) returning 1
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.747151 ArgusOpenInterface() pcap_open_live(dna0) returned
>>> 0x15de4f0
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.754761 Arguslookup_pcap_callback(1) returning 0x412896
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.754790 ArgusOpenInterface(0x7f1ddd6da010, 'dna0') returning 1
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.754807 ArgusPushBackList (0x1535090, 0x1535020, 1) returning 1
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.754945 ArgusCalloc (1, 525016) returning 0x7f1ddd3bd010
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.755740 ArgusCalloc (1, 64) returning 0x15e1800
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.755778 ArgusCalloc (65536, 8) returning 0x7f1ddd33c010
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.755793 ArgusNewHashTable (65536) returning 0x15e1800
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.755807 ArgusCalloc (1, 104) returning 0x15e1850
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.755820 ArgusCalloc (1, 152) returning 0x15e18c0
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.755834 ArgusNewQueue () returning 0x15e18c0
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.755847 ArgusCalloc (1, 152) returning 0x15e1960
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.755859 ArgusNewQueue () returning 0x15e1960
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.755871 ArgusCalloc (1, 112) returning 0x15e1a00
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.755934 ArgusCalloc (1, 40) returning 0x15e1a80
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.755958 ArgusCalloc (1, 80) returning 0x15e1ab0
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.755982 ArgusCalloc (1, 1096) returning 0x15e1b10
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.756011 ArgusCalloc (1, 1096) returning 0x15e1f60
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.756038 ArgusCalloc (1, 1096) returning 0x15e23b0
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.756066 ArgusCalloc (1, 1096) returning 0x15e2800
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.756094 ArgusCalloc (1, 1096) returning 0x15e2c50
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.756113 ArgusCalloc (1, 1096) returning 0x15e30a0
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.756126 ArgusCalloc (1, 1096) returning 0x15e34f0
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.756146 ArgusCalloc (1, 1096) returning 0x15e3940
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.756167 ArgusCalloc (1, 1096) returning 0x15e3d90
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.756195 ArgusCalloc (1, 1096) returning 0x15e41e0
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.756219 ArgusCalloc (1, 1096) returning 0x15e4630
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.756243 ArgusCalloc (1, 1096) returning 0x15e4a80
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.756276 ArgusCalloc (1, 1096) returning 0x15e4ed0
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.756301 ArgusCalloc (1, 1096) returning 0x15e5320
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.756319 ArgusCalloc (1, 1096) returning 0x15e5770
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.756334 ArgusCalloc (1, 1096) returning 0x15e5bc0
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.756358 ArgusCalloc (1, 1096) returning 0x15e6010
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.756384 ArgusCalloc (1, 1096) returning 0x15e6460
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.756412 ArgusCalloc (1, 1096) returning 0x15e68b0
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.756427 ArgusCalloc (1, 1096) returning 0x15e6d00
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.756447 ArgusInitMallocList (1048) returning
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.756469 ArgusInitModeler(0x7f1ddd3bd010) done
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.756501 ArgusInitSource(0x7f1ddd6da010) returning 1
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.756655 ArgusGetPackets (0x7f1ddd6da010) starting
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.756747 ArgusPushFrontList (0x1535090, 0x1535020, 1) returning
>>> 0xa23
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.756810 setArgusInterfaceStatus(0x7f1ddd6da010, 1)
>>> Mar 31 02:13:45 argus argus[2593]: 31 Mar 14 02:13:45.756854
>>> ArgusGetInterfaceStatus: interface dna0 is up
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.757200 ArgusGetPackets: interface dna0 is selectable
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.757233 setArgusInterfaceStatus(0x7f1ddd6da010, 1)
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.826041 ArgusOutputStatusTime(0x15340f0) done
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.826082 ArgusOutputProcess() checking out clients
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.826097 ArgusOutputProcess() done with clients
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.826110 ArgusOutputProcess() looping
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.826122 ArgusOutputProcess() waiting for input list
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.926225 ArgusOutputStatusTime(0x15340f0) done
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.926264 ArgusOutputProcess() checking out clients
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.926279 ArgusOutputProcess() done with clients
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.926292 ArgusOutputProcess() looping
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.926305 ArgusOutputProcess() waiting for input list
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.957631 ArgusUpdateTime (0x7f1ddd3bd010) global time
>>> 1396250025.957628 update 1396250026.157628 returning 1
>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31 Mar
>>> 14
>>> 02:13:45.957676 ArgusPushFrontList (0x1535090, 0x1535020, 1) returning
>>> 0xa23
>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:46.026405 ArgusOutputStatusTime(0x15340f0) done
>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:46.026445 ArgusOutputProcess() checking out clients
>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:46.026460 ArgusOutputProcess() done with clients
>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:46.026472 ArgusOutputProcess() looping
>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:46.026485 ArgusOutputProcess() waiting for input list
>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:46.126605 ArgusOutputStatusTime(0x15340f0) done
>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:46.126644 ArgusOutputProcess() checking out clients
>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:46.126659 ArgusOutputProcess() done with clients
>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:46.126671 ArgusOutputProcess() looping
>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:46.126684 ArgusOutputProcess() waiting for input list
>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31 Mar
>>> 14
>>> 02:13:46.158386 ArgusUpdateTime (0x7f1ddd3bd010) global time
>>> 1396250026.158385 update 1396250026.357628 returning 1
>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31 Mar
>>> 14
>>> 02:13:46.158427 ArgusPushFrontList (0x1535090, 0x1535020, 1) returning
>>> 0xa23
>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:46.226786 ArgusOutputStatusTime(0x15340f0) done
>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:46.226825 ArgusOutputProcess() checking out clients
>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:46.226843 ArgusOutputProcess() done with clients
>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:46.226862 ArgusOutputProcess() looping
>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:46.226896 ArgusOutputProcess() waiting for input list
>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:46.327003 ArgusOutputStatusTime(0x15340f0) done
>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:46.327042 ArgusOutputProcess() checking out clients
>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:46.327056 ArgusOutputProcess() done with clients
>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:46.327069 ArgusOutputProcess() looping
>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:46.327081 ArgusOutputProcess() waiting for input list
>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31 Mar
>>> 14
>>> 02:13:46.359104 ArgusUpdateTime (0x7f1ddd3bd010) global time
>>> 1396250026.359103 update 1396250026.557628 returning 1
>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31 Mar
>>> 14
>>> 02:13:46.359145 ArgusPushFrontList (0x1535090, 0x1535020, 1) returning
>>> 0xa23
>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:46.427189 ArgusOutputStatusTime(0x15340f0) done
>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:46.427229 ArgusOutputProcess() checking out clients
>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:46.427243 ArgusOutputProcess() done with clients
>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:46.427256 ArgusOutputProcess() looping
>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:46.427268 ArgusOutputProcess() waiting for input list
>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:46.527381 ArgusOutputStatusTime(0x15340f0) done
>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:46.527420 ArgusOutputProcess() checking out clients
>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:46.527434 ArgusOutputProcess() done with clients
>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:46.527447 ArgusOutputProcess() looping
>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:46.527459 ArgusOutputProcess() waiting for input list
>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31 Mar
>>> 14
>>> 02:13:46.559826 ArgusUpdateTime (0x7f1ddd3bd010) global time
>>> 1396250026.559825 update 1396250026.757628 returning 1
>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31 Mar
>>> 14
>>> 02:13:46.559880 ArgusPushFrontList (0x1535090, 0x1535020, 1) returning
>>> 0xa23
>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:46.627571 ArgusOutputStatusTime(0x15340f0) done
>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:46.627610 ArgusOutputProcess() checking out clients
>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:46.627625 ArgusOutputProcess() done with clients
>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:46.627638 ArgusOutputProcess() looping
>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:46.627652 ArgusOutputProcess() waiting for input list
>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:46.727765 ArgusOutputStatusTime(0x15340f0) done
>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:46.727804 ArgusOutputProcess() checking out clients
>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:46.727819 ArgusOutputProcess() done with clients
>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:46.727836 ArgusOutputProcess() looping
>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:46.727849 ArgusOutputProcess() waiting for input list
>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31 Mar
>>> 14
>>> 02:13:46.760559 ArgusUpdateTime (0x7f1ddd3bd010) global time
>>> 1396250026.760557 update 1396250026.957628 returning 1
>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31 Mar
>>> 14
>>> 02:13:46.760600 ArgusPushFrontList (0x1535090, 0x1535020, 1) returning
>>> 0xa23
>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:46.827946 ArgusOutputStatusTime(0x15340f0) done
>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:46.827985 ArgusOutputProcess() checking out clients
>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:46.828000 ArgusOutputProcess() done with clients
>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:46.828013 ArgusOutputProcess() looping
>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:46.828026 ArgusOutputProcess() waiting for input list
>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:46.928138 ArgusOutputStatusTime(0x15340f0) done
>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:46.928177 ArgusOutputProcess() checking out clients
>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:46.928192 ArgusOutputProcess() done with clients
>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:46.928205 ArgusOutputProcess() looping
>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:46.928217 ArgusOutputProcess() waiting for input list
>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31 Mar
>>> 14
>>> 02:13:46.961354 ArgusUpdateTime (0x7f1ddd3bd010) global time
>>> 1396250026.961353 update 1396250027.157628 returning 1
>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31 Mar
>>> 14
>>> 02:13:46.961398 ArgusPushFrontList (0x1535090, 0x1535020, 1) returning
>>> 0xa23
>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:47.028316 ArgusOutputStatusTime(0x15340f0) done
>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:47.028355 ArgusOutputProcess() checking out clients
>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:47.028370 ArgusOutputProcess() done with clients
>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:47.028383 ArgusOutputProcess() looping
>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:47.028395 ArgusOutputProcess() waiting for input list
>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:47.128499 ArgusOutputStatusTime(0x15340f0) done
>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:47.128538 ArgusOutputProcess() checking out clients
>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:47.128553 ArgusOutputProcess() done with clients
>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:47.128568 ArgusOutputProcess() looping
>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:47.128580 ArgusOutputProcess() waiting for input list
>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31 Mar
>>> 14
>>> 02:13:47.162074 ArgusUpdateTime (0x7f1ddd3bd010) global time
>>> 1396250027.162073 update 1396250027.357628 returning 1
>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31 Mar
>>> 14
>>> 02:13:47.162115 ArgusPushFrontList (0x1535090, 0x1535020, 1) returning
>>> 0xa23
>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:47.228679 ArgusOutputStatusTime(0x15340f0) done
>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:47.228718 ArgusOutputProcess() checking out clients
>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:47.228737 ArgusOutputProcess() done with clients
>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:47.228750 ArgusOutputProcess() looping
>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:47.228762 ArgusOutputProcess() waiting for input list
>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:47.328888 ArgusOutputStatusTime(0x15340f0) done
>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:47.328927 ArgusOutputProcess() checking out clients
>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:47.328942 ArgusOutputProcess() done with clients
>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:47.328955 ArgusOutputProcess() looping
>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:47.328968 ArgusOutputProcess() waiting for input list
>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31 Mar
>>> 14
>>> 02:13:47.362797 ArgusUpdateTime (0x7f1ddd3bd010) global time
>>> 1396250027.362795 update 1396250027.557628 returning 1
>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31 Mar
>>> 14
>>> 02:13:47.362837 ArgusPushFrontList (0x1535090, 0x1535020, 1) returning
>>> 0xa23
>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:47.429068 ArgusOutputStatusTime(0x15340f0) done
>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:47.429107 ArgusOutputProcess() checking out clients
>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:47.429122 ArgusOutputProcess() done with clients
>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:47.429135 ArgusOutputProcess() looping
>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:47.429147 ArgusOutputProcess() waiting for input list
>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:47.529254 ArgusOutputStatusTime(0x15340f0) done
>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:47.529293 ArgusOutputProcess() checking out clients
>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:47.529307 ArgusOutputProcess() done with clients
>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:47.529320 ArgusOutputProcess() looping
>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:47.529333 ArgusOutputProcess() waiting for input list
>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31 Mar
>>> 14
>>> 02:13:47.563527 ArgusUpdateTime (0x7f1ddd3bd010) global time
>>> 1396250027.563526 update 1396250027.757628 returning 1
>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31 Mar
>>> 14
>>> 02:13:47.563569 ArgusPushFrontList (0x1535090, 0x1535020, 1) returning
>>> 0xa23
>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:47.629436 ArgusOutputStatusTime(0x15340f0) done
>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:47.629475 ArgusOutputProcess() checking out clients
>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:47.629489 ArgusOutputProcess() done with clients
>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:47.629502 ArgusOutputProcess() looping
>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:47.629515 ArgusOutputProcess() waiting for input list
>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:47.729622 ArgusOutputStatusTime(0x15340f0) done
>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:47.729662 ArgusOutputProcess() checking out clients
>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:47.729676 ArgusOutputProcess() done with clients
>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:47.729689 ArgusOutputProcess() looping
>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:47.729702 ArgusOutputProcess() waiting for input list
>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31 Mar
>>> 14
>>> 02:13:47.764263 ArgusUpdateTime (0x7f1ddd3bd010) global time
>>> 1396250027.764262 update 1396250027.957628 returning 1
>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31 Mar
>>> 14
>>> 02:13:47.764304 ArgusPushFrontList (0x1535090, 0x1535020, 1) returning
>>> 0xa23
>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:47.829810 ArgusOutputStatusTime(0x15340f0) done
>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:47.829849 ArgusOutputProcess() checking out clients
>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:47.829863 ArgusOutputProcess() done with clients
>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31 Mar
>>> 14
>>> 02:13:47.829890 ArgusOutputProcess() looping
>>> Mar 31 02:13:47 argus rsyslogd-2177: imuxsock begins to drop messages
>>> from
>>> pid 2593 due to rate-limiting
>>> Mar 31 02:13:51 argus rsyslogd-2177: imuxsock lost 188 messages from pid
>>> 2593 due to rate-limiting
>>>
>>>
>>>
>>> Then everything after “ArgusGetPackets: interface dna0 is selectable”
>>> repeats over and over again.
>>>
>>> Not sure if this confirms or refutes your previous statement.
>>>
>>> -Jeff
>>>
>>> On 3/30/14, 12:14 PM, "Carter Bullard" <carter at qosient.com> wrote:
>>>
>>>> Jeffrey,
>>>> Did you create the .debug file in the argus home directory ?? This
>>>> turns
>>>> on
>>>> debug information generation. If you didn’t do this then:
>>>>
>>>> % touch .debug
>>>> % ./configure;make clean;make
>>>>
>>>> Seems like a lot of ARGUS_CAPTURE_DATA_LEN ?? I would recommend
>>>> something like 128, or 256 ???
>>>>
>>>> I suspect that the PF_RING stuff doesn’t work with select(), and we’re
>>>> sitting
>>>> on a select() waiting to be notified that a packet is available to
>>>> read.
>>>> Your
>>>> debug information should tell us if it thinks the interface is
>>>> selectable
>>>> or not.
>>>>
>>>> Carter
>>>>
>>>> On Mar 30, 2014, at 12:45 PM, Reynolds, Jeffrey
>>>> <JReynolds at utdallas.edu>
>>>> wrote:
>>>>
>>>>> Ok, I’ve recompiled 3.0.7.5 from unmodified source. I’m running with
>>>>> the
>>>>> following config file options:
>>>>>
>>>>> ARGUS_FLOW_TYPE="Bidirectional"
>>>>> ARGUS_FLOW_KEY="CLASSIC_5_TUPLE"
>>>>> ARGUS_DAEMON=yes
>>>>> ARGUS_INTERFACE=dna0
>>>>> ARGUS_OUTPUT_FILE=/var/data/argus-out
>>>>> ARGUS_SET_PID=yes
>>>>> ARGUS_PID_PATH="/var/run"
>>>>> ARGUS_FLOW_STATUS_INTERVAL=5
>>>>> ARGUS_MAR_STATUS_INTERVAL=60
>>>>> ARGUS_DEBUG_LEVEL=8
>>>>> ARGUS_GENERATE_RESPONSE_TIME_DATA=yes
>>>>> ARGUS_GENERATE_MAC_DATA=yes
>>>>> ARGUS_CAPTURE_DATA_LEN=1500
>>>>>
>>>>>
>>>>> After running:
>>>>>
>>>>> argus -F argus.conf
>>>>>
>>>>> I’m still getting 128 byte argus-out files, but I’m not seeing any
>>>>> debug
>>>>> information. However, /var/log/messages now shows the interface
>>>>> coming
>>>>> up
>>>>> more in line with the what I’d expect:
>>>>>
>>>>> Mar 30 05:21:29 argus argus[31395]: 30 Mar 14 05:21:29.114830 started
>>>>> Mar 30 05:21:29 argus argus[31395]: 30 Mar 14 05:21:29.130717 started
>>>>> Mar 30 05:21:29 argus argus[31395]: 30 Mar 14 05:21:29.156439
>>>>> ArgusGetInterfaceStatus: interface dna0 is up
>>>>> Mar 30 05:21:46 argus argus[31395]: 30 Mar 14 05:21:46.418902 stopped
>>>>>
>>>>>
>>>>> I checked ifconfig, and it claims that dna0 is running in PROMISC
>>>>> mode.
>>>>> It’s strange that I’m not seeing any debug info at the command line
>>>>> or in /var/log/messages. I’ve tried specifying it in the config file
>>>>> and at the command line, but I haven’t seen any additional output.
>>>>> Perhaps I didn’t
>>>>> have one of the dependencies installed when I ran the configure
>>>>> script,
>>>>> and something isn’t working properly? Also, I see that libpcap can be
>>>>> recompiled with PF_Ring support. Maybe I’ve missed something obvious
>>>>> here, but as Argus seems to depend on libpcap, do I need to recompile
>>>>> it
>>>>> with PF_Ring capabilities?
>>>>>
>>>>> -Jeff
>>>>>
>>>>> On 3/29/14, 10:00 AM, "Carter Bullard" <carter at qosient.com> wrote:
>>>>>
>>>>>> Hey Jeffrey,
>>>>>> Sorry for the delayed response... and thanks Craig for taking the
>>>>>> thread
>>>>>> !!! The 128 byte records are management records, which are
>>>>>> basically
>>>>>> keep alive like status messages for down stream readers of data.
>>>>>> They
>>>>>> indicate that the sensor is alive.
>>>>>>
>>>>>> But you definitely aren't getting any packets from the interfaces.
>>>>>> You
>>>>>> shouldn't need to modify the source for this to work. I'm pretty
>>>>>> sure
>>>>>> Craig doesn't modify his. So with a standard release, run argus the
>>>>>> way
>>>>>> you think you should with the -D8 option, so we can see what is up
>>>>>> for
>>>>>> 5-10 seconds or so, and send the output to the list.
>>>>>>
>>>>>> We should see a statement that the interface is up. We need to get
>>>>>> that
>>>>>> far before we'll try to read packets.
>>>>>>
>>>>>> Carter
>>>>>>
>>>>>>
>>>>>>> On Mar 28, 2014, at 3:42 PM, "Reynolds, Jeffrey"
>>>>>>> <JReynolds at utdallas.edu> wrote:
>>>>>>>
>>>>>>> Ok, I’m almost sure there are issues with Argus and the code I’ve
>>>>>>> modified. To rehash, I’ve grabbed argus-3.0.7.5 and I’ve
>>>>>>> changed the following line in argus/ArgusSource.c
>>>>>>>
>>>>>>> 4331
>>>>>>>
>>>>>>> - if ((strstr(device->name, "dag")) || (strstr(device->name,
>>>>>>> "napa"))) {
>>>>>>>
>>>>>>> + if (strstr(device->name, "dag") || strstr(device->name, "nap") ||
>>>>>>> strstr(device->name, "dna") || (strstr(device->name, "eth") &&
>>>>>>> strstr(device->name, "@"))) {
>>>>>>>
>>>>>>> I¹ve also tried:
>>>>>>>
>>>>>>> + if ((strstr(device->name, "dag")) || (strstr(device->name,
>>>>>>> "nap"))
>>>>>>> ||
>>>>>>> (strstr(device->name, "dna")) || (strstr(device->name, "eth") &&
>>>>>>> strstr(device->name, "@"))) {
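Review bot: the extra parentheses around each strstr() call in this second variant do not change evaluation, so it is the same predicate as the first one above; in both, strstr(device->name, "dna") already matches a device named dna0, so the identical 128 byte result from the two builds is what one would expect, and the difference between the two variants cannot be what decides whether dna0 is accepted.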
>>>>>>>
>>>>>>>
>>>>>>> as I wasn’t sure if the strstr statements had to be enclosed in
>>>>>>> their own set of parens. Anyway, in both instances, I’ll try to run
>>>>>>> Argus and wind up with a 128 byte file. For example:
>>>>>>>
>>>>>>> $ argus -i dna0 -w /var/data/argus-out -s 1500
>>>>>>> (wait about 20 seconds)
>>>>>>> $ ls -l /var/data
>>>>>>> -rw-r--r--. 1 argus argus 128 Mar 28 07:46 argus-out
>>>>>>>
>>>>>>> When I run with the vanilla drivers, and my interface is not “dna0”
>>>>>>> but “em1”, then I get better results.
>>>>>>>
>>>>>>> # rmmod ixgbe
>>>>>>> # modprobe ixgbe #pulling from /lib/modules/`uname -r`
>>>>>>>
>>>>>>> $ rm argus-out
>>>>>>> rm: remove regular file `argus-out'? y
>>>>>>> $ argus -i em1 -w /var/data/argus-out -s 1500
>>>>>>> (wait about 20 seconds)
>>>>>>> $ ls -l /var/data
>>>>>>> -rw-r--r--. 1 argus argus 2392260 Mar 28 07:46 argus-out
>>>>>>>
>>>>>>>
>>>>>>> The real kicker seems to be in /var/log/messages. When running
>>>>>>> argus
>>>>>>> on
>>>>>>> em1 with the original ixgbe driver, I get the following output in
>>>>>>> /var/log/messages:
>>>>>>>
>>>>>>>
>>>>>>> Mar 28 05:14:52 argus argus[23142]: 28 Mar 14 05:14:52.865660
>>>>>>> started
>>>>>>> Mar 28 05:14:52 argus argus[23142]: 28 Mar 14 05:14:52.882755
>>>>>>> started
>>>>>>> Mar 28 05:14:52 argus kernel: device em1 entered promiscuous mode
>>>>>>> Mar 28 05:14:52 argus argus[23142]: 28 Mar 14 05:14:52.932220
>>>>>>> ArgusGetInterfaceStatus: interface em1 is up
>>>>>>> Mar 28 05:15:18 argus argus[23142]: 28 Mar 14 05:15:18.812342
>>>>>>> stopped
>>>>>>>
>>>>>>>
>>>>>>> However, when running with the DNA driver, the output is as follows:
>>>>>>>
>>>>>>> Mar 28 08:33:16 argus argus[23915]: 28 Mar 14 08:33:16.967530
>>>>>>> started
>>>>>>> Mar 28 08:33:16 argus argus[23915]: 28 Mar 14 08:33:16.985055
>>>>>>> started
>>>>>>> Mar 28 08:33:50 argus argus[23915]: 28 Mar 14 08:33:50.667199
>>>>>>> stopped
>>>>>>>
>>>>>>>
>>>>>>> Now the interface is in promiscuous mode, I can see the change in
>>>>>>> received
>>>>>>> packets rising considerably by just running ifconfig a few times. I
>>>>>>> think
>>>>>>> that for whatever reason, the function in Argus that outputs the
>>>>>>> “ArgusGetInterfaceStatus” line isn’t correctly interpreting dna0 as
>>>>>>> an appropriate interface.
>>>>>>>
>>>>>>> Does any of this sound remotely possible?
>>>>>>>
>>>>>>> -Jeff
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> On 3/27/14, 7:23 PM, "Craig Merchant" <cmerchant at responsys.com>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>> Hey, Jeffrey...
>>>>>>>>
>>>>>>>> The configuration questions for the pf_ring and ixgbe drivers may
>>>>>>>> be
>>>>>>>> better answered on the ntop forums... But I'll do my best. Here
>>>>>>>> is
>>>>>>>> how
>>>>>>>> I load the drivers:
>>>>>>>>
>>>>>>>> insmod /lib/modules/2.6.32-220.el6.x86_64/updates/pf_ring.ko
>>>>>>>> /sbin/modprobe ixgbe MQ=0,0 RSS=1,1 num_rx_slots=32768
>>>>>>>>
>>>>>>>> ifconfig dna0 up promisc
>>>>>>>> ethtool -K dna0 tso off
>>>>>>>> ethtool -K dna0 gro off
>>>>>>>> ethtool -K dna0 lro off
>>>>>>>> ethtool -K dna0 gso off
>>>>>>>> ethtool -G dna0 tx 32768
>>>>>>>> ethtool -G dna0 rx 32768
>>>>>>>>
>>>>>>>> One thing I'm not clear on from your config is why you are using
>>>>>>>> pfdnacluster_master at all... That daemon is designed to split up
>>>>>>>> flows
>>>>>>>> and/or make copies of them to distribute to other applications. I
>>>>>>>> don't
>>>>>>>> think it's meant to aggregate two interfaces into one stream.
>>>>>>>> Normally
>>>>>>>> it's run with a -n parameter to tell it how many queues you want
>>>>>>>> traffic
>>>>>>>> divided up into. We use:
>>>>>>>>
>>>>>>>> pfdnacluster_master -d -c 10 -n 28,1 -m 0 -i dna0
>>>>>>>>
>>>>>>>> In this case, -n says "divide up one copy of the traffic into 28
>>>>>>>> queues"
>>>>>>>> and "create one copy of all the traffic on the last queue". The
>>>>>>>> apps
>>>>>>>> accessing the first 28 queues (Snort) would connect to
>>>>>>>> dnacluster:10@0 - dnacluster:10@27. Argus connects to
>>>>>>>> dnacluster:10@28 and would see a copy of all of the traffic.
>>>>>>>>
>>>>>>>> If all you are looking to do is combine traffic from two interfaces
>>>>>>>> into
>>>>>>>> one, why not just run argus with -i dna0,dna1?
>>>>>>>>
>>>>>>>> For testing, I would try the following to see where you might be
>>>>>>>> having
>>>>>>>> problems:
>>>>>>>>
>>>>>>>> pfcount -i dna0
>>>>>>>> pfcount -i dna1
>>>>>>>> pfcount -i dna0,dna1
>>>>>>>> pfcount -i dnacluster:10
>>>>>>>> pfcount -i dnacluster:10@0
>>>>>>>>
>>>>>>>> Let me know if that helps...
>>>>>>>>
>>>>>>>> Craig
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: Reynolds, Jeffrey [mailto:JReynolds at utdallas.edu]
>>>>>>>> Sent: Thursday, March 27, 2014 3:18 PM
>>>>>>>> To: Craig Merchant; Carter Bullard
>>>>>>>> Cc: Argus
>>>>>>>> Subject: Re: [ARGUS] Multi-Instanced Argus
>>>>>>>>
>>>>>>>> So I understand this is from a while ago, but here is what I have.
>>>>>>>> Craig, maybe you can show me how I'm doing it wrong.
>>>>>>>>
>>>>>>>> I finally got PF_Ring and libzero licensed correctly so that
>>>>>>>> pfdnacluster
>>>>>>>> isn't limited to 5 minutes of capture. I downloaded the Argus
>>>>>>>> source,
>>>>>>>> installed the dependencies, and compiled after making the change
>>>>>>>> you
>>>>>>>> noted below. However, I don't seem to be properly attaching argus
>>>>>>>> to
>>>>>>>> my
>>>>>>>> devices to allow it to capture. I have a feeling it's something to
>>>>>>>> do
>>>>>>>> with my PF_Ring or dna-ixgbe conf files. We have two interfaces to
>>>>>>>> monitor, which I've previously combined into one by using
>>>>>>>> pfdnacluster_master. However, it looks like I can't get Argus to
>>>>>>>> hook
>>>>>>>> into that or a single dna interface. Anyway, after make
>>>>>>>> installing,
>>>>>>>> I
>>>>>>>> run the following command with the following result:
>>>>>>>>
>>>>>>>> #pfdnacluster_master -i dna0,dna1 -c 10
>>>>>>>> #argus -i dnacluster:10 -s 1500 -w /var/data/argus-out
>>>>>>>>
>>>>>>>> My /var/log/messages says that the specified interface doesn't
>>>>>>>> exist,
>>>>>>>> which I kind of expected.
>>>>>>>> So I tried this (without pfdnacluster running):
>>>>>>>>
>>>>>>>> #argus -i dna0 -s 1500 -w /var/data/argus-out
>>>>>>>>
>>>>>>>> This time argus appears to have started, but my output file is not
>>>>>>>> growing (it initially starts at 128 bytes and increases by that same
>>>>>>>> amount every 30 seconds or so).
>>>>>>>>
>>>>>>>> In case this happens to be the parameters I'm loading with my
>>>>>>>> kernel
>>>>>>>> modules, here they are:
>>>>>>>>
>>>>>>>> pf_ring.ko transparenet_mode=2
>>>>>>>> (I've also tried 0, with similar results)
>>>>>>>> ixgbe.ko RSS=1,1,1,1
>>>>>>>> (I wasn't seeing all of the traffic from my interfaces with the
>>>>>>>> default config, the ntop folks recommended this, I need to dig further
>>>>>>>> into the docs to learn more about these parameters).
>>>>>>>>
>>>>>>>> To answer your original question, I'm only monitoring about ~2Gbps,
>>>>>>>> significantly less than you are. I'm not sure if what I've noticed
>>>>>>>> would
>>>>>>>> be considered "gaps", but we do see exchanges where the server
>>>>>>>> appears
>>>>>>>> to
>>>>>>>> initiate conversations by sending a response to a client, which the
>>>>>>>> client doesn't appear to have requested. I'm guessing the missing
>>>>>>>> request
>>>>>>>> was most likely a packet that didn't get captured.
>>>>>>>>
>>>>>>>> Any configuration suggestions would be much appreciated.
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>>
>>>>>>>> Jeff
>>>>>>>>
>>>>>>>>
>>>>>>>> From: Craig Merchant <cmerchant at responsys.com>
>>>>>>>> Date: Wednesday, March 12, 2014 at 6:39 PM
>>>>>>>> To: Carter Bullard <carter at qosient.com>, Jeff Reynolds <jjr140030 at utdallas.edu>
>>>>>>>> Cc: Argus <argus-info at lists.andrew.cmu.edu>
>>>>>>>> Subject: RE: [ARGUS] Multi-Instanced Argus
>>>>>>>>
>>>>>>>> We're running Argus and Snort on PF_RING's DNA/Libzero drivers. We
>>>>>>>> decided to use Libzero because the standard DNA drivers limit the
>>>>>>>> number
>>>>>>>> of memory "queues" containing network traffic to 16. Each queue
>>>>>>>> can
>>>>>>>> only
>>>>>>>> be accessed by a single process and our sensors have 32 cores, so
>>>>>>>> we
>>>>>>>> wouldn't be able to run the maximum number of Snort instances
>>>>>>>> without
>>>>>>>> it.
>>>>>>>>
>>>>>>>> We use the pfdnacluster_master app to spread flows across 28 queues
>>>>>>>> for
>>>>>>>> snort and also maintain a copy of all flows in a queue for Argus.
>>>>>>>>
>>>>>>>> To get it to work, all I had to do was make a slight edit to
>>>>>>>> ArgusSource.c so that Argus would recognize DNA/Libzero queues as a
>>>>>>>> valid
>>>>>>>> interface.
>>>>>>>>
>>>>>>>> Somewhere around line 4191 (for argus 3.0.7):
>>>>>>>>
>>>>>>>>
>>>>>>>> - if ((strstr(device->name, "dag")) || (strstr(device->name,
>>>>>>>> "napa"))) {
>>>>>>>>
>>>>>>>> + if (strstr(device->name, "dag") || strstr(device->name, "nap") ||
>>>>>>>> + strstr(device->name, "dna") || (strstr(device->name, "eth") &&
>>>>>>>> + strstr(device->name, "@"))) {
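Review bot: two things in this condition deserve a comment on the line, since the hunk gives none. First, "nap" replaces "napa", which widens the match to any interface name containing that substring rather than just the napa devices the old test named. Second, "eth" is accepted only together with "@" (the && is evidently written for PF_RING-style names that pair an eth device with a queue suffix), so plain ethN devices keep their current path; a one-line comment naming the interface-name forms this branch is meant to catch would stop the grouping from being read as a bug, and the chain of strstr() calls is now long enough to be worth moving into a small named predicate.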
>>>>>>>>
>>>>>>>> Our data centers do around 4-8 Gbps 24/7. From what I recall,
>>>>>>>> there
>>>>>>>> is
>>>>>>>> (or was) a bug in PF_RING that caused Argus to run at 100% all of
>>>>>>>> the
>>>>>>>> time, but in my experience Argus wasn't having problems keeping up
>>>>>>>> with
>>>>>>>> our volume of data. We did see an unusually high number of flows
>>>>>>>> that
>>>>>>>> Argus couldn't determine the direction of, but we weren't seeing
>>>>>>>> gaps
>>>>>>>> in
>>>>>>>> the packets or anything else to suggest that Argus couldn't handle
>>>>>>>> the
>>>>>>>> volume.
>>>>>>>>
>>>>>>>> How much traffic are you sending at Argus? Have you tried
>>>>>>>> searching
>>>>>>>> your
>>>>>>>> Argus records for flows that have gaps in them? That would be a
>>>>>>>> pretty
>>>>>>>> good indicator that Argus may have trouble keeping up. Or that
>>>>>>>> your
>>>>>>>> SPAN
>>>>>>>> port can't handle the load...
>>>>>>>>
>>>>>>>> Thx.
>>>>>>>>
>>>>>>>> Craig
>>>>>>>>
>>>>>>>> From: argus-info-bounces+cmerchant=responsys.com at lists.andrew.cmu.edu On Behalf Of Carter Bullard
>>>>>>>> Sent: Wednesday, March 12, 2014 1:57 PM
>>>>>>>> To: Reynolds, Jeffrey
>>>>>>>> Cc: Argus
>>>>>>>> Subject: Re: [ARGUS] Multi-Instanced Argus
>>>>>>>>
>>>>>>>> Hey Jeffrey,
>>>>>>>> Good so far. This seems like the link for accelerating snort with
>>>>>>>> PF_RING DNA ??
>>>>>>>> http://www.ntop.org/pf_ring/accelerating-snort-with-pf_ring-dna/
>>>>>>>>
>>>>>>>> I'm interested in the symmetric RSS and if it works properly.
>>>>>>>> Are you running the PF_RING DNA DAQ ????
>>>>>>>>
>>>>>>>> It would seem that we'll have to modify argus to use this facility
>>>>>>>> ???
>>>>>>>>
>>>>>>>> Carter
>>>>>>>>
>>>>>>>> On Mar 12, 2014, at 3:26 PM, Reynolds, Jeffrey
>>>>>>>> <JReynolds at utdallas.edu> wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>> First, before we dive into it too deep, how is the performance
>>>>>>>> ??
>>>>>>>>
>>>>>>>> This actually seems like a great place to start. Before getting
>>>>>>>> too
>>>>>>>> heavy into PF_RING integration, maybe I should offer a bit of
>>>>>>>> backstory.
>>>>>>>> Our main goal is just to archive traffic. We have a server running
>>>>>>>> CentOS 6 that receives traffic from two SPAN ports. The only
>>>>>>>> thing
>>>>>>>> we
>>>>>>>> want to accomplish is to maintain a copy of that traffic for some
>>>>>>>> period
>>>>>>>> of time. Argus was used because it seemed to be the best tool for
>>>>>>>> the
>>>>>>>> price, and it comes with a lot of great features that while we may
>>>>>>>> not
>>>>>>>> use now, we may use later (again, for right now all we want is a
>>>>>>>> copy
>>>>>>>> of
>>>>>>>> the traffic to be able to perform forensics on).
>>>>>>>>
>>>>>>>> Now, I put up a single instance of Argus and pointed it at the
>>>>>>>> interface
>>>>>>>> that was the master of our two bonded physical NICs (eth0 and eth1
>>>>>>>> are
>>>>>>>> bonded to bond0). I let it run for an hour to get some preliminary
>>>>>>>> numbers. I ran a racount against my output file and got the
>>>>>>>> following
>>>>>>>> stats:
>>>>>>>>
>>>>>>>> racount -t 2014y3m12d05h -r argus-out
>>>>>>>> racount   records   total_pkts   src_pkts   dst_pkts   total_bytes   src_bytes   dst_bytes
>>>>>>>>   sum   14236180   187526800   98831765   88695035   212079839908   102889789820   109190050088
>>>>>>>>
>>>>>>>> However, the switch sending that traffic reported that
>>>>>>>> it
>>>>>>>> had
>>>>>>>> sent a total of 421,978,297 packets to both interfaces, and a
>>>>>>>> total
>>>>>>>> of
>>>>>>>> 371,307,051,815 bytes for that time frame. I could be interpreting
>>>>>>>> something incorrectly, so maybe the best first thing for me to
>>>>>>>> confirm
>>>>>>>> is
>>>>>>>> that we are in fact losing a lot of traffic. But it seems that a
>>>>>>>> single
>>>>>>>> argus instance can't keep up with the traffic. I've seen this
>>>>>>>> happen
>>>>>>>> with Snort, and our solution was to plug Snort into PF_RING to
>>>>>>>> allow
>>>>>>>> the
>>>>>>>> traffic to be intelligently forwarded via the Snort Data
>>>>>>>> Acquisition
>>>>>>>> Library (DAQ). From the perspective of someone who hasn't had a
>>>>>>>> lot
>>>>>>>> of
>>>>>>>> exposure to this level of hardware configuration, it was relatively
>>>>>>>> easy
>>>>>>>> to plug the configuration parameters in at the Snort command line
>>>>>>>> to
>>>>>>>> have
>>>>>>>> them all point at the same traffic source so that each individual
>>>>>>>> process
>>>>>>>> didn't run through the same traffic. My hope was that there might
>>>>>>>> just
>>>>>>>> be some parameters to set within the argus.conf file which would
>>>>>>>> tell
>>>>>>>> each process to pull from a single PF_RING source. However, it
>>>>>>>> looks
>>>>>>>> like this might not be as easy as I had once thought.
>>>>>>>>
>>>>>>>> Am I on the right track or does this make even a little sense?
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>>
>>>>>>>> Jeff
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> From: Carter Bullard <carter at qosient.com>
>>>>>>>> Date: Wednesday, March 12, 2014 at 9:54 AM
>>>>>>>> To: "Reynolds, Jeffrey" <JReynolds at utdallas.edu>
>>>>>>>> Cc: Argus <argus-info at lists.andrew.cmu.edu>
>>>>>>>> Subject: Re: [ARGUS] Multi-Instanced Argus
>>>>>>>>
>>>>>>>> Hey Jeffrey,
>>>>>>>> I am very interested in this approach, but I have no experience
>>>>>>>> with
>>>>>>>> this
>>>>>>>> PF_RING feature, so I'll have to give you the "design response".
>>>>>>>> Hopefully, we can get this to where it's doing exactly what anyone
>>>>>>>> would
>>>>>>>> want it to do, and get us a really fast argus, on the cheap.
>>>>>>>>
>>>>>>>> First, before we dive into it too deep, how is the performance
>>>>>>>> ??
>>>>>>>> Are
>>>>>>>> you getting bi-directional flows out of this scheme ?? Are you
>>>>>>>> seeing
>>>>>>>> all the traffic ??? If so, then congratulations !!! If the
>>>>>>>> performance
>>>>>>>> is good, you're seeing all the traffic, but you're only getting
>>>>>>>> uni-directional flows, then we may have some work to do, but still
>>>>>>>> congratulations !!! If you're not getting all the traffic then we
>>>>>>>> have
>>>>>>>> some real work to do, as one of the purposes of argus is to
>>>>>>>> monitor
>>>>>>>> all
>>>>>>>> the traffic.
>>>>>>>>
>>>>>>>> OK, so my understanding is that the PF_RING can do some packet
>>>>>>>> routing
>>>>>>>> to
>>>>>>>> a non-overlapping set of tap interfaces. Routing is based on some
>>>>>>>> classification scheme, designed to make this usable. The purpose
>>>>>>>> is
>>>>>>>> to
>>>>>>>> provide coarse grain parallelism for packet processing. The idea,
>>>>>>>> as
>>>>>>>> much as I can tell, is to prevent multiple readers from having to
>>>>>>>> read
>>>>>>>> from the same queue; eliminating locking issues, which kills
>>>>>>>> performance
>>>>>>>> etc...
>>>>>>>>
>>>>>>>> So, I'm not sure what you mean by "pulling from the same queue".
>>>>>>>> If
>>>>>>>> you
>>>>>>>> do have multiple argi reading the same packet, you will end up
>>>>>>>> counting a
>>>>>>>> single packet multiple times. Not a terrible thing, but not
>>>>>>>> recommended.
>>>>>>>> It's not that you're creating multiple observation domains using
>>>>>>>> this
>>>>>>>> PF_RING technique. You're really splitting a single packet
>>>>>>>> observation
>>>>>>>> domain into a multi-sensor facility ... eventually you will want to
>>>>>>>> combine the total argus output into a single output stream, that
>>>>>>>> represents the single packet observation domain. At least that is
>>>>>>>> my
>>>>>>>> thinking, and I would recommend that you use radium to connect to
>>>>>>>> all
>>>>>>>> of
>>>>>>>> your argus instances, rather than writing the argus output to a
>>>>>>>> set
>>>>>>>> of
>>>>>>>> files. Radium will generate a single argus data output stream,
>>>>>>>> representing the argus data from the single observation domain.
>>>>>>>>
>>>>>>>> The design issue of using the PF_RING function is "how is PF_RING
>>>>>>>> classifying packets to do the routing?".
>>>>>>>> We would like for it to send packets that belong to the same
>>>>>>>> bi-directional flow to the same virtual interface, so argus can do
>>>>>>>> its
>>>>>>>> bi-directional thing. PF_RING claims that you can provide your own
>>>>>>>> classifier logic, which we can do to make this happen. We have a
>>>>>>>> pretty
>>>>>>>> fast bidirectional hashing scheme which we can try out.
>>>>>>>>
>>>>>>>> We have a number of people that are using netmap instead of
>>>>>>>> PF_RING.
>>>>>>>> My
>>>>>>>> understanding is that it also has this same type of feature. If
>>>>>>>> we
>>>>>>>> can
>>>>>>>> get some people talking about that, that would help a bit.
>>>>>>>>
>>>>>>>> Carter
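A direction-independent ("symmetric") flow hash of the kind Carter describes for the PF_RING classifier, added here as an illustration and not argus's or PF_RING's own hashing code: both halves of a bidirectional flow get the same queue index, so an argus instance reading one queue (for example one of the 28 queues in the pfdnacluster_master layout discussed earlier) sees whole bidirectional flows. The names flow_key, make_key, symmetric_flow_hash and flow_queue, the FNV-1a mixing function and the addresses and ports are all constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Added illustration of a symmetric flow hash (not argus code): a->b and
 * b->a must land on the same queue so that each argus instance that reads
 * one queue sees complete bidirectional flows. */

struct flow_key {
    uint32_t saddr, daddr;  /* IPv4 addresses in host byte order */
    uint16_t sport, dport;
    uint8_t  proto;
};

/* FNV-1a over a byte buffer; any reasonable mixing function would do. */
static uint32_t fnv1a(const uint8_t *p, size_t n)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 16777619u;
    }
    return h;
}

static void put32(uint8_t *out, uint32_t v)
{
    out[0] = (uint8_t)(v >> 24); out[1] = (uint8_t)(v >> 16);
    out[2] = (uint8_t)(v >> 8);  out[3] = (uint8_t)v;
}

static void put16(uint8_t *out, uint16_t v)
{
    out[0] = (uint8_t)(v >> 8); out[1] = (uint8_t)v;
}

/* Serialise the key with the numerically smaller (addr, port) endpoint
 * first, so both directions of a flow produce identical bytes. */
static void canonical_bytes(const struct flow_key *k, uint8_t out[13])
{
    uint32_t a1 = k->saddr, a2 = k->daddr;
    uint16_t p1 = k->sport, p2 = k->dport;
    if (a1 > a2 || (a1 == a2 && p1 > p2)) {
        uint32_t ta = a1; a1 = a2; a2 = ta;
        uint16_t tp = p1; p1 = p2; p2 = tp;
    }
    put32(out, a1);
    put16(out + 4, p1);
    put32(out + 6, a2);
    put16(out + 10, p2);
    out[12] = k->proto;
}

uint32_t symmetric_flow_hash(const struct flow_key *k)
{
    uint8_t buf[13];
    canonical_bytes(k, buf);
    return fnv1a(buf, sizeof buf);
}

/* Queue index for a flow given nqueues per-instance queues (0 if none). */
unsigned flow_queue(const struct flow_key *k, unsigned nqueues)
{
    return nqueues ? symmetric_flow_hash(k) % nqueues : 0;
}

/* Build a key from dotted-quad strings; 0 on success, -1 on a bad address. */
int make_key(struct flow_key *k, const char *src, uint16_t sport,
             const char *dst, uint16_t dport, uint8_t proto)
{
    unsigned s[4], d[4];
    if (sscanf(src, "%u.%u.%u.%u", &s[0], &s[1], &s[2], &s[3]) != 4 ||
        sscanf(dst, "%u.%u.%u.%u", &d[0], &d[1], &d[2], &d[3]) != 4)
        return -1;
    for (int i = 0; i < 4; i++)
        if (s[i] > 255 || d[i] > 255)
            return -1;
    k->saddr = (s[0] << 24) | (s[1] << 16) | (s[2] << 8) | s[3];
    k->daddr = (d[0] << 24) | (d[1] << 16) | (d[2] << 8) | d[3];
    k->sport = sport;
    k->dport = dport;
    k->proto = proto;
    return 0;
}

int main(void)
{
    /* Constructed sample: one TCP exchange seen in both directions. */
    struct flow_key req, rsp;
    make_key(&req, "10.0.0.1", 40000, "192.168.1.10", 80, 6);
    make_key(&rsp, "192.168.1.10", 80, "10.0.0.1", 40000, 6);
    printf("request  -> queue %u\n", flow_queue(&req, 28));
    printf("response -> queue %u\n", flow_queue(&rsp, 28));
    return 0;
}
```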
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Mar 12, 2014, at 1:03 AM, Reynolds, Jeffrey
>>>>>>>> <JReynolds at utdallas.edu> wrote:
>>>>>>>>
>>>>>>>> Howdy All,
>>>>>>>>
>>>>>>>> So after forever and a day, I've finally found time to start working on
>>>>>>>> my multi-instanced argus configuration. Here is my setup:
>>>>>>>>
>>>>>>>> -CentOS 6.5 x64
>>>>>>>> -pfring driver compiled from source
>>>>>>>> -pfring capable Intel NICs (currently using the ixgbe driver version
>>>>>>>> 3.15.1-k) (these NICs are in a bonded configuration under a device named
>>>>>>>> bond0)
>>>>>>>>
>>>>>>>> I've configured my startup script to start 5 instances of Argus, each
>>>>>>>> with their own /etc/argusX.conf file (argus1.conf, argus2.conf, etc).
>>>>>>>> The start up script correctly assigns the proper pid file to each
>>>>>>>> instance, and everything starts and stops smoothly. Each instance is
>>>>>>>> writing an output file to /var/argus in the format of argusX.out. When I
>>>>>>>> first tried running my argus instances, I ran them with a version of
>>>>>>>> PF_RING I had installed from an RPM obtained from the ntop repo. Things
>>>>>>>> didn't seem to work correctly, so I tried again after I had compiled from
>>>>>>>> source. After compiling from source, I got the following output in
>>>>>>>> /var/log/messages when I started argus:
>>>>>>>>
>>>>>>>> Mar 11 17:48:16 argus kernel: No module found in object
>>>>>>>> Mar 11 17:49:16 argus kernel: [PF_RING] Welcome to PF_RING 5.6.3 ($Revision: 7358$)
>>>>>>>> Mar 11 17:49:16 argus kernel: (C) 2004-14 ntop.org
>>>>>>>> Mar 11 17:49:16 argus kernel: [PF_RING] registered /proc/net/pf_ring/
>>>>>>>> Mar 11 17:49:16 argus kernel: NET: Registered protocol family 27
>>>>>>>> Mar 11 17:49:16 argus kernel: [PF_RING] Min # ring slots 4096
>>>>>>>> Mar 11 17:49:16 argus kernel: [PF_RING] Slot version 15
>>>>>>>> Mar 11 17:49:16 argus kernel: [PF_RING] Capture TX Yes [RX+TX]
>>>>>>>> Mar 11 17:49:16 argus kernel: [PF_RING] Transparent Mode 0
>>>>>>>> Mar 11 17:49:16 argus kernel: [PF_RING] IP Defragment No
>>>>>>>> Mar 11 17:49:16 argus kernel: [PF_RING] Initialized correctly
>>>>>>>> Mar 11 17:49:35 argus kernel: Bluetooth: Core ver 2.15
>>>>>>>> Mar 11 17:49:35 argus kernel: NET: Registered protocol family 31
>>>>>>>> Mar 11 17:49:35 argus kernel: Bluetooth: HCI device and connection manager initialized
>>>>>>>> Mar 11 17:49:35 argus kernel: Bluetooth: HCI socket layer initialized
>>>>>>>> Mar 11 17:49:35 argus kernel: Netfilter messages via NETLINK v0.30.
>>>>>>>> Mar 11 17:49:35 argus argus[13918]: 11 Mar 14 17:49:35.643243 started
>>>>>>>> Mar 11 17:49:35 argus argus[13918]: 11 Mar 14 17:49:35.693930 started
>>>>>>>> Mar 11 17:49:35 argus kernel: device bond0 entered promiscuous mode
>>>>>>>> Mar 11 17:49:35 argus kernel: device em1 entered promiscuous mode
>>>>>>>> Mar 11 17:49:35 argus kernel: device em2 entered promiscuous mode
>>>>>>>> Mar 11 17:49:35 argus argus[13918]: 11 Mar 14 17:49:35.721490 ArgusGetInterfaceStatus: interface bond0 is up
>>>>>>>> Mar 11 17:49:36 argus argus[13922]: 11 Mar 14 17:49:36.349202 started
>>>>>>>> Mar 11 17:49:36 argus argus[13922]: 11 Mar 14 17:49:36.364625 started
>>>>>>>> Mar 11 17:49:36 argus argus[13922]: 11 Mar 14 17:49:36.383623 ArgusGetInterfaceStatus: interface bond0 is up
>>>>>>>> Mar 11 17:49:37 argus argus[13926]: 11 Mar 14 17:49:37.045224 started
>>>>>>>> Mar 11 17:49:37 argus argus[13926]: 11 Mar 14 17:49:37.060689 started
>>>>>>>> Mar 11 17:49:37 argus argus[13926]: 11 Mar 14 17:49:37.079706 ArgusGetInterfaceStatus: interface bond0 is up
>>>>>>>> Mar 11 17:49:37 argus argus[13930]: 11 Mar 14 17:49:37.753278 started
>>>>>>>> Mar 11 17:49:37 argus argus[13930]: 11 Mar 14 17:49:37.768613 started
>>>>>>>> Mar 11 17:49:37 argus argus[13930]: 11 Mar 14 17:49:37.785691 ArgusGetInterfaceStatus: interface bond0 is up
>>>>>>>> Mar 11 17:49:38 argus argus[13934]: 11 Mar 14 17:49:38.449229 started
>>>>>>>> Mar 11 17:49:38 argus argus[13934]: 11 Mar 14 17:49:38.466365 started
>>>>>>>> Mar 11 17:49:38 argus argus[13934]: 11 Mar 14 17:49:38.485675 ArgusGetInterfaceStatus: interface bond0 is up
>>>>>>>>
>>>>>>>> Aside from the "No module found in object" error, everything seems like
>>>>>>>> it's working OK. The only problem is that I don't seem to have my argus
>>>>>>>> instances configured to pull traffic from the same queue. In other
>>>>>>>> words, I have five output files from five argus instances with like
>>>>>>>> traffic in all of them. I haven't made any changes to my argus config
>>>>>>>> files, aside from telling them to write to different locations and the
>>>>>>>> name of the interface. I know I'm missing something but I'm not quite
>>>>>>>> sure what it is. If someone might be able to tell me how to configure
>>>>>>>> these five instances to pull from the same PF_RING queue, I'd be mighty
>>>>>>>> obliged. Let me know if I need to submit any additional information.
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>>
>>>>>>>> Jeff Reynolds
>>>>>>>
>>>>>>>
>>>>>
>>>>
>>
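The design issue Carter raises in the quoted thread is that whatever splits bond0 across the five argus instances must send both directions of a flow to the same virtual interface, otherwise each argus sees only half of every conversation and cannot build bi-directional records. The following is an added example, not argus, radium or PF_RING code, showing the property a symmetric classifier needs: the two endpoints are ordered canonically before hashing, so the request and the reply serialise to the same bytes. It assumes IPv4 only, uses 32-bit FNV-1a as a stand-in mixing function (the real classifier's hash is not on the page), and the addresses, ports and the five-queue count are constructed sample values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One direction of an IPv4 flow as seen on the wire (host byte order). */
struct flow_key {
    uint32_t saddr, daddr;
    uint16_t sport, dport;   /* 0 for protocols without ports (ICMP, ...) */
    uint8_t  proto;          /* 6 = TCP, 17 = UDP, ... */
};

/* 32-bit FNV-1a: a stand-in for whatever mixing function a real
 * classifier uses; only the canonical ordering below matters for symmetry. */
static uint32_t fnv1a32(const uint8_t *p, size_t n)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 16777619u;
    }
    return h;
}

/* Serialise a tuple into a fixed 13-byte buffer, so struct padding never
 * leaks into the hash. Byte order is the host's, which is consistent
 * within one process and is all this example needs. */
static void pack_tuple(uint8_t out[13], uint32_t a1, uint16_t p1,
                       uint32_t a2, uint16_t p2, uint8_t proto)
{
    memcpy(out, &a1, 4);
    memcpy(out + 4, &p1, 2);
    memcpy(out + 6, &a2, 4);
    memcpy(out + 10, &p2, 2);
    out[12] = proto;
}

/* Naive hash: hashes the tuple exactly as the packet carries it, so the
 * reply direction of a flow generally lands on a different queue. */
uint32_t flow_hash_naive(const struct flow_key *k)
{
    uint8_t buf[13];
    pack_tuple(buf, k->saddr, k->sport, k->daddr, k->dport, k->proto);
    return fnv1a32(buf, sizeof buf);
}

/* Symmetric hash: order the two (address, port) endpoints canonically
 * first, so A:a->B:b and B:b->A:a hash identically. */
uint32_t flow_hash_symmetric(const struct flow_key *k)
{
    int src_first = (k->saddr < k->daddr) ||
                    (k->saddr == k->daddr && k->sport <= k->dport);
    uint8_t buf[13];
    if (src_first)
        pack_tuple(buf, k->saddr, k->sport, k->daddr, k->dport, k->proto);
    else
        pack_tuple(buf, k->daddr, k->dport, k->saddr, k->sport, k->proto);
    return fnv1a32(buf, sizeof buf);
}

/* Map a packet to one of nqueues virtual interfaces (argus instances). */
unsigned flow_queue(const struct flow_key *k, unsigned nqueues)
{
    return flow_hash_symmetric(k) % nqueues;
}

unsigned flow_queue_naive(const struct flow_key *k, unsigned nqueues)
{
    return flow_hash_naive(k) % nqueues;
}

/* Build the reverse direction of a flow key (the reply packets). */
struct flow_key flow_reverse(const struct flow_key *k)
{
    struct flow_key r = { k->daddr, k->saddr, k->dport, k->sport, k->proto };
    return r;
}

int main(void)
{
    /* Constructed sample: client 10.0.0.5:40001 talking to 192.0.2.10:443 over TCP. */
    struct flow_key fwd = { 0x0A000005u, 0xC000020Au, 40001, 443, 6 };
    struct flow_key rev = flow_reverse(&fwd);
    unsigned n = 5;   /* five argus instances, as in the quoted setup */

    printf("naive     : request -> queue %u, reply -> queue %u\n",
           flow_queue_naive(&fwd, n), flow_queue_naive(&rev, n));
    printf("symmetric : request -> queue %u, reply -> queue %u\n",
           flow_queue(&fwd, n), flow_queue(&rev, n));
    return 0;
}
```

Two caveats a practitioner would want before relying on this in a sensor: non-first IP fragments carry no transport header, so a classifier that hashes ports will scatter them unless fragments are reassembled first (the quoted kernel log shows PF_RING loaded with "IP Defragment No"), and the same canonical ordering must be applied to IPv6 addresses if the link carries them. The hash value itself is only as good as its distribution across the queues, so check the per-instance packet counts after deployment rather than assuming an even split.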