Multi-Instanced Argus
Craig Merchant
cmerchant at responsys.com
Thu Apr 17 13:13:54 EDT 2014
I think Carter was right that the "&&" was a typo. I was having weird character translation issues when copying and pasting stuff from Putty into Word... Sorry for the confusion!
Craig
-----Original Message-----
From: Reynolds, Jeffrey [mailto:JReynolds at utdallas.edu]
Sent: Thursday, April 17, 2014 9:48 AM
To: JReynolds at utdallas.edu; Carter Bullard
Cc: Craig Merchant; Argus
Subject: Re: [ARGUS] Multi-Instanced Argus
Actually, never mind. Just went back nd checked to see that Craig's
change was effectually A || B || (C && D). So kinda back to quare one
with that.
Jeff
On 4/17/14, 11:45 AM, "Reynolds, Jeffrey" <jjr140030 at utdallas.edu> wrote
>The problem is still stuck at not being able to see any packets from the
>DNA interface.
>
>ith the oriinal source, I get deug output stating that the interface is
>selectable, as well as the output sent
>
>When I run with the ource code modification suggested by Craig, (which
>hasn't been run in debug mode yet, /var/log/messages fails to report that
>the interface is being put into promiscuous mode. This in and of itsef
>doesn't seem like it would necessarily be a big thing,as the interfaces
>are already in PROMISC according to fconfig, but still no packets get
>aptured.
>
>When I run with the source code modification where I har code the
>"notselectable" variale, the output comes back that the interface is not
>selectable, and still n packets.
>
>I have yet to run with the mod that you just sent, bu it might be awhile
>before I have time to really try that out. I'm a little hesitant to put a
>lot of fith in it though, as the conditional to
>.
>actually, what would the order of operations b there?
>
>With (A || B || C && D), would that be true with conditions A, B, or CD;
>or would that betrue with conditions AD, BD, or CD? If the latter is
>correct, then the original mod might have been eactly what I needed, with
>just a little logic tweak. I'll check it out later.
>
>Jeff
>
>On 4/14/14, 11:29 AM, "Carter Bullard" <carter at qosient.com> wrote:
>
>>Hey Jeff,
>>So where are we on this problem ???
>>Its pretty clear thatyou aren't getting any packets.
>>
>>The modification that you tried to the source wasn't good logic,
>>with the"&&", it should be a "||", of course.
>>
>>4331
>>
>>- if ((strstr(device->name, "dag")) || (strstr(device->name, "napa"))) {
>>
>>+ if (strstr(device->name, "dag") || strstr(device->name, "nap") |
>>strstr(device->name, "dna") || (strstr(device->name, "eth") &&
>>strstr(device->nae, "@"))) {
>>
>>should be
>>
>>+ if (strstr(device->name, "dag") || strstr(device->name, "nap") ||
>strstr(device->name, "da") || (strstr(device->name, "eth") ||
>>strstr(device->name, "@"))) {
>>
>>Still having problems ???
>>
>>Carter
>>
>>On Apr 2, 2014, at 10:26 M, Reynolds, Jeffrey <JReynolds at utallas.edu>
>>wrote:
>>
>>> Carter,
>>>
>>> Thanks fr your response. The #define line is in
>>> ./include/argus_config.h, line 192. I made he modification you
>>> suggested, and stillo data is being writte. For sanity's sake, here
>>>is
>>> the change I made:
>>>
>>> #Old File
>>> 3750:#if !defined(CGWIN)
>> 3751:#if defined(ARGUS_PLURIBUS)
>>> 3752:int notselectable = 1;
>>> 3753:#else
>>> 3754:in notselectable = 0;
>>> 3755:#endif
>>> 3756:#endif
>>>
>>>
>>> #New File
>>> 3750:#if !defined(CYGWIN)
>>>
>>> 371:#if defined(ARGUS_PLURIBUS)
>>> 3752:int notslectable = 1;
>>> 3753:#else
>>> 3754:int notselectable = 1;
>>> 3755:#endif
>>> 3756:#endi
>>
>>>
>>>
>>> Checking the output in /var/log/messages, it seems the change made dna0
>>> not elctable
>>>
>>> Apr 2 02:42:20 argus argus[5749]: 02 Apr 14 02:42:20.613894
>>> ArgusGetInterfceStatus: interface dna0 is up
>>> Apr 2 02:42:20argus argus[5749]: argus[5749.00f725094c7f0000]: 02 Apr
>>>14
>>> 02:42:20.614645 ArgusGetPackets: interfae dna0 is no selectable
>>> Apr 2 02:42:20 argus argus[5749]: argus[5749.00f7250947f0000]: 0 Apr
>>>14
>>> 02:42:20.61465 setArgusInterfaceStatus(0x7f4c095fe010, 1)
>>> Apr 2 02:42:20 argus agus[5749]:argus[5749.00f725094c7f0000]: 02 Apr
>>>14
>>> 02:42:20.614829 ArgusUpdateTime (x7f4c092e1010) global tim
>>> 1396424540.614715 update 1396424540.814715 returning 1
>>> pr 2 02:42:20 argus argus[5749]: argus[5749.00f725094c7f0000]: 02 Apr
>>>14
>>> 02:42:20.614854 AgusPushFrontList (0xa0f090, 0xa0f020, 1) returning
>>>0x1677
>> Apr 2 02:42:20 argus rgus[5749]: argus[5749.00f725094c7f0000]: 02 Apr
>>>14
>>> 02:42:20.615672 ArgusUpdateTime (0x7f4c092e110) not time
>>> Apr 2 02:42:20 argus argus[5749]: argus[5749.00f725094c7f0000]: 02 Apr
>>>14
>>> 02:42:20.615809 ArgusUpdateTime (0x7f4c092e1010) not time
>>> Apr 2 02:42:20 argus argus[5749]: args[5749.00f725094c7f0000]: 02 Apr
>>>14
>>> 02:42:20.615940 AgusUpdateTime (0x7f4c092e110) not time
>>> Apr 2 02:42:20 argus argus[5749]: argus[574900f725094c7f0000]: 02 Apr
>>>14
>> 02:42:20.616070 ArgusUpdateTime (0x7f4c092e1010) not time
>>> Apr 2 02:42:20 argus argus[5749]: argus5749.00f725094c7f0000]: 02 Apr
>>>14
>>> 02:42:20.616200 ArgusUpdateTime (07f4c092e1010) nt time
>>> Apr 2 02:42:20 argus argus[5749]: argus[5749.00f725094c7f0000]: 02 Apr
>>>1
>>> 02:42:20.616313 ArgusUpdateTime (0x7f4c092e1010) not time
>>> Apr 2 0242:20 argus argus[5749]: argus[5749.00f72594c7f0000]: 02 Apr
>>>14
>>> 02:42:20.616443 ArgusUpdateTime (0x7f4c092e1010) not time
>>> Apr 2 02:42:20 argus argus[5749]: argus[5749.00f725094c7f0000: 02 Apr
>>>14
>>> 02:42:20.616572 ArgusUpdateTime (0x7f4c092e1010) not time
>>> Apr 2 02:42:20 argus argus5749]: argus[5749.00f725094c7f0000]: 02 Apr
>>>14
>>> 02:42:20.616705 ArgusUpdateTime (0xf4c092e1010) not time
>>> Apr 2 02:42:20 argus argus[5749]: argus[5749.00f725094c7f0000]: 02 Apr
>>>14
>>> 02:4:20.616834 ArguspdateTime (0x7f4c092e1010) not time
>>> Apr 2 02:42:20 argus argus[5749]: argus[5749.00f725094c7f0000]:02 Apr
>>>14
>>> 02:42:20.66963 ArgusUpdateTime (0x7f4c092e1010) not time
>>> Apr 2 02:4:20 argus argus[5749]: argus5749.00f725094c7f0000]: 02 Apr
>>>14
>>> 02:42:20.617092 ArgusUpdateTime (0x7f4c092e1010) not time
>>>
>>>
>>> What follows are a ton of the ArgusUpdaeTime lines, interspersed with:
>>>
>>> Apr 2 02:42:20 argus rsysogd-2177: imuxsock begins to drop messas
>>>from
>>> pid 5749 due to rate-limiting
>>> Apr 2 02:42:26 argus rsyslogd-277: imuxsock lost 43018 messages from
>>>pid
>>> 5749 due to rate-limiting
>>>
>>>
>>> And stuff like:
>>>
>>> Apr 2 02:42:32 argus argus[5749]: argus[5749.0097400a4c7f0000]: 02 Apr
>>>14
>>> 02:42:32.000755 ArgusOutputProcss() checking out clients
>>> Apr 2 02:42:32 argus argus[5749]: argus[5749.0097400a4c7f0000]: 02 Apr
>>>14
>>> 02:42:32.000772 ArgusOutputProcess() done with clients
>>> Apr 2 02:42:32 argus argus[5749]: argus[5749.0097400a4c7f0000: 02 Apr
>>>14
>>> 02:42:32.000790 ArgsOutputProcess() looping
>>> Apr 2 02:42:32 argus argus[5749]: agus[5749.0097400a4c7f0000]: 02 Apr
>>>14
>>> 02:42:32.000805 ArgusOutputProcess() waiting for input list
>>>
>>>
>>> Or:
>>>
>>> Apr 2 02:42:50 argus argus[5749]: argus[5749.00f725094c7f0000]:02 Apr
>>>14
>>> 02:42:50.014918 ArgusUpdateTime (0x7f4c092e1010) global time
>>> 13962457.014812 update 1396424570.214715 returning 1
>>> Apr 2 02:42:50 argus argus[5749]: argus[5749.00f725094c7f0000]: 02 Apr
>>>14
>>> 0242:50.014938 ArguPushFrontList (0xa0f090, 0xa0f020, 1) returning
>>>0x1677
>>>
>>>
>>> Let me know if it miht be helpfl to get the entire log and I can send
>>>it
>>> to you.
>>>
>>> Jeff
>>>
>>
>>>
>>>
>>> On 4/2/14, 5:45 AM, "Carter Bullar" <carter at qosient.com> wrote:
>>> >>>> Hey Jeffrey,
>>>> Embedded in your debug list is the statement:
>>>>
>>>> Mar 31 02:13:45 args argus[2593]: argus[2593.00b733dd1d7f0000]: 31
>>>>Mar 14
>>>> 02:13:45.757200 ArgusGetPackets: interface dn0 is selectable
>>>>
>>>> and I suspect that it is not. Just curous, do you have this line
>>>> in your argus ./include/argus_config.h file ??
>>>>
>>>> #deine HAVE_PCAP_GET_SELECTABLE_FD 1
>>>> >>>> To get past this in the short term, just hard cde the selectable
>>>> status variable in the routineArgusGetPackets on line 3754. Here
>>>> is a diff:
>>>>
>>>> diff ArgusSource.c ArgusSource.c.new
>>>> 3756c3756
>>> < int notselectable = 0;
>>>> ---
>>>>> int otselectable = 1;
>>>>
>>>>
>>>> And ets see how that goes.
>>>>
>>>> Carter
>>>>
>>>>
>>> On Apr 1, 2014, at 3:38 PM, Reynolds, Jeffrey <Reynolds at utdallas.edu>
>>>> wrote:
>>>>
>>>>> Carter,
>>>>>
>>>>> Not sure if you got my other message ut I'll send it here as well. I
>>>>> looked at the log info nd I found the following out:
>>>>>
>>>> From STDOUT / STDERR:
>>>>>
>>>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 2:13:45.708823 ArgusCallc
>>>>>(1,
>>>>> 525016) returning 0x7f1ddfd42010
>>>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709007
>>>>> ArgusNewModeler()
>>>>> returning 0x7f1ddfd42010
>>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 0:13:45.709036 ArgusCalloc
>>>>>(1,
>>>>> 4237776)returning 0x7f1dde6f4010
>>>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709055
>>>>>ArgusNewSource(0x7f1ddfd42010) returning 0x7f1dde6f4010
>>>>> argus[2592.0047dcdf1d7f0000]: 1 Mar 14 02:13:45.709073 ArgusCalloc
>>>>>(1,
>>>>> 336) returning 0x15340f0
>>>>> argus[2592.0047dcdf1df0000]: 31 ar 14 02:13:45.709087 ArgusCalloc
>>>>>(1,
>>>>> 152) returning 0x1534b60
>>>>> argus[2592.0047dcdf1d7f0000: 31 Mar 14 02:13:45.709098 ArgusNewQueue
>>>>>()
>>>>> returning 0x1534b60
>>>>> argus[2592.0047dcdf1d70000]: 31 Mar 14 02:13:45.709110 ArgusCalloc
>>>>>(1,
>>>> 152) returning 0x1534c00
>>>>> rgus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709121 ArgusNewList
>>>>>()
>>>>> returnin 0x1534c00
>>>>> argus[2592.0047ddf1d7f0000]: 31 Mar 14 02:13:45.709131 ArgusCalloc
>>>>>(1
>>>>> 152) returning 0x1534ca0
>>>>> argus[292.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709141 ArgusNewLit
>>>>>()
>>>>> returning 0x1534ca0
>>>>> argus[2592.0047dcdf17f0000]: 31 Mar 14 02:13:45709150
>>>>>ArgusNewOutput()
>>>>> returning retn 0x15340f0
>>>>> argus[259.0047dcdf1d7f0000]: 31Mar 14 02:13:45.709171
>>>>> setArgusMarReportInterval(60) returnng
>>>>> argus[2592.047dcdf1d7f0000]: 31 Mar 14 02:13:45.709252
>>>>> clearArgusDevice(0x7f1dde6f4010) returning
>>>>> argus[2592.0047dcdf1d7f0000]: 31 Mr 14 02:13:45.709270 ArgusCalloc
>>>>>(1,
>>>>> 152) returning 0x1534f80
>>>>> argus[2592.007dcdf1d7f0000]: 31 Mar 14 02:13:45.709284 ArgusNewList
>>>>>()
>>>>> returning 0x1534f80
>>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709303 ArgusCalloc
>>>>>(1,
>>>>> 64) returning 0x1535020
>>>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.79317
>>>>> ArgusPushFrontList
>>>>> (0x1534f80, 0x1535020, 1) returning 0xa20
>>>>> argus[2592.0047dcd1d7f0000]: 31 Mar 14 02:13:45.709331
>>>>> setArgusDevice(dna0) returning
>>>>> argus[2592.0047dcdf1d7f000]: 31 Mar 14 02:13:45.709345
>>>>>ArgusDeleteList
>>>>> ((nil), 2) returning
>>>>> argus[2592.0047dcf1d7f0000]: 31 Mar 14 02:13:45.709356 ArgusCalloc
>>>>>(1,
>>>>> 152) returning 0x1535090
>>>>> argus[292.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709366 ArgusNewList
>>>>>()
>>>>> returning 0x1535090
>>>>> arus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709376 ArgusCalloc
>>>>>(1,
>>>>> 24) returning 0x1534250
>>>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709386
>>>> ArgusPushFrontList
>>>>> (0x1535090, 0x1534250, 1) returning 0xa20
>>>>> argus[2592.0047dcf1d7f0000]: 31 Mar 14 02:13:45.709403
>>>>> setArgusMarReportInterval(60) returning
>>>>> arus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709440
>>>>> ArgusParseResourceFile (/etc/argus.conf) returning
>>>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709469 ArgusFree
>>>>> (0x1535020)
>>>>> argu[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709480
>>>>> clearArgusDevice(0x7f1dde6f4010) returning
>>>>> agus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709493 ArgusCalloc
>>>>>(1,
>>>>> 64) returning 0x1535020>>>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709503
>>>>> ArgusPushFrontList
>>>> (0x1534f80, 0x1535020, 1) returning 0xa20
>>>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 2:13:45.709514
>>>>> setArgusDevice(dna0 ) returning
>>>>> argus[2592.0047dcdf1d7f0000]: 31 ar 14 02:13:45.709526
>>>>>ArgusDeleteList
>>>>> (0x1535090, 2) 1 items on list
>>>>> argus[2592.0047dcdfd7f0000]: 31 Mar 14 02:13:45.709537 ArgusFree
>>>>> (0x1534250)
>>>>> argus[2592.0047dcdfd7f0000]: 31 Mar 14 02:13:45.709549 ArgusFree
>>>>> (0x1535090)
>>>>> argus[2592.0047dcdf1d7f000]: 31 Mar 14 02:13:45.709559
>>>>>ArgusDeleteList
>>>>> (0x1535090, 2) returning
>>>>> argus[2592.047dcdf1d7f0000]: 31 Mar 14 02:13:45.709569 ArgusCalloc
>>>>>(1,
>>>>> 152) returning 0x1535090
>>>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709579 ArgusNewList
>>>>>()
>>>>> returning 0x1535090
>>>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709588 ArgusCalloc
>>>>>(1,
>>>>> 24) returning 0x1534250
>>>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709598
>>>>> ArgusPushFrontList
>>>>> (0x1535090, 0x1534250, 1) returning 0xa20
>>>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709609
>>>>> setArgusInterfaceStatus(0x7f1dde6f4010, 1)
>>>>>
>>>>>
>>>>>
>>>>> Here is output from /var/log/messages:
>>>>>
>>>>> Mar 31 02:13:45 argus argus[2593]: 31 Mar 14 02:13:45.709952 started
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.710271 ArgusCalloc (1, 592056) returning 0x7f1ddfcb1010
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.725031 ArgusCalloc (1, 128) returning 0x15de1d0
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.725074 getArgusID(0x7f1dde6f4010) done
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.725094 getArgusIDType(0x7f1dde6f4010) done
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.725113 ArgusGenerateInitialMar() returning
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.725132 ArgusCalloc (1, 168) returning 0x15de260
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.725447 ArgusCalloc (1, 262256) returning 0x7f1ddfc70010
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.725472 ArgusCalloc (1, 152) returning 0x15de310
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.725489 ArgusNewList () returning 0x15de310
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.725506 ArgusNewSocket (4) returning 0x7f1ddfc70010
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.725548 ArgusPushBackList (0x1535090, 0x1534250, 1) returning
>>>>>1
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.725567 ArgusDeleteList (0x1535090, 2) 1 items on list
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.725581 ArgusFree (0x1534250)
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.725597 ArgusFree (0x1535090)
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.725610 ArgusDeleteList (0x1535090, 2) returning
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.725714 ArgusInitOutput() done
>>>>> Mar 31 02:13:45 argus argus[2593]: 31 Mar 14 02:13:45.725789 started
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.725794 ArgusOutputProcess(0x15340f0) starting
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.725923 ArgusOutputProcess() looping
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.725941 ArgusOutputProcess() waiting for input list
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.725807 ArgusCreatePIDFile(/var/run, argus) pidpath is
>>>>>/var/run
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.726043 ArgusPushFrontList (0x1534f80, 0x1535020, 1)
>>>>>returning
>>>>> 0xa21
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.726063 getArgusDevice(0x7f1dde6f4010) returning dna0
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.726606 ArgusCreatePIDFile(/var/run, argus) returning
>>>>> /var/run/argus.dna0.0.pid
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.726651 ArgusCalloc (1, 4237776) returning 0x7f1ddd6da010
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.726670 ArgusCalloc (1, 152) returning 0x1535090
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.726684 ArgusNewList () returning 0x1535090
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.726704 ArgusCloneSource(0x7f1dde6f4010) returning
>>>>> 0x7f1ddd6da010
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.726733 clearArgusDevice(0x7f1ddd6da010) returning
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.726757 ArgusPushBackList (0x1535090, 0x1535020, 1) returning
>>>>>1
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.747151 ArgusOpenInterface() pcap_open_live(dna0) returned
>>>>> 0x15de4f0
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.754761 Arguslookup_pcap_callback(1) returning 0x412896
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.754790 ArgusOpenInterface(0x7f1ddd6da010, 'dna0') returning
>>>>>1
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.754807 ArgusPushBackList (0x1535090, 0x1535020, 1) returning
>>>>>1
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.754945 ArgusCalloc (1, 525016) returning 0x7f1ddd3bd010
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.755740 ArgusCalloc (1, 64) returning 0x15e1800
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.755778 ArgusCalloc (65536, 8) returning 0x7f1ddd33c010
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.755793 ArgusNewHashTable (65536) returning 0x15e1800
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.755807 ArgusCalloc (1, 104) returning 0x15e1850
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.755820 ArgusCalloc (1, 152) returning 0x15e18c0
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.755834 ArgusNewQueue () returning 0x15e18c0
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.755847 ArgusCalloc (1, 152) returning 0x15e1960
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.755859 ArgusNewQueue () returning 0x15e1960
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.755871 ArgusCalloc (1, 112) returning 0x15e1a00
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.755934 ArgusCalloc (1, 40) returning 0x15e1a80
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.755958 ArgusCalloc (1, 80) returning 0x15e1ab0
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.755982 ArgusCalloc (1, 1096) returning 0x15e1b10
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.756011 ArgusCalloc (1, 1096) returning 0x15e1f60
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.756038 ArgusCalloc (1, 1096) returning 0x15e23b0
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.756066 ArgusCalloc (1, 1096) returning 0x15e2800
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.756094 ArgusCalloc (1, 1096) returning 0x15e2c50
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.756113 ArgusCalloc (1, 1096) returning 0x15e30a0
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.756126 ArgusCalloc (1, 1096) returning 0x15e34f0
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.756146 ArgusCalloc (1, 1096) returning 0x15e3940
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.756167 ArgusCalloc (1, 1096) returning 0x15e3d90
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.756195 ArgusCalloc (1, 1096) returning 0x15e41e0
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.756219 ArgusCalloc (1, 1096) returning 0x15e4630
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.756243 ArgusCalloc (1, 1096) returning 0x15e4a80
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.756276 ArgusCalloc (1, 1096) returning 0x15e4ed0
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.756301 ArgusCalloc (1, 1096) returning 0x15e5320
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.756319 ArgusCalloc (1, 1096) returning 0x15e5770
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.756334 ArgusCalloc (1, 1096) returning 0x15e5bc0
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.756358 ArgusCalloc (1, 1096) returning 0x15e6010
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.756384 ArgusCalloc (1, 1096) returning 0x15e6460
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.756412 ArgusCalloc (1, 1096) returning 0x15e68b0
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.756427 ArgusCalloc (1, 1096) returning 0x15e6d00
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.756447 ArgusInitMallocList (1048) returning
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.756469 ArgusInitModeler(0x7f1ddd3bd010) done
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.756501 ArgusInitSource(0x7f1ddd6da010) returning 1
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.756655 ArgusGetPackets (0x7f1ddd6da010) starting
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.756747 ArgusPushFrontList (0x1535090, 0x1535020, 1)
>>>>>returning
>>>>> 0xa23
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.756810 setArgusInterfaceStatus(0x7f1ddd6da010, 1)
>>>>> Mar 31 02:13:45 argus argus[2593]: 31 Mar 14 02:13:45.756854
>>>>> ArgusGetInterfaceStatus: interface dna0 is up
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.757200 ArgusGetPackets: interface dna0 is selectable
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.757233 setArgusInterfaceStatus(0x7f1ddd6da010, 1)
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.826041 ArgusOutputStatusTime(0x15340f0) done
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.826082 ArgusOutputProcess() checking out clients
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.826097 ArgusOutputProcess() done with clients
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.826110 ArgusOutputProcess() looping
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.826122 ArgusOutputProcess() waiting for input list
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.926225 ArgusOutputStatusTime(0x15340f0) done
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.926264 ArgusOutputProcess() checking out clients
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.926279 ArgusOutputProcess() done with clients
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.926292 ArgusOutputProcess() looping
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.926305 ArgusOutputProcess() waiting for input list
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.957631 ArgusUpdateTime (0x7f1ddd3bd010) global time
>>>>> 1396250025.957628 update 1396250026.157628 returning 1
>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:45.957676 ArgusPushFrontList (0x1535090, 0x1535020, 1)
>>>>>returning
>>>>> 0xa23
>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:46.026405 ArgusOutputStatusTime(0x15340f0) done
>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:46.026445 ArgusOutputProcess() checking out clients
>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:46.026460 ArgusOutputProcess() done with clients
>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:46.026472 ArgusOutputProcess() looping
>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:46.026485 ArgusOutputProcess() waiting for input list
>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:46.126605 ArgusOutputStatusTime(0x15340f0) done
>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:46.126644 ArgusOutputProcess() checking out clients
>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:46.126659 ArgusOutputProcess() done with clients
>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:46.126671 ArgusOutputProcess() looping
>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:46.126684 ArgusOutputProcess() waiting for input list
>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:46.158386 ArgusUpdateTime (0x7f1ddd3bd010) global time
>>>>> 1396250026.158385 update 1396250026.357628 returning 1
>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:46.158427 ArgusPushFrontList (0x1535090, 0x1535020, 1)
>>>>>returning
>>>>> 0xa23
>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:46.226786 ArgusOutputStatusTime(0x15340f0) done
>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:46.226825 ArgusOutputProcess() checking out clients
>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:46.226843 ArgusOutputProcess() done with clients
>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:46.226862 ArgusOutputProcess() looping
>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:46.226896 ArgusOutputProcess() waiting for input list
>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:46.327003 ArgusOutputStatusTime(0x15340f0) done
>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:46.327042 ArgusOutputProcess() checking out clients
>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:46.327056 ArgusOutputProcess() done with clients
>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:46.327069 ArgusOutputProcess() looping
>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:46.327081 ArgusOutputProcess() waiting for input list
>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:46.359104 ArgusUpdateTime (0x7f1ddd3bd010) global time
>>>>> 1396250026.359103 update 1396250026.557628 returning 1
>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:46.359145 ArgusPushFrontList (0x1535090, 0x1535020, 1)
>>>>>returning
>>>>> 0xa23
>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:46.427189 ArgusOutputStatusTime(0x15340f0) done
>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:46.427229 ArgusOutputProcess() checking out clients
>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:46.427243 ArgusOutputProcess() done with clients
>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:46.427256 ArgusOutputProcess() looping
>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:46.427268 ArgusOutputProcess() waiting for input list
>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:46.527381 ArgusOutputStatusTime(0x15340f0) done
>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:46.527420 ArgusOutputProcess() checking out clients
>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:46.527434 ArgusOutputProcess() done with clients
>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:46.527447 ArgusOutputProcess() looping
>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:46.527459 ArgusOutputProcess() waiting for input list
>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:46.559826 ArgusUpdateTime (0x7f1ddd3bd010) global time
>>>>> 1396250026.559825 update 1396250026.757628 returning 1
>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:46.559880 ArgusPushFrontList (0x1535090, 0x1535020, 1)
>>>>>returning
>>>>> 0xa23
>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:46.627571 ArgusOutputStatusTime(0x15340f0) done
>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:46.627610 ArgusOutputProcess() checking out clients
>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:46.627625 ArgusOutputProcess() done with clients
>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:46.627638 ArgusOutputProcess() looping
>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:46.627652 ArgusOutputProcess() waiting for input list
>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:46.727765 ArgusOutputStatusTime(0x15340f0) done
>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:46.727804 ArgusOutputProcess() checking out clients
>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:46.727819 ArgusOutputProcess() done with clients
>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:46.727836 ArgusOutputProcess() looping
>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:46.727849 ArgusOutputProcess() waiting for input list
>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:46.760559 ArgusUpdateTime (0x7f1ddd3bd010) global time
>>>>> 1396250026.760557 update 1396250026.957628 returning 1
>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:46.760600 ArgusPushFrontList (0x1535090, 0x1535020, 1)
>>>>>returning
>>>>> 0xa23
>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:46.827946 ArgusOutputStatusTime(0x15340f0) done
>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:46.827985 ArgusOutputProcess() checking out clients
>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:46.828000 ArgusOutputProcess() done with clients
>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:46.828013 ArgusOutputProcess() looping
>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:46.828026 ArgusOutputProcess() waiting for input list
>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:46.928138 ArgusOutputStatusTime(0x15340f0) done
>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:46.928177 ArgusOutputProcess() checking out clients
>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:46.928192 ArgusOutputProcess() done with clients
>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:46.928205 ArgusOutputProcess() looping
>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:46.928217 ArgusOutputProcess() waiting for input list
>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:46.961354 ArgusUpdateTime (0x7f1ddd3bd010) global time
>>>>> 1396250026.961353 update 1396250027.157628 returning 1
>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:46.961398 ArgusPushFrontList (0x1535090, 0x1535020, 1)
>>>>>returning
>>>>> 0xa23
>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:47.028316 ArgusOutputStatusTime(0x15340f0) done
>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:47.028355 ArgusOutputProcess() checking out clients
>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:47.028370 ArgusOutputProcess() done with clients
>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:47.028383 ArgusOutputProcess() looping
>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:47.028395 ArgusOutputProcess() waiting for input list
>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:47.128499 ArgusOutputStatusTime(0x15340f0) done
>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:47.128538 ArgusOutputProcess() checking out clients
>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:47.128553 ArgusOutputProcess() done with clients
>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:47.128568 ArgusOutputProcess() looping
>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:47.128580 ArgusOutputProcess() waiting for input list
>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:47.162074 ArgusUpdateTime (0x7f1ddd3bd010) global time
>>>>> 1396250027.162073 update 1396250027.357628 returning 1
>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:47.162115 ArgusPushFrontList (0x1535090, 0x1535020, 1)
>>>>>returning
>>>>> 0xa23
>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:47.228679 ArgusOutputStatusTime(0x15340f0) done
>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:47.228718 ArgusOutputProcess() checking out clients
>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:47.228737 ArgusOutputProcess() done with clients
>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:47.228750 ArgusOutputProcess() looping
>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:47.228762 ArgusOutputProcess() waiting for input list
>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:47.328888 ArgusOutputStatusTime(0x15340f0) done
>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:47.328927 ArgusOutputProcess() checking out clients
>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:47.328942 ArgusOutputProcess() done with clients
>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:47.328955 ArgusOutputProcess() looping
>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:47.328968 ArgusOutputProcess() waiting for input list
>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:47.362797 ArgusUpdateTime (0x7f1ddd3bd010) global time
>>>>> 1396250027.362795 update 1396250027.557628 returning 1
>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:47.362837 ArgusPushFrontList (0x1535090, 0x1535020, 1)
>>>>>returning
>>>>> 0xa23
>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:47.429068 ArgusOutputStatusTime(0x15340f0) done
>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:47.429107 ArgusOutputProcess() checking out clients
>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:47.429122 ArgusOutputProcess() done with clients
>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:47.429135 ArgusOutputProcess() looping
>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:47.429147 ArgusOutputProcess() waiting for input list
>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:47.529254 ArgusOutputStatusTime(0x15340f0) done
>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:47.529293 ArgusOutputProcess() checking out clients
>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:47.529307 ArgusOutputProcess() done with clients
>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:47.529320 ArgusOutputProcess() looping
>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:47.529333 ArgusOutputProcess() waiting for input list
>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:47.563527 ArgusUpdateTime (0x7f1ddd3bd010) global time
>>>>> 1396250027.563526 update 1396250027.757628 returning 1
>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:47.563569 ArgusPushFrontList (0x1535090, 0x1535020, 1)
>>>>>returning
>>>>> 0xa23
>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:47.629436 ArgusOutputStatusTime(0x15340f0) done
>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:47.629475 ArgusOutputProcess() checking out clients
>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:47.629489 ArgusOutputProcess() done with clients
>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:47.629502 ArgusOutputProcess() looping
>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:47.629515 ArgusOutputProcess() waiting for input list
>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:47.729622 ArgusOutputStatusTime(0x15340f0) done
>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:47.729662 ArgusOutputProcess() checking out clients
>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:47.729676 ArgusOutputProcess() done with clients
>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:47.729689 ArgusOutputProcess() looping
>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:47.729702 ArgusOutputProcess() waiting for input list
>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:47.764263 ArgusUpdateTime (0x7f1ddd3bd010) global time
>>>>> 1396250027.764262 update 1396250027.957628 returning 1
>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:47.764304 ArgusPushFrontList (0x1535090, 0x1535020, 1)
>>>>>returning
>>>>> 0xa23
>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:47.829810 ArgusOutputStatusTime(0x15340f0) done
>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:47.829849 ArgusOutputProcess() checking out clients
>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:47.829863 ArgusOutputProcess() done with clients
>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>Mar
>>>>> 14
>>>>> 02:13:47.829890 ArgusOutputProcess() looping
>>>>> Mar 31 02:13:47 argus rsyslogd-2177: imuxsock begins to drop
>>>>>messages
>>>>> from
>>>>> pid 2593 due to rate-limiting
>>>>> Mar 31 02:13:51 argus rsyslogd-2177: imuxsock lost 188 messages from
>>>>>pid
>>>>> 2593 due to rate-limiting
>>>>>
>>>>>
>>>>>
>>>>> Then everything after "ArgusGetPackets: interface dna0 is selectable"
>>>>> repeats over and over again.
>>>>>
>>>>> Not sure if this confirms or refutes your previous statement.
>>>>>
>>>>> -Jeff
>>>>>
>>>>> On 3/30/14, 12:14 PM, "Carter Bullard" <carter at qosient.com> wrote:
>>>>>
>>>>>> Jeffrey,
>>>>>> Did you create the .debug file in the argus home directory ?? This
>>>>>> turns
>>>>>> on
>>>>>> debug information generation. If you didn't do this then:
>>>>>>
>>>>>> % touch .debug
>>>>>> % ./configure;make clean;make
>>>>>>
>>>>>> Seems like a lot of ARGUS_CAPTURE_DATA_LEN ?? I would recommend
>>>>>> something like 128, or 256 ???
>>>>>>
>>>>>> I suspect that the PF_RING stuff doesn't work with select(), and
>>>>>>we're
>>>>>> sitting
>>>>>> on a select() waiting to be notified that a packet is available to
>>>>>> read.
>>>>>> Your
>>>>>> debug information should tell us if it thinks the interface is
>>>>>> selectable
>>>>>> or not.
>>>>>>
>>>>>> Carter
>>>>>>
>>>>>> On Mar 30, 2014, at 12:45 PM, Reynolds, Jeffrey
>>>>>> <JReynolds at utdallas.edu>
>>>>>> wrote:
>>>>>>
>>>>>>> Ok, I've recompiled 3.0.7.5 from unmodified source. I'm running
>>>>>>>with
>>>>>>> the
>>>>>>> following config file options:
>>>>>>>
>>>>>>> ARGUS_FLOW_TYPE="Bidirectional"
>>>>>>> ARGUS_FLOW_KEY="CLASSIC_5_TUPLE"
>>>>>>> ARGUS_DAEMON=yes
>>>>>>> ARGUS_INTERFACE=dna0
>>>>>>> ARGUS_OUTPUT_FILE=/var/data/argus-out
>>>>>>> ARGUS_SET_PID=yes
>>>>>>> ARGUS_PID_PATH="/var/run"
>>>>>>> ARGUS_FLOW_STATUS_INTERVAL=5
>>>>>>> ARGUS_MAR_STATUS_INTERVAL=60
>>>>>>> ARGUS_DEBUG_LEVEL=8
>>>>>>> ARGUS_GENERATE_RESPONSE_TIME_DATA=yes
>>>>>>> ARGUS_GENERATE_MAC_DATA=yes
>>>>>>> ARGUS_CAPTURE_DATA_LEN=1500
>>>>>>>
>>>>>>>
>>>>>>> After running:
>>>>>>>
>>>>>>> argus -F argus.conf
>>>>>>>
>>>>>>> I'm still getting 128 byte argus-out files, but I'm not seeing any
>>>>>>> debug
>>>>>>> information. However, /var/log/messages now shows the interface
>>>>>>> coming
>>>>>>> up
>>>>>>> more in line with the what I'd expect:
>>>>>>>
>>>>>>> Mar 30 05:21:29 argus argus[31395]: 30 Mar 14 05:21:29.114830
>>>>>>>started
>>>>>>> Mar 30 05:21:29 argus argus[31395]: 30 Mar 14 05:21:29.130717
>>>>>>>started
>>>>>>> Mar 30 05:21:29 argus argus[31395]: 30 Mar 14 05:21:29.156439
>>>>>>> ArgusGetInterfaceStatus: interface dna0 is up
>>>>>>> Mar 30 05:21:46 argus argus[31395]: 30 Mar 14 05:21:46.418902
>>>>>>>stopped
>>>>>>>
>>>>>>>
>>>>>>> I checked ifconfig, and it claims that dna0 is running in PROMISC
>>>>>>> mode.
>>>>>>> It's strange that I'm not seeing any debug info at the command
>>>>>>>line
>>>>>>> of
>>>>>>> in
>>>>>>> /var/log/messages. I've tried specifying it in the config file
>>>>>>>and
>>>>>>> at
>>>>>>> the
>>>>>>> command line, but I haven't sen any additional output. Perhaps I
>>>>>>> didn't
>>>>>>> have one of the dependencies installed when I ran the configure
>>>>>>> script,
>>>>>>> and something isn't working properly? Also, I see that libpcap
>>>>>>>can
>>>>>>>be
>>>>>>> recompiled with PF_Ring support. Maybe I've missed something
>>>>>>>obvious
>>>>>>> here, but as Argus seems to depend on libpcap, do I need to
>>>>>>>recompile
>>>>>>> it
>>>>>>> with PF_Ring capabilities?
>>>>>>>
>>>>>>> -Jeff
>>>>>>>
>>>>>>> On 3/29/14, 10:00 AM, "Carter Bullard" <carter at qosient.com> wrote:
>>>>>>>
>>>>>>>> Hey Jeffery,
>>>>>>>> Sorry for the delayed response... and thanks Craig for taking
>>>>>>>>the
>>>>>>>> thread
>>>>>>>> !!! The 128 byte records are management records, which are
>>>>>>>> basically
>>>>>>>> keep alive like status messages for down stream readers of data.
>>>>>>>> They
>>>>>>>> indicate that the sensor is alive.
>>>>>>>>
>>>>>>>> But you definately aren't getting any packets from the
>>>>>>>>interfaces.
>>>>>>>>
>>>>>>>> You
>>>>>>>> shouldn't need to modify the source for this to work. I'm pretty
>>>>>>>> sure
>>>>>>>> Craig doesn't modify his. So with a standard release, run argus
>>>>>>>>the
>>>>>>>> way
>>>>>>>> you think you should with the -D8 option, so we can see what is
>>>>>>>>up
>>>>>>>> for
>>>>>>>> 5-10 seconds or so, and send the output to the list.
>>>>>>>>
>>>>>>>> We should see a statement that the interface is up. We need to
>>>>>>>>get
>>>>>>>> that
>>>>>>>> far before we'll try to read packets.
>>>>>>>>
>>>>>>>> Carter
>>>>>>>>
>>>>>>>>
>>>>>>>>> On Mar 28, 2014, at 3:42 PM, "Reynolds, Jeffrey"
>>>>>>>>> <JReynolds at utdallas.edu> wrote:
>>>>>>>>>
>>>>>>>>> Ok, I¹m almost sure there are issues with Argus and the code I¹ve
>>>>>>>>> modified. To rehash, I¹ve changed line grabbed argus-3.0.7.5
>>>>>>>>>and
>>>>>>>>> I¹ve
>>>>>>>>> chagned the following line in argus/ArgusSource.c
>>>>>>>>>
>>>>>>>>> 4331
>>>>>>>>>
>>>>>>>>> - if ((strstr(device->name, "dag")) || (strstr(device->name,
>>>>>>>>> "napa"))) {
>>>>>>>>>
>>>>>>>>> + if (strstr(device->name, "dag") || strstr(device->name, "nap")
>>>>>>>>>||
>>>>>>>>> strstr(device->name, "dna") || (strstr(device->name, "eth") &&
>>>>>>>>> strstr(device->name, "@"))) {
>>>>>>>>>
>>>>>>>>> I¹ve also tried:
>>>>>>>>>
>>>>>>>>> + if ((strstr(device->name, "dag")) || (strstr(device->name,
>>>>>>>>> "nap"))
>>>>>>>>> ||
>>>>>>>>> (strstr(device->name, "dna")) || (strstr(device->name, "eth") &&
>>>>>>>>> strstr(device->name, "@"))) {
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> As I wasn¹t sure if the paren the strstr statements had to be
>>>>>>>>> enclosed
>>>>>>>>> in
>>>>>>>>> their own set of parens. Anyway, in both instances, I¹ll try to
>>>>>>>>>run
>>>>>>>>> Argus
>>>>>>>>> and wind up with a 128 byte file. For example:
>>>>>>>>>
>>>>>>>>> $ argus -i dna0 -w /var/data/argus-out -s 1500
>>>>>>>>> (wait about 20 seconds)
>>>>>>>>> $ ls -l /var/data
>>>>>>>>> -rw-r--r--. 1 argus argus 128 Mar 28 07:46 argus-out
>>>>>>>>>
>>>>>>>>> When I run with the vanilla drivers, and my interface is not
>>>>>>>>>³dna0²
>>>>>>>>> but
>>>>>>>>> ³em1², then I get better results.
>>>>>>>>>
>>>>>>>>> # rmmod ixgbe
>>>>>>>>> # modprobe ixgbe #pulling from /lib/modules/`uname -r`
>>>>>>>>>
>>>>>>>>> $ rm argus-out
>>>>>>>>> rm: remove regular file `argus-out'? y
>>>>>>>>> $ argus -i em1 -w /var/data/argus-out -s 1500
>>>>>>>>> (wait about 20 seconds)
>>>>>>>>> $ ls -l /var/data
>>>>>>>>> -rw-r--r--. 1 argus argus 2392260 Mar 28 07:46 argus-out
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> The real kicker seems to be in /var/log/messages. When running
>>>>>>>>> argus
>>>>>>>>> on
>>>>>>>>> em1 with the original ixgbe driver, I get the following output in
>>>>>>>>> /var/log/messages:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Mar 28 05:14:52 argus argus[23142]: 28 Mar 14 05:14:52.865660
>>>>>>>>> started
>>>>>>>>> Mar 28 05:14:52 argus argus[23142]: 28 Mar 14 05:14:52.882755
>>>>>>>>> started
>>>>>>>>> Mar 28 05:14:52 argus kernel: device em1 entered promiscuous mode
>>>>>>>>> Mar 28 05:14:52 argus argus[23142]: 28 Mar 14 05:14:52.932220
>>>>>>>>> ArgusGetInterfaceStatus: interface em1 is up
>>>>>>>>> Mar 28 05:15:18 argus argus[23142]: 28 Mar 14 05:15:18.812342
>>>>>>>>> stopped
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> However, when running with the DNA driver, the output is as
>>>>>>>>>follows:
>>>>>>>>>
>>>>>>>>> Mar 28 08:33:16 argus argus[23915]: 28 Mar 14 08:33:16.967530
>>>>>>>>> started
>>>>>>>>> Mar 28 08:33:16 argus argus[23915]: 28 Mar 14 08:33:16.985055
>>>>>>>>> started
>>>>>>>>> Mar 28 08:33:50 argus argus[23915]: 28 Mar 14 08:33:50.667199
>>>>>>>>> stopped
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Now the interface is in promiscuous mode, I can see the change in
>>>>>>>>> received
>>>>>>>>> packets rising considerably by just running ifconfig a few
>>>>>>>>>times.
>>>>>>>>> I
>>>>>>>>> think
>>>>>>>>> that for whatever reason, the function in Argus that outputs the
>>>>>>>>> ³ArgusGetInterfaceStatus² line isn¹t correctly interpreting dna0
>>>>>>>>>as
>>>>>>>>> an
>>>>>>>>> appropriate interface.
>>>>>>>>>
>>>>>>>>> Does any of this sound remotely possible?
>>>>>>>>>
>>>>>>>>> -Jeff
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> On 3/27/14, 7:23 PM, "Craig Merchant" <cmerchant at responsys.com>
>>>>>>>>>> wrote:
>>>>>>>>>>
>>>>>>>>>> Hey, Jeffrey...
>>>>>>>>>>
>>>>>>>>>> The configuration questions for the pf_ring and ixgbe drivers
>>>>>>>>>>may
>>>>>>>>>> be
>>>>>>>>>> better answered on the ntop forums... But I'll do my best.
>>>>>>>>>>Here
>>>>>>>>>> is
>>>>>>>>>> how
>>>>>>>>>> I load the drivers:
>>>>>>>>>>
>>>>>>>>>> insmod /lib/modules/2.6.32-220.el6.x86_64/updates/pf_ring.ko
>>>>>>>>>> /sbin/modprobe ixgbe MQ=0,0 RSS=1,1 num_rx_slots=32768
>>>>>>>>>>
>>>>>>>>>> ifconfig dna0 up promisc
>>>>>>>>>> ethtool -K dna0 tso off
>>>>>>>>>> ethtool -K dna0 gro off
>>>>>>>>>> ethtool -K dna0 lro off
>>>>>>>>>> ethtool -K dna0 gso off
>>>>>>>>>> ethtool -G dna0 tx 32768
>>>>>>>>>> ethtool -G dna0 rx 32768
>>>>>>>>>>
>>>>>>>>>> One thing I'm not clear on from your config is why you are using
>>>>>>>>>> pfdnacluster_master at all... That daemon is designed to split
>>>>>>>>>>up
>>>>>>>>>> flows
>>>>>>>>>> and/or make copies of them to distribute to other applications.
>>>>>>>>>>
>>>>>>>>>>I
>>>>>>>>>> don't
>>>>>>>>>> think it's meant to aggregate two interfaces into one stream.
>>>>>>>>>> Normally
>>>>>>>>>> it's run with a -n parameter to tell it how many queues you want
>>>>>>>>>> traffic
>>>>>>>>>> divided up into. We use:
>>>>>>>>>>
>>>>>>>>>> pfdnacluster_master -d -c 10 -n 28,1 -m 0 -i dna0
>>>>>>>>>>
>>>>>>>>>> In this case, -n says "divide up one copy of the traffic into 28
>>>>>>>>>> queues"
>>>>>>>>>> and "create one copy of all the traffic on the last queue".
>>>>>>>>>>The
>>>>>>>>>> apps
>>>>>>>>>> accessing the first 28 queues (Snort) would connect to
>>>>>>>>>> dnacluster:10 at 0
>>>>>>>>>> -
>>>>>>>>>> dnacluster:10 at 27. Argus connects to dnacluster:10 at 28 and
>>>>>>>>>>would
>>>>>>>>>> see
>>>>>>>>>> a
>>>>>>>>>> copy of all of the traffic.
>>>>>>>>>>
>>>>>>>>>> If all you are looking to do is combine traffic from two
>>>>>>>>>>interfaces
>>>>>>>>>> into
>>>>>>>>>> one, why not just run argus with -i dna0,dna1?
>>>>>>>>>>
>>>>>>>>>> For testing, I would try the following to see where you might
>>>>>>>>>>be
>>>>>>>>>> having
>>>>>>>>>> problems:
>>>>>>>>>>
>>>>>>>>>> pfcount -i dna0
>>>>>>>>>> pfcount -i dna1
>>>>>>>>>> pfcount -i dna0,dna1
>>>>>>>>>> pfcount -i dnacluster:10
>>>>>>>>>> pfcount -i dnacluster:10 at 0
>>>>>>>>>>
>>>>>>>>>> Let me know if that helps...
>>>>>>>>>>
>>>>>>>>>> Craig
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> -----Original Message-----
>>>>>>>>>> From: Reynolds, Jeffrey [mailto:JReynolds at utdallas.edu]
>>>>>>>>>> Sent: Thursday, March 27, 2014 3:18 PM
>>>>>>>>>> To: Craig Merchant; Carter Bullard
>>>>>>>>>> Cc: Argus
>>>>>>>>>> Subject: Re: [ARGUS] Multi-Instanced Argus
>>>>>>>>>>
>>>>>>>>>> So I understand this is from a while ago, but here is what I
>>>>>>>>>>have.
>>>>>>>>>> Craig, maybe you can show me how I'm doing it wrong.
>>>>>>>>>>
>>>>>>>>>> I finally got PF_Ring and libzero licensed correctly so that
>>>>>>>>>> pfdnacluster
>>>>>>>>>> isn't limited to 5 minutes of capture. I downloaded the Argus
>>>>>>>>>> source,
>>>>>>>>>> installed the dependencies, and compiled after making the
>>>>>>>>>>change
>>>>>>>>>> you
>>>>>>>>>> noted below. However, I don't seem to be properly attaching
>>>>>>>>>>argus
>>>>>>>>>> to
>>>>>>>>>> my
>>>>>>>>>> devices to allow it to capture. I have a feeling its something
>>>>>>>>>>to
>>>>>>>>>> do
>>>>>>>>>> with my PF_Ring or dna-ixgbe conf files. We have two
>>>>>>>>>>interfaces
>>>>>>>>>>to
>>>>>>>>>> monitor, which I've previously combined into one by using
>>>>>>>>>> pfdnacluster_master. However, it looks like I can't get Argus
>>>>>>>>>>to
>>>>>>>>>> hook
>>>>>>>>>> into that or a single dan interface. Anyway, after make
>>>>>>>>>> installing,
>>>>>>>>>> I
>>>>>>>>>> run the following command with the following result:
>>>>>>>>>>
>>>>>>>>>> #pfdnacluster_master -i dna0,dna1 -c 10
>>>>>>>>>> #argus -i dnacluster:10 -s 1500 -w /var/data/argus-out
>>>>>>>>>>
>>>>>>>>>> My /var/log/messages says that the specified interface doesn't
>>>>>>>>>> exist,
>>>>>>>>>> which I kind of expected.
>>>>>>>>>> So I tried this (without pfdnacluster running):
>>>>>>>>>>
>>>>>>>>>> #argus -i dna0 -s 1500 -w /var/data/argus-out
>>>>>>>>>>
>>>>>>>>>> This time argus appears to have started, but my output file is
>>>>>>>>>>not
>>>>>>>>>> growing (it initial starts at 128 bytes and increases by that
>>>>>>>>>>same
>>>>>>>>>> amount
>>>>>>>>>> every 30 seconds or so).
>>>>>>>>>>
>>>>>>>>>> In case this happens to be the parameters I'm loading with my
>>>>>>>>>> kernel
>>>>>>>>>> modules, here they are:
>>>>>>>>>>
>>>>>>>>>> pf_ring.ko transparenet_mode=2
>>>>>>>>>> (I've also tried 0, with similar results) ixgbe.ko RSS=1,1,1,1
>>>>>>>>>>(I
>>>>>>>>>> wasn't
>>>>>>>>>> seeing all of the traffic from my interfaces with the default
>>>>>>>>>> config,
>>>>>>>>>> the
>>>>>>>>>> ntop folks recommended this, I need to dig further into the
>>>>>>>>>>docs
>>>>>>>>>>to
>>>>>>>>>> learn
>>>>>>>>>> more about these parameters).
>>>>>>>>>>
>>>>>>>>>> To answer your original question, I'm only monitoring about
>>>>>>>>>>~2Gbps,
>>>>>>>>>> significantly less then you are. I'm not sure if what I've
>>>>>>>>>>noticed
>>>>>>>>>> would
>>>>>>>>>> be considered "gaps", but we do see exchanges where the server
>>>>>>>>>> appears
>>>>>>>>>> to
>>>>>>>>>> initiate conversations by sending a response to a client, which
>>>>>>>>>>the
>>>>>>>>>> client doesn't appear to have requested. I'm guess the missing
>>>>>>>>>> request
>>>>>>>>>> was most likely a packet that didn't get captured.
>>>>>>>>>>
>>>>>>>>>> Any configuration suggestions would be much appreciated.
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>>
>>>>>>>>>> Jeff
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> From: Craig Merchant
>>>>>>>>>> <cmerchant at responsys.com<mailto:cmerchant at responsys.com>>
>>>>>>>>>> Date: Wednesday, March 12, 2014 at 6:39 PM
>>>>>>>>>> To: Carter Bullard
>>>>>>>>>><carter at qosient.com<mailto:carter at qosient.com>>,
>>>>>>>>>> Jeff
>>>>>>>>>> Reynolds <jjr140030 at utdallas.edu<mailto:jjr140030 at utdallas.edu>>
>>>>>>>>>> Cc: Argus
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>><argus-info at lists.andrew.cmu.edu<mailto:argus-info at lists.andrew.c
>>>>>>>>>>m
>>>>>>>>>>u.
>>>>>>>>>> ed
>>>>>>>>>> u>
>>>>>>>>>>>
>>>>>>>>>> Subject: RE: [ARGUS] Multi-Instanced Argus
>>>>>>>>>>
>>>>>>>>>> We're running Argus and Snort of PF_RING's DNA/Libzero drivers.
>>>>>>>>>>
>>>>>>>>>>We
>>>>>>>>>> decided to use Libzero because the standard DNA drivers limit
>>>>>>>>>>the
>>>>>>>>>> number
>>>>>>>>>> of memory "queues" containing network traffic to 16. Each
>>>>>>>>>>queue
>>>>>>>>>> can
>>>>>>>>>> only
>>>>>>>>>> be accessed by a single process and our sensors have 32 cores,
>>>>>>>>>>so
>>>>>>>>>> we
>>>>>>>>>> wouldn't be able to run the maximum number of Snort instances
>>>>>>>>>> without
>>>>>>>>>> it.
>>>>>>>>>>
>>>>>>>>>> We use the pfdnaclustermaster app to spread flows across 28
>>>>>>>>>>queues
>>>>>>>>>> for
>>>>>>>>>> snort and also maintain a copy of all flows in a queue for
>>>>>>>>>>Argus.
>>>>>>>>>>
>>>>>>>>>> To get it to work, all I had to do was make a slight edit to
>>>>>>>>>> ArgusSource.c so that Argus would recognize DNA/Libzero queues
>>>>>>>>>>as a
>>>>>>>>>> valid
>>>>>>>>>> interface.
>>>>>>>>>>
>>>>>>>>>> Somewhere around line 4191 (for argus 3.0.7):
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> - if ((strstr(device->name, "dag")) || (strstr(device->name,
>>>>>>>>>> "napa"))) {
>>>>>>>>>>
>>>>>>>>>> + if (strstr(device->name, "dag") || strstr(device->name,
>>>>>>>>>>"nap")
>>>>>>>>>>||
>>>>>>>>>> + strstr(device->name, "dna") || (strstr(device->name, "eth") &&
>>>>>>>>>> + strstr(device->name, "@"))) {
>>>>>>>>>>
>>>>>>>>>> Our data centers do around 4-8 Gbps 24/7. From what I recall,
>>>>>>>>>> there
>>>>>>>>>> is
>>>>>>>>>> (or was) a bug in PF_RING that caused Argus to run at 100% all
>>>>>>>>>>of
>>>>>>>>>> the
>>>>>>>>>> time, but in my experience Argus wasn't having problems keeping
>>>>>>>>>>up
>>>>>>>>>> with
>>>>>>>>>> our volume of data. We did see an unusually high number of
>>>>>>>>>>flows
>>>>>>>>>> that
>>>>>>>>>> Argus couldn't determine the direction of, but we weren't
>>>>>>>>>>seeing
>>>>>>>>>> gaps
>>>>>>>>>> in
>>>>>>>>>> the packets or anything else to suggest that Argus couldn't
>>>>>>>>>>handle
>>>>>>>>>> the
>>>>>>>>>> volume.
>>>>>>>>>>
>>>>>>>>>> How much traffic are you sending at Argus? Have you tried
>>>>>>>>>> searching
>>>>>>>>>> your
>>>>>>>>>> Argus records for flows that have gaps in them? That would be
>>>>>>>>>>a
>>>>>>>>>> pretty
>>>>>>>>>> good indicator that Argus may have trouble keeping up. Or that
>>>>>>>>>> your
>>>>>>>>>> SPAN
>>>>>>>>>> port can't handle the load...
>>>>>>>>>>
>>>>>>>>>> Thx.
>>>>>>>>>>
>>>>>>>>>> Craig
>>>>>>>>>>
>>>>>>>>>> From:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>argus-info-bounces+cmerchant=responsys.com at lists.andrew.cmu.edu<m
>>>>>>>>>>a
>>>>>>>>>>il
>>>>>>>>>> to
>>>>>>>>>> :a
>>>>>>>>>> rg
>>>>>>>>>> us-info-bounces+cmerchant=responsys.com at lists.andrew.cmu.edu>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>[mailto:argus-info-bounces+cmerchant=responsys.com at lists.andrew.c
>>>>>>>>>>m
>>>>>>>>>>u.
>>>>>>>>>> ed
>>>>>>>>>> u]
>>>>>>>>>> On Behalf Of Carter Bullard
>>>>>>>>>> Sent: Wednesday, March 12, 2014 1:57 PM
>>>>>>>>>> To: Reynolds, Jeffrey
>>>>>>>>>> Cc: Argus
>>>>>>>>>> Subject: Re: [ARGUS] Multi-Instanced Argus
>>>>>>>>>>
>>>>>>>>>> Hey Jeffery,
>>>>>>>>>> Good so far. This seem like the link for accelerating snort
>>>>>>>>>>with
>>>>>>>>>> PF_RING DNA ??
>>>>>>>>>> http://www.ntop.org/pf_ring/accelerating-snort-with-pf_ring-dna/
>>>>>>>>>>
>>>>>>>>>> I'm interested in the symmetric RSS and if it works properly.
>>>>>>>>>> Are you running the PF_RING DNA DAQ ????
>>>>>>>>>>
>>>>>>>>>> It would seem that we'll have to modify argus to use this
>>>>>>>>>>facility
>>>>>>>>>> ???
>>>>>>>>>>
>>>>>>>>>> Carter
>>>>>>>>>>
>>>>>>>>>> On Mar 12, 2014, at 3:26 PM, Reynolds, Jeffrey
>>>>>>>>>> <JReynolds at utdallas.edu<mailto:JReynolds at utdallas.edu>> wrote:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> First, before we dive into to it too deep, how is the
>>>>>>>>>>performance
>>>>>>>>>> ??
>>>>>>>>>>
>>>>>>>>>> This actually seems like a great place to start. Before
>>>>>>>>>>getting
>>>>>>>>>> too
>>>>>>>>>> heavy into PF_RING integration, maybe I should offer a bit of
>>>>>>>>>> backstory.
>>>>>>>>>> Our main goal is just to archive traffic. We have a server
>>>>>>>>>>running
>>>>>>>>>> CentOS 6 that receives traffic from two SPAN ports. The only
>>>>>>>>>> thing
>>>>>>>>>> we
>>>>>>>>>> want to accomplish is to maintain a copy of that traffic for
>>>>>>>>>>some
>>>>>>>>>> period
>>>>>>>>>> of time. Argus was used because it seemed to be the best tool
>>>>>>>>>>for
>>>>>>>>>> the
>>>>>>>>>> price, and it comes with a lot of great features that while we
>>>>>>>>>>may
>>>>>>>>>> not
>>>>>>>>>> use now, we may use later (again, for right now all we want is
>>>>>>>>>>a
>>>>>>>>>> copy
>>>>>>>>>> of
>>>>>>>>>> the traffic to be able to perform forensics on).
>>>>>>>>>>
>>>>>>>>>> Now, I put up a single instance of Argus and pointed it at the
>>>>>>>>>> interface
>>>>>>>>>> that was the master of our two bonded physical NICs (eth0 and
>>>>>>>>>>eth1
>>>>>>>>>> are
>>>>>>>>>> bonded to bond0). I let it run for an hour to get some
>>>>>>>>>>preliminary
>>>>>>>>>> numbers. I ran an recount against my output file and got the
>>>>>>>>>> following
>>>>>>>>>> stats:
>>>>>>>>>>
>>>>>>>>>> racount -t 2014y3m12d05h -r argus-out
>>>>>>>>>> racount records total_pkts src_pkts dst_pkts total_bytes
>>>>>>>>>>src_bytes
>>>>>>>>>> dst_bytes sum 14236180 187526800 98831765 88695035 212079839908
>>>>>>>>>> 102889789820 109190050088
>>>>>>>>>>
>>>>>>>>>> However, the switch the switch sending that traffic reported
>>>>>>>>>>that
>>>>>>>>>> it
>>>>>>>>>> had
>>>>>>>>>> sent a total of 421,978,297 packets to both interfaces, and a
>>>>>>>>>> total
>>>>>>>>>> of
>>>>>>>>>> 371,307,051,815 bytes for that time frame. I could be
>>>>>>>>>>interpreting
>>>>>>>>>> something incorrectly, so maybe the best first thing for me to
>>>>>>>>>> confirm
>>>>>>>>>> is
>>>>>>>>>> that we are in fact losing a lot of traffic. But it seems that
>>>>>>>>>>a
>>>>>>>>>> single
>>>>>>>>>> argus instance can't keep up with the traffic. I've seen this
>>>>>>>>>> happen
>>>>>>>>>> with Snort, and our solution was to plug Snort into PF_RING to
>>>>>>>>>> allow
>>>>>>>>>> the
>>>>>>>>>> traffic to be intelligently forwarded via the Snort Data
>>>>>>>>>> Acquisition
>>>>>>>>>> Library (DAQ). From the perspective of someone who hasn't had
>>>>>>>>>>a
>>>>>>>>>> lot
>>>>>>>>>> of
>>>>>>>>>> exposure to this level of hardware configuration, it was
>>>>>>>>>>relatively
>>>>>>>>>> easy
>>>>>>>>>> to plug the configuration parameters in at the Snort command
>>>>>>>>>>line
>>>>>>>>>> to
>>>>>>>>>> have
>>>>>>>>>> them all point at the same traffic source so that each
>>>>>>>>>>individual
>>>>>>>>>> process
>>>>>>>>>> didn't run through the same traffic. My hope was that there
>>>>>>>>>>might
>>>>>>>>>> just
>>>>>>>>>> be some parameters to set within the argus.conf file which
>>>>>>>>>>would
>>>>>>>>>> tell
>>>>>>>>>> each process to pull from a single PF_RING source. However, it
>>>>>>>>>> looks
>>>>>>>>>> like this might not be as easy as I had once thought.
>>>>>>>>>>
>>>>>>>>>> Am I on the right track or does this make even a little sense?
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>>
>>>>>>>>>> Jeff
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> From: Carter Bullard
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>><carter at qosient.com<mailto:carter at qosient.com><mailto:carter at qosi
>>>>>>>>>>e
>>>>>>>>>>nt
>>>>>>>>>> .c
>>>>>>>>>> om
>>>>>>>>>>>>
>>>>>>>>>> Date: Wednesday, March 12, 2014 at 9:54 AM
>>>>>>>>>> To: "Reynolds, Jeffrey"
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>><JReynolds at utdallas.edu<mailto:JReynolds at utdallas.edu><mailto:JRe
>>>>>>>>>>y
>>>>>>>>>>no
>>>>>>>>>> ld
>>>>>>>>>> s@
>>>>>>>>>> ut
>>>>>>>>>> dallas.edu>>
>>>>>>>>>> Cc: Argus
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>><argus-info at lists.andrew.cmu.edu<mailto:argus-info at lists.andrew.c
>>>>>>>>>>m
>>>>>>>>>>u.
>>>>>>>>>> ed
>>>>>>>>>> u>
>>>>>>>>>> <m
>>>>>>>>>> ailto:argus-info at lists.andrew.cmu.edu>>
>>>>>>>>>> Subject: Re: [ARGUS] Multi-Instanced Argus
>>>>>>>>>>
>>>>>>>>>> Hey Jeffrey,
>>>>>>>>>> I am very interested in this approach, but I have no experience
>>>>>>>>>> with
>>>>>>>>>> this
>>>>>>>>>> PF_RING feature, so I'll have to give you the "design response".
>>>>>>>>>> Hopefully, we can get this to where its doing exactly what
>>>>>>>>>>anyone
>>>>>>>>>> would
>>>>>>>>>> want it to do, and get us a really fast argus, on the cheap.
>>>>>>>>>>
>>>>>>>>>> First, before we dive into to it too deep, how is the
>>>>>>>>>>performance
>>>>>>>>>> ??
>>>>>>>>>> Are
>>>>>>>>>> you getting bi-directional flows out of this scheme ?? Are you
>>>>>>>>>> seeing
>>>>>>>>>> all the traffic ??? If so, then congratulations !!! If the
>>>>>>>>>> performance
>>>>>>>>>> is good, your seeing all the traffic, but you're only getting
>>>>>>>>>> uni-directional flows, then we may have some work to do, but
>>>>>>>>>>still
>>>>>>>>>> congratulations !!! If you're not getting all the traffic then
>>>>>>>>>>we
>>>>>>>>>> have
>>>>>>>>>> some real work to do, as one of the purposes of argus is to
>>>>>>>>>> monitor
>>>>>>>>>> all
>>>>>>>>>> the traffic.
>>>>>>>>>>
>>>>>>>>>> OK, so my understanding is that the PF_RING can do some packet
>>>>>>>>>> routing
>>>>>>>>>> to
>>>>>>>>>> a non-overlapping set of tap interfaces. Routing is based on
>>>>>>>>>>some
>>>>>>>>>> classification scheme, designed to make this usable. The
>>>>>>>>>>purpose
>>>>>>>>>> is
>>>>>>>>>> to
>>>>>>>>>> provide coarse grain parallelism for packet processing. The
>>>>>>>>>>idea,
>>>>>>>>>> as
>>>>>>>>>> much as I can tell, is to prevent multiple readers from having
>>>>>>>>>>to
>>>>>>>>>> read
>>>>>>>>>> from the same queue; eliminating locking issues, which kills
>>>>>>>>>> performance
>>>>>>>>>> etc...
>>>>>>>>>>
>>>>>>>>>> So, I'm not sure what you mean by "pulling from the same
>>>>>>>>>>queue".
>>>>>>>>>>
>>>>>>>>>> If
>>>>>>>>>> you
>>>>>>>>>> do have multiple argi reading the same packet, you will end up
>>>>>>>>>> counting a
>>>>>>>>>> single packet multiple times. Not a terrible thing, but not
>>>>>>>>>> recommended.
>>>>>>>>>> Its not that you're creating multiple observation domains using
>>>>>>>>>> this
>>>>>>>>>> PF_RING technique. You're really splitting a single packet
>>>>>>>>>> observation
>>>>>>>>>> domain into a multi-sensor facility ... eventually you will
>>>>>>>>>>want
>>>>>>>>>>to
>>>>>>>>>> combine the total argus output into a single output stream, that
>>>>>>>>>> represents the single packet observation domain. At least that
>>>>>>>>>>is
>>>>>>>>>> my
>>>>>>>>>> thinking, and I would recommend that you use radium to connect
>>>>>>>>>>to
>>>>>>>>>> all
>>>>>>>>>> of
>>>>>>>>>> your argus instances, rather than writing the argus output to a
>>>>>>>>>> set
>>>>>>>>>> of
>>>>>>>>>> files. Radium will generate a single argus data output stream,
>>>>>>>>>> representing the argus data from the single observation domain.
>>>>>>>>>>
>>>>>>>>>> The design issue of using the PF_RING function is "how is
>>>>>>>>>>PF_RING
>>>>>>>>>> classifying packets to do the routing?".
>>>>>>>>>> We would like for it to send packets that belong to the same
>>>>>>>>>> bi-directional flow to the same virtual interface, so argus can
>>>>>>>>>>do
>>>>>>>>>> its
>>>>>>>>>> bi-directional thing. PF_RING claims that you can provide your
>>>>>>>>>>own
>>>>>>>>>> classifier logic, which we can do to make this happen. We have
>>>>>>>>>>a
>>>>>>>>>> pretty
>>>>>>>>>> fast bidirectional hashing scheme which we can try out.
>>>>>>>>>>
>>>>>>>>>> We have a number of people that are using netmap instead of
>>>>>>>>>> PF_RING.
>>>>>>>>>> My
>>>>>>>>>> understanding is that it also has this same type of feature.
>>>>>>>>>>If
>>>>>>>>>> we
>>>>>>>>>> can
>>>>>>>>>> get some people talking about that, that would help a bit.
>>>>>>>>>>
>>>>>>>>>> Carter
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On Mar 12, 2014, at 1:03 AM, Reynolds, Jeffrey
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>><JReynolds at utdallas.edu<mailto:JReynolds at utdallas.edu><mailto:JRe
>>>>>>>>>>y
>>>>>>>>>>no
>>>>>>>>>> ld
>>>>>>>>>> s@
>>>>>>>>>> ut
>>>>>>>>>> dallas.edu>> wrote:
>>>>>>>>>>
>>>>>>>>>> Howdy All,
>>>>>>>>>>
>>>>>>>>>> So after forever and a day, I've finally found time to start
>>>>>>>>>> working
>>>>>>>>>> on
>>>>>>>>>> my multi-instanced argus configuration. Here is my setup:
>>>>>>>>>>
>>>>>>>>>> -CentOS 6.5 x64
>>>>>>>>>> -pfring driver compiled from source
>>>>>>>>>> -pfring capable Intel NICs (currently using the ixgbe driver
>>>>>>>>>> version
>>>>>>>>>> 3.15.1-k) (these NICs are in a bonded configuration under a
>>>>>>>>>>device
>>>>>>>>>> named
>>>>>>>>>> bond0)
>>>>>>>>>>
>>>>>>>>>> I've configured my startup script to start 5 instances of
>>>>>>>>>>Argus,
>>>>>>>>>> each
>>>>>>>>>> with there own /etc/argusX.conf file (argus1.conf, argus2.conf,
>>>>>>>>>> etc).
>>>>>>>>>> The start up script correctly assigns the proper pid file to
>>>>>>>>>>each
>>>>>>>>>> instance, and everything starts and stops smoothly. Each
>>>>>>>>>>instance
>>>>>>>>>> is
>>>>>>>>>> writing an output file to /var/argus in the format of
>>>>>>>>>>argusX.out.
>>>>>>>>>> When I
>>>>>>>>>> first tried running my argus instances, I ran them with a
>>>>>>>>>>version
>>>>>>>>>> of
>>>>>>>>>> PF_RING I had installed from an RPM obtained from the ntop repo.
>>>>>>>>>> Things
>>>>>>>>>> didn't seem to work correctly, so I tried again after I had
>>>>>>>>>> compiled
>>>>>>>>>> from
>>>>>>>>>> source. After compiling from source, I got the following
>>>>>>>>>>output
>>>>>>>>>>in
>>>>>>>>>> /var/log/messages when I started argus:
>>>>>>>>>>
>>>>>>>>>> Mar 11 17:48:16 argus kernel: No module found in object Mar 11
>>>>>>>>>> 17:49:16
>>>>>>>>>> argus kernel: [PF_RING] Welcome to PF_RING 5.6.3 ($Revision:
>>>>>>>>>> 7358$)
>>>>>>>>>> Mar
>>>>>>>>>> 11 17:49:16 argus kernel: (C) 2004-14
>>>>>>>>>> ntop.org<http://ntop.org/><http://ntop.org<http://ntop.org/>>
>>>>>>>>>> Mar 11 17:49:16 argus kernel: [PF_RING] registered
>>>>>>>>>> /proc/net/pf_ring/
>>>>>>>>>> Mar
>>>>>>>>>> 11 17:49:16 argus kernel: NET: Registered protocol family 27
>>>>>>>>>>Mar
>>>>>>>>>>11
>>>>>>>>>> 17:49:16 argus kernel: [PF_RING] Min # ring slots 4096
>>>>>>>>>> Mar 11 17:49:16 argus kernel: [PF_RING] Slot version 15
>>>>>>>>>> Mar 11 17:49:16 argus kernel: [PF_RING] Capture TX Yes
>>>>>>>>>> [RX+TX]
>>>>>>>>>> Mar 11 17:49:16 argus kernel: [PF_RING] Transparent Mode 0
>>>>>>>>>> Mar 11 17:49:16 argus kernel: [PF_RING] IP Defragment No
>>>>>>>>>> Mar 11 17:49:16 argus kernel: [PF_RING] Initialized correctly
>>>>>>>>>>Mar
>>>>>>>>>> 11
>>>>>>>>>> 17:49:35 argus kernel: Bluetooth: Core ver 2.15 Mar 11 17:49:35
>>>>>>>>>> argus
>>>>>>>>>> kernel: NET: Registered protocol family 31 Mar 11 17:49:35 argus
>>>>>>>>>> kernel:
>>>>>>>>>> Bluetooth: HCI device and connection manager initialized Mar 11
>>>>>>>>>> 17:49:35
>>>>>>>>>> argus kernel: Bluetooth: HCI socket layer initialized Mar 11
>>>>>>>>>> 17:49:35
>>>>>>>>>> argus kernel: Netfilter messages via NETLINK v0.30.
>>>>>>>>>> Mar 11 17:49:35 argus argus[13918]: 11 Mar 14 17:49:35.643243
>>>>>>>>>> started
>>>>>>>>>> Mar
>>>>>>>>>> 11 17:49:35 argus argus[13918]: 11 Mar 14 17:49:35.693930
>>>>>>>>>>started
>>>>>>>>>> Mar
>>>>>>>>>> 11
>>>>>>>>>> 17:49:35 argus kernel: device bond0 entered promiscuous mode
>>>>>>>>>>Mar
>>>>>>>>>>11
>>>>>>>>>> 17:49:35 argus kernel: device em1 entered promiscuous mode Mar
>>>>>>>>>>11
>>>>>>>>>> 17:49:35 argus kernel: device em2 entered promiscuous mode Mar
>>>>>>>>>>11
>>>>>>>>>> 17:49:35 argus argus[13918]: 11 Mar 14 17:49:35.721490
>>>>>>>>>> ArgusGetInterfaceStatus: interface bond0 is up Mar 11 17:49:36
>>>>>>>>>> argus
>>>>>>>>>> argus[13922]: 11 Mar 14 17:49:36.349202 started Mar 11 17:49:36
>>>>>>>>>> argus
>>>>>>>>>> argus[13922]: 11 Mar 14 17:49:36.364625 started Mar 11 17:49:36
>>>>>>>>>> argus
>>>>>>>>>> argus[13922]: 11 Mar 14 17:49:36.383623 ArgusGetInterfaceStatus:
>>>>>>>>>> interface bond0 is up Mar 11 17:49:37 argus argus[13926]: 11
>>>>>>>>>>Mar
>>>>>>>>>>14
>>>>>>>>>> 17:49:37.045224 started Mar 11 17:49:37 argus argus[13926]: 11
>>>>>>>>>>Mar
>>>>>>>>>> 14
>>>>>>>>>> 17:49:37.060689 started Mar 11 17:49:37 argus argus[13926]: 11
>>>>>>>>>>Mar
>>>>>>>>>> 14
>>>>>>>>>> 17:49:37.079706 ArgusGetInterfaceStatus: interface bond0 is up
>>>>>>>>>>Mar
>>>>>>>>>> 11
>>>>>>>>>> 17:49:37 argus argus[13930]: 11 Mar 14 17:49:37.753278 started
>>>>>>>>>>Mar
>>>>>>>>>> 11
>>>>>>>>>> 17:49:37 argus argus[13930]: 11 Mar 14 17:49:37.768613 started
>>>>>>>>>>Mar
>>>>>>>>>> 11
>>>>>>>>>> 17:49:37 argus argus[13930]: 11 Mar 14 17:49:37.785691
>>>>>>>>>> ArgusGetInterfaceStatus: interface bond0 is up Mar 11 17:49:38
>>>>>>>>>> argus
>>>>>>>>>> argus[13934]: 11 Mar 14 17:49:38.449229 started Mar 11 17:49:38
>>>>>>>>>> argus
>>>>>>>>>> argus[13934]: 11 Mar 14 17:49:38.466365 started Mar 11 17:49:38
>>>>>>>>>> argus
>>>>>>>>>> argus[13934]: 11 Mar 14 17:49:38.485675 ArgusGetInterfaceStatus:
>>>>>>>>>> interface bond0 is up
>>>>>>>>>>
>>>>>>>>>> Aside from the "No module found in object" error, everything
>>>>>>>>>>seems
>>>>>>>>>> like
>>>>>>>>>> its working Ok. The only problem is that I don't seem to have
>>>>>>>>>>my
>>>>>>>>>> argus
>>>>>>>>>> instances configured to pull traffic from the same queue. In
>>>>>>>>>>other
>>>>>>>>>> words, I have five output files from five argus instances with
>>>>>>>>>>like
>>>>>>>>>> traffic in all of them. I haven't made any changes to my argus
>>>>>>>>>> config
>>>>>>>>>> files, aside from telling them to write to different locations
>>>>>>>>>>and
>>>>>>>>>> the
>>>>>>>>>> name of the interface. I know I'm missing something but I'm not
>>>>>>>>>> quite
>>>>>>>>>> sure what it is. If someone might be able to tell me how to
>>>>>>>>>> configure
>>>>>>>>>> these five instances to pull from the same PF_RING queue, I'd
>>>>>>>>>>be
>>>>>>>>>> mighty
>>>>>>>>>> obliged. Let me know if I need to submit any additional
>>>>>>>>>> information.
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>>
>>>>>>>>>> Jeff Reynolds
>>>>>>>>>
>>>>>>>>>
>>>>>>>
>>>>>>
>>>>
>>
More information about the argus
mailing list