Multi-Instanced Argus
Carter Bullard
carter at qosient.com
Thu Apr 17 17:44:14 EDT 2014
Hey Jeff,
The ‘&&” is definitely wrong. With the && your saying that the string has to
match two values at the same time, every time ( A || B || C || D) && E.
Put in “ || “, since you are asking is it any of these strings ?? You
definitely want ( A || B || C || D || E).
Carter
On Apr 17, 2014, at 12:48 PM, Reynolds, Jeffrey <JReynolds at utdallas.edu> wrote:
> Actually, never mind. Just went back nd checked to see that Craig’s
> change was effectually A || B || (C && D). So kinda back to quare one
> with that.
>
> Jeff
>
> On 4/17/14, 11:45 AM, "Reynolds, Jeffrey" <jjr140030 at utdallas.edu> wrote
>
>> The problem is still stuck at not being able to see any packets from the
>> DNA interface.
>>
>> ith the oriinal source, I get deug output stating that the interface is
>> selectable, as well as the output sent
>>
>> When I run with the ource code modification suggested by Craig, (which
>> hasn’t been run in debug mode yet, /var/log/messages fails to report that
>> the interface is being put into promiscuous mode. This in and of itsef
>> doesn’t seem like it would necessarily be a big thing,as the interfaces
>> are already in PROMISC according to fconfig, but still no packets get
>> aptured.
>>
>> When I run with the source code modification where I har code the
>> “notselectable” variale, the output comes back that the interface is not
>> selectable, and still n packets.
>>
>> I have yet to run with the mod that you just sent, bu it might be awhile
>> before I have time to really try that out. I’m a little hesitant to put a
>> lot of fith in it though, as the conditional to
>> …
>> actually, what would the order of operations b there?
>>
>> With (A || B || C && D), would that be true with conditions A, B, or CD;
>> or would that betrue with conditions AD, BD, or CD? If the latter is
>> correct, then the original mod might have been eactly what I needed, with
>> just a little logic tweak. I’ll check it out later.
>>
>> Jeff
>>
>> On 4/14/14, 11:29 AM, "Carter Bullard" <carter at qosient.com> wrote:
>>
>>> Hey Jeff,
>>> So where are we on this problem ???
>>> Its pretty clear thatyou aren’t getting any packets.
>>>
>>> The modification that you tried to the source wasn’t good logic,
>>> with the“&&”, it should be a “||”, of course.
>>>
>>> 4331
>>>
>>> - if ((strstr(device->name, "dag")) || (strstr(device->name, "napa"))) {
>>>
>>> + if (strstr(device->name, "dag") || strstr(device->name, "nap") |
>>> strstr(device->name, "dna") || (strstr(device->name, "eth") &&
>>> strstr(device->nae, "@"))) {
>>>
>>> should be
>>>
>>> + if (strstr(device->name, "dag") || strstr(device->name, "nap") ||
>> strstr(device->name, "da") || (strstr(device->name, "eth") ||
>>> strstr(device->name, "@"))) {
>>>
>>> Still having problems ???
>>>
>>> Carter
>>>
>>> On Apr 2, 2014, at 10:26 M, Reynolds, Jeffrey <JReynolds at utallas.edu>
>>> wrote:
>>>
>>>> Carter,
>>>>
>>>> Thanks fr your response. The #define line is in
>>>> ./include/argus_config.h, line 192. I made he modification you
>>>> suggested, and stillo data is being writte. For sanity’s sake, here
>>>> is
>>>> the change I made:
>>>>
>>>> #Old File
>>>> 3750:#if !defined(CGWIN)
>>> 3751:#if defined(ARGUS_PLURIBUS)
>>>> 3752:int notselectable = 1;
>>>> 3753:#else
>>>> 3754:in notselectable = 0;
>>>> 3755:#endif
>>>> 3756:#endif
>>>>
>>>>
>>>> #New File
>>>> 3750:#if !defined(CYGWIN)
>>>>
>>>> 371:#if defined(ARGUS_PLURIBUS)
>>>> 3752:int notslectable = 1;
>>>> 3753:#else
>>>> 3754:int notselectable = 1;
>>>> 3755:#endif
>>>> 3756:#endi
>>>
>>>>
>>>>
>>>> Checking the output in /var/log/messages, it seems the change made dna0
>>>> not elctable
>>>>
>>>> Apr 2 02:42:20 argus argus[5749]: 02 Apr 14 02:42:20.613894
>>>> ArgusGetInterfceStatus: interface dna0 is up
>>>> Apr 2 02:42:20argus argus[5749]: argus[5749.00f725094c7f0000]: 02 Apr
>>>> 14
>>>> 02:42:20.614645 ArgusGetPackets: interfae dna0 is no selectable
>>>> Apr 2 02:42:20 argus argus[5749]: argus[5749.00f7250947f0000]: 0 Apr
>>>> 14
>>>> 02:42:20.61465 setArgusInterfaceStatus(0x7f4c095fe010, 1)
>>>> Apr 2 02:42:20 argus agus[5749]:argus[5749.00f725094c7f0000]: 02 Apr
>>>> 14
>>>> 02:42:20.614829 ArgusUpdateTime (x7f4c092e1010) global tim
>>>> 1396424540.614715 update 1396424540.814715 returning 1
>>>> pr 2 02:42:20 argus argus[5749]: argus[5749.00f725094c7f0000]: 02 Apr
>>>> 14
>>>> 02:42:20.614854 AgusPushFrontList (0xa0f090, 0xa0f020, 1) returning
>>>> 0x1677
>>> Apr 2 02:42:20 argus rgus[5749]: argus[5749.00f725094c7f0000]: 02 Apr
>>>> 14
>>>> 02:42:20.615672 ArgusUpdateTime (0x7f4c092e110) not time
>>>> Apr 2 02:42:20 argus argus[5749]: argus[5749.00f725094c7f0000]: 02 Apr
>>>> 14
>>>> 02:42:20.615809 ArgusUpdateTime (0x7f4c092e1010) not time
>>>> Apr 2 02:42:20 argus argus[5749]: args[5749.00f725094c7f0000]: 02 Apr
>>>> 14
>>>> 02:42:20.615940 AgusUpdateTime (0x7f4c092e110) not time
>>>> Apr 2 02:42:20 argus argus[5749]: argus[574900f725094c7f0000]: 02 Apr
>>>> 14
>>> 02:42:20.616070 ArgusUpdateTime (0x7f4c092e1010) not time
>>>> Apr 2 02:42:20 argus argus[5749]: argus5749.00f725094c7f0000]: 02 Apr
>>>> 14
>>>> 02:42:20.616200 ArgusUpdateTime (07f4c092e1010) nt time
>>>> Apr 2 02:42:20 argus argus[5749]: argus[5749.00f725094c7f0000]: 02 Apr
>>>> 1
>>>> 02:42:20.616313 ArgusUpdateTime (0x7f4c092e1010) not time
>>>> Apr 2 0242:20 argus argus[5749]: argus[5749.00f72594c7f0000]: 02 Apr
>>>> 14
>>>> 02:42:20.616443 ArgusUpdateTime (0x7f4c092e1010) not time
>>>> Apr 2 02:42:20 argus argus[5749]: argus[5749.00f725094c7f0000: 02 Apr
>>>> 14
>>>> 02:42:20.616572 ArgusUpdateTime (0x7f4c092e1010) not time
>>>> Apr 2 02:42:20 argus argus5749]: argus[5749.00f725094c7f0000]: 02 Apr
>>>> 14
>>>> 02:42:20.616705 ArgusUpdateTime (0xf4c092e1010) not time
>>>> Apr 2 02:42:20 argus argus[5749]: argus[5749.00f725094c7f0000]: 02 Apr
>>>> 14
>>>> 02:4:20.616834 ArguspdateTime (0x7f4c092e1010) not time
>>>> Apr 2 02:42:20 argus argus[5749]: argus[5749.00f725094c7f0000]:02 Apr
>>>> 14
>>>> 02:42:20.66963 ArgusUpdateTime (0x7f4c092e1010) not time
>>>> Apr 2 02:4:20 argus argus[5749]: argus5749.00f725094c7f0000]: 02 Apr
>>>> 14
>>>> 02:42:20.617092 ArgusUpdateTime (0x7f4c092e1010) not time
>>>>
>>>>
>>>> What follows are a ton of the ArgusUpdaeTime lines, interspersed with:
>>>>
>>>> Apr 2 02:42:20 argus rsysogd-2177: imuxsock begins to drop messas
>>>> from
>>>> pid 5749 due to rate-limiting
>>>> Apr 2 02:42:26 argus rsyslogd-277: imuxsock lost 43018 messages from
>>>> pid
>>>> 5749 due to rate-limiting
>>>>
>>>>
>>>> And stuff like:
>>>>
>>>> Apr 2 02:42:32 argus argus[5749]: argus[5749.0097400a4c7f0000]: 02 Apr
>>>> 14
>>>> 02:42:32.000755 ArgusOutputProcss() checking out clients
>>>> Apr 2 02:42:32 argus argus[5749]: argus[5749.0097400a4c7f0000]: 02 Apr
>>>> 14
>>>> 02:42:32.000772 ArgusOutputProcess() done with clients
>>>> Apr 2 02:42:32 argus argus[5749]: argus[5749.0097400a4c7f0000: 02 Apr
>>>> 14
>>>> 02:42:32.000790 ArgsOutputProcess() looping
>>>> Apr 2 02:42:32 argus argus[5749]: agus[5749.0097400a4c7f0000]: 02 Apr
>>>> 14
>>>> 02:42:32.000805 ArgusOutputProcess() waiting for input list
>>>>
>>>>
>>>> Or:
>>>>
>>>> Apr 2 02:42:50 argus argus[5749]: argus[5749.00f725094c7f0000]:02 Apr
>>>> 14
>>>> 02:42:50.014918 ArgusUpdateTime (0x7f4c092e1010) global time
>>>> 13962457.014812 update 1396424570.214715 returning 1
>>>> Apr 2 02:42:50 argus argus[5749]: argus[5749.00f725094c7f0000]: 02 Apr
>>>> 14
>>>> 0242:50.014938 ArguPushFrontList (0xa0f090, 0xa0f020, 1) returning
>>>> 0x1677
>>>>
>>>>
>>>> Let me know if it miht be helpfl to get the entire log and I can send
>>>> it
>>>> to you.
>>>>
>>>> Jeff
>>>>
>>>
>>>>
>>>>
>>>> On 4/2/14, 5:45 AM, "Carter Bullar" <carter at qosient.com> wrote:
>>>>>>>> Hey Jeffrey,
>>>>> Embedded in your debug list is the statement:
>>>>>
>>>>> Mar 31 02:13:45 args argus[2593]: argus[2593.00b733dd1d7f0000]: 31
>>>>> Mar 14
>>>>> 02:13:45.757200 ArgusGetPackets: interface dn0 is selectable
>>>>>
>>>>> and I suspect that it is not. Just curous, do you have this line
>>>>> in your argus ./include/argus_config.h file ??
>>>>>
>>>>> #deine HAVE_PCAP_GET_SELECTABLE_FD 1
>>>>>>>>> To get past this in the short term, just hard cde the selectable
>>>>> status variable in the routineArgusGetPackets on line 3754. Here
>>>>> is a diff:
>>>>>
>>>>> diff ArgusSource.c ArgusSource.c.new
>>>>> 3756c3756
>>>> < int notselectable = 0;
>>>>> ---
>>>>>> int otselectable = 1;
>>>>>
>>>>>
>>>>> And ets see how that goes.
>>>>>
>>>>> Carter
>>>>>
>>>>>
>>>> On Apr 1, 2014, at 3:38 PM, Reynolds, Jeffrey <Reynolds at utdallas.edu>
>>>>> wrote:
>>>>>
>>>>>> Carter,
>>>>>>
>>>>>> Not sure if you got my other message ut I’ll send it here as well. I
>>>>>> looked at the log info nd I found the following out:
>>>>>>
>>>>> From STDOUT / STDERR:
>>>>>>
>>>>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 2:13:45.708823 ArgusCallc
>>>>>> (1,
>>>>>> 525016) returning 0x7f1ddfd42010
>>>>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709007
>>>>>> ArgusNewModeler()
>>>>>> returning 0x7f1ddfd42010
>>>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 0:13:45.709036 ArgusCalloc
>>>>>> (1,
>>>>>> 4237776)returning 0x7f1dde6f4010
>>>>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709055
>>>>>> ArgusNewSource(0x7f1ddfd42010) returning 0x7f1dde6f4010
>>>>>> argus[2592.0047dcdf1d7f0000]: 1 Mar 14 02:13:45.709073 ArgusCalloc
>>>>>> (1,
>>>>>> 336) returning 0x15340f0
>>>>>> argus[2592.0047dcdf1df0000]: 31 ar 14 02:13:45.709087 ArgusCalloc
>>>>>> (1,
>>>>>> 152) returning 0x1534b60
>>>>>> argus[2592.0047dcdf1d7f0000: 31 Mar 14 02:13:45.709098 ArgusNewQueue
>>>>>> ()
>>>>>> returning 0x1534b60
>>>>>> argus[2592.0047dcdf1d70000]: 31 Mar 14 02:13:45.709110 ArgusCalloc
>>>>>> (1,
>>>>> 152) returning 0x1534c00
>>>>>> rgus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709121 ArgusNewList
>>>>>> ()
>>>>>> returnin 0x1534c00
>>>>>> argus[2592.0047ddf1d7f0000]: 31 Mar 14 02:13:45.709131 ArgusCalloc
>>>>>> (1
>>>>>> 152) returning 0x1534ca0
>>>>>> argus[292.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709141 ArgusNewLit
>>>>>> ()
>>>>>> returning 0x1534ca0
>>>>>> argus[2592.0047dcdf17f0000]: 31 Mar 14 02:13:45709150
>>>>>> ArgusNewOutput()
>>>>>> returning retn 0x15340f0
>>>>>> argus[259.0047dcdf1d7f0000]: 31Mar 14 02:13:45.709171
>>>>>> setArgusMarReportInterval(60) returnng
>>>>>> argus[2592.047dcdf1d7f0000]: 31 Mar 14 02:13:45.709252
>>>>>> clearArgusDevice(0x7f1dde6f4010) returning
>>>>>> argus[2592.0047dcdf1d7f0000]: 31 Mr 14 02:13:45.709270 ArgusCalloc
>>>>>> (1,
>>>>>> 152) returning 0x1534f80
>>>>>> argus[2592.007dcdf1d7f0000]: 31 Mar 14 02:13:45.709284 ArgusNewList
>>>>>> ()
>>>>>> returning 0x1534f80
>>>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709303 ArgusCalloc
>>>>>> (1,
>>>>>> 64) returning 0x1535020
>>>>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.79317
>>>>>> ArgusPushFrontList
>>>>>> (0x1534f80, 0x1535020, 1) returning 0xa20
>>>>>> argus[2592.0047dcd1d7f0000]: 31 Mar 14 02:13:45.709331
>>>>>> setArgusDevice(dna0) returning
>>>>>> argus[2592.0047dcdf1d7f000]: 31 Mar 14 02:13:45.709345
>>>>>> ArgusDeleteList
>>>>>> ((nil), 2) returning
>>>>>> argus[2592.0047dcf1d7f0000]: 31 Mar 14 02:13:45.709356 ArgusCalloc
>>>>>> (1,
>>>>>> 152) returning 0x1535090
>>>>>> argus[292.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709366 ArgusNewList
>>>>>> ()
>>>>>> returning 0x1535090
>>>>>> arus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709376 ArgusCalloc
>>>>>> (1,
>>>>>> 24) returning 0x1534250
>>>>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709386
>>>>> ArgusPushFrontList
>>>>>> (0x1535090, 0x1534250, 1) returning 0xa20
>>>>>> argus[2592.0047dcf1d7f0000]: 31 Mar 14 02:13:45.709403
>>>>>> setArgusMarReportInterval(60) returning
>>>>>> arus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709440
>>>>>> ArgusParseResourceFile (/etc/argus.conf) returning
>>>>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709469 ArgusFree
>>>>>> (0x1535020)
>>>>>> argu[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709480
>>>>>> clearArgusDevice(0x7f1dde6f4010) returning
>>>>>> agus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709493 ArgusCalloc
>>>>>> (1,
>>>>>> 64) returning 0x1535020>>>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709503
>>>>>> ArgusPushFrontList
>>>>> (0x1534f80, 0x1535020, 1) returning 0xa20
>>>>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 2:13:45.709514
>>>>>> setArgusDevice(dna0 ) returning
>>>>>> argus[2592.0047dcdf1d7f0000]: 31 ar 14 02:13:45.709526
>>>>>> ArgusDeleteList
>>>>>> (0x1535090, 2) 1 items on list
>>>>>> argus[2592.0047dcdfd7f0000]: 31 Mar 14 02:13:45.709537 ArgusFree
>>>>>> (0x1534250)
>>>>>> argus[2592.0047dcdfd7f0000]: 31 Mar 14 02:13:45.709549 ArgusFree
>>>>>> (0x1535090)
>>>>>> argus[2592.0047dcdf1d7f000]: 31 Mar 14 02:13:45.709559
>>>>>> ArgusDeleteList
>>>>>> (0x1535090, 2) returning
>>>>>> argus[2592.047dcdf1d7f0000]: 31 Mar 14 02:13:45.709569 ArgusCalloc
>>>>>> (1,
>>>>>> 152) returning 0x1535090
>>>>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709579 ArgusNewList
>>>>>> ()
>>>>>> returning 0x1535090
>>>>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709588 ArgusCalloc
>>>>>> (1,
>>>>>> 24) returning 0x1534250
>>>>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709598
>>>>>> ArgusPushFrontList
>>>>>> (0x1535090, 0x1534250, 1) returning 0xa20
>>>>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709609
>>>>>> setArgusInterfaceStatus(0x7f1dde6f4010, 1)
>>>>>>
>>>>>>
>>>>>>
>>>>>> Here is output from /var/log/messages:
>>>>>>
>>>>>> Mar 31 02:13:45 argus argus[2593]: 31 Mar 14 02:13:45.709952 started
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.710271 ArgusCalloc (1, 592056) returning 0x7f1ddfcb1010
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.725031 ArgusCalloc (1, 128) returning 0x15de1d0
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.725074 getArgusID(0x7f1dde6f4010) done
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.725094 getArgusIDType(0x7f1dde6f4010) done
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.725113 ArgusGenerateInitialMar() returning
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.725132 ArgusCalloc (1, 168) returning 0x15de260
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.725447 ArgusCalloc (1, 262256) returning 0x7f1ddfc70010
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.725472 ArgusCalloc (1, 152) returning 0x15de310
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.725489 ArgusNewList () returning 0x15de310
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.725506 ArgusNewSocket (4) returning 0x7f1ddfc70010
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.725548 ArgusPushBackList (0x1535090, 0x1534250, 1) returning
>>>>>> 1
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.725567 ArgusDeleteList (0x1535090, 2) 1 items on list
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.725581 ArgusFree (0x1534250)
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.725597 ArgusFree (0x1535090)
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.725610 ArgusDeleteList (0x1535090, 2) returning
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.725714 ArgusInitOutput() done
>>>>>> Mar 31 02:13:45 argus argus[2593]: 31 Mar 14 02:13:45.725789 started
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.725794 ArgusOutputProcess(0x15340f0) starting
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.725923 ArgusOutputProcess() looping
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.725941 ArgusOutputProcess() waiting for input list
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.725807 ArgusCreatePIDFile(/var/run, argus) pidpath is
>>>>>> /var/run
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.726043 ArgusPushFrontList (0x1534f80, 0x1535020, 1)
>>>>>> returning
>>>>>> 0xa21
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.726063 getArgusDevice(0x7f1dde6f4010) returning dna0
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.726606 ArgusCreatePIDFile(/var/run, argus) returning
>>>>>> /var/run/argus.dna0.0.pid
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.726651 ArgusCalloc (1, 4237776) returning 0x7f1ddd6da010
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.726670 ArgusCalloc (1, 152) returning 0x1535090
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.726684 ArgusNewList () returning 0x1535090
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.726704 ArgusCloneSource(0x7f1dde6f4010) returning
>>>>>> 0x7f1ddd6da010
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.726733 clearArgusDevice(0x7f1ddd6da010) returning
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.726757 ArgusPushBackList (0x1535090, 0x1535020, 1) returning
>>>>>> 1
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.747151 ArgusOpenInterface() pcap_open_live(dna0) returned
>>>>>> 0x15de4f0
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.754761 Arguslookup_pcap_callback(1) returning 0x412896
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.754790 ArgusOpenInterface(0x7f1ddd6da010, 'dna0') returning
>>>>>> 1
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.754807 ArgusPushBackList (0x1535090, 0x1535020, 1) returning
>>>>>> 1
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.754945 ArgusCalloc (1, 525016) returning 0x7f1ddd3bd010
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.755740 ArgusCalloc (1, 64) returning 0x15e1800
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.755778 ArgusCalloc (65536, 8) returning 0x7f1ddd33c010
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.755793 ArgusNewHashTable (65536) returning 0x15e1800
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.755807 ArgusCalloc (1, 104) returning 0x15e1850
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.755820 ArgusCalloc (1, 152) returning 0x15e18c0
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.755834 ArgusNewQueue () returning 0x15e18c0
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.755847 ArgusCalloc (1, 152) returning 0x15e1960
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.755859 ArgusNewQueue () returning 0x15e1960
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.755871 ArgusCalloc (1, 112) returning 0x15e1a00
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.755934 ArgusCalloc (1, 40) returning 0x15e1a80
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.755958 ArgusCalloc (1, 80) returning 0x15e1ab0
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.755982 ArgusCalloc (1, 1096) returning 0x15e1b10
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.756011 ArgusCalloc (1, 1096) returning 0x15e1f60
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.756038 ArgusCalloc (1, 1096) returning 0x15e23b0
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.756066 ArgusCalloc (1, 1096) returning 0x15e2800
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.756094 ArgusCalloc (1, 1096) returning 0x15e2c50
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.756113 ArgusCalloc (1, 1096) returning 0x15e30a0
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.756126 ArgusCalloc (1, 1096) returning 0x15e34f0
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.756146 ArgusCalloc (1, 1096) returning 0x15e3940
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.756167 ArgusCalloc (1, 1096) returning 0x15e3d90
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.756195 ArgusCalloc (1, 1096) returning 0x15e41e0
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.756219 ArgusCalloc (1, 1096) returning 0x15e4630
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.756243 ArgusCalloc (1, 1096) returning 0x15e4a80
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.756276 ArgusCalloc (1, 1096) returning 0x15e4ed0
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.756301 ArgusCalloc (1, 1096) returning 0x15e5320
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.756319 ArgusCalloc (1, 1096) returning 0x15e5770
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.756334 ArgusCalloc (1, 1096) returning 0x15e5bc0
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.756358 ArgusCalloc (1, 1096) returning 0x15e6010
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.756384 ArgusCalloc (1, 1096) returning 0x15e6460
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.756412 ArgusCalloc (1, 1096) returning 0x15e68b0
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.756427 ArgusCalloc (1, 1096) returning 0x15e6d00
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.756447 ArgusInitMallocList (1048) returning
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.756469 ArgusInitModeler(0x7f1ddd3bd010) done
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.756501 ArgusInitSource(0x7f1ddd6da010) returning 1
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.756655 ArgusGetPackets (0x7f1ddd6da010) starting
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.756747 ArgusPushFrontList (0x1535090, 0x1535020, 1)
>>>>>> returning
>>>>>> 0xa23
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.756810 setArgusInterfaceStatus(0x7f1ddd6da010, 1)
>>>>>> Mar 31 02:13:45 argus argus[2593]: 31 Mar 14 02:13:45.756854
>>>>>> ArgusGetInterfaceStatus: interface dna0 is up
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.757200 ArgusGetPackets: interface dna0 is selectable
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.757233 setArgusInterfaceStatus(0x7f1ddd6da010, 1)
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.826041 ArgusOutputStatusTime(0x15340f0) done
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.826082 ArgusOutputProcess() checking out clients
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.826097 ArgusOutputProcess() done with clients
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.826110 ArgusOutputProcess() looping
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.826122 ArgusOutputProcess() waiting for input list
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.926225 ArgusOutputStatusTime(0x15340f0) done
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.926264 ArgusOutputProcess() checking out clients
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.926279 ArgusOutputProcess() done with clients
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.926292 ArgusOutputProcess() looping
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.926305 ArgusOutputProcess() waiting for input list
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.957631 ArgusUpdateTime (0x7f1ddd3bd010) global time
>>>>>> 1396250025.957628 update 1396250026.157628 returning 1
>>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:45.957676 ArgusPushFrontList (0x1535090, 0x1535020, 1)
>>>>>> returning
>>>>>> 0xa23
>>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:46.026405 ArgusOutputStatusTime(0x15340f0) done
>>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:46.026445 ArgusOutputProcess() checking out clients
>>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:46.026460 ArgusOutputProcess() done with clients
>>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:46.026472 ArgusOutputProcess() looping
>>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:46.026485 ArgusOutputProcess() waiting for input list
>>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:46.126605 ArgusOutputStatusTime(0x15340f0) done
>>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:46.126644 ArgusOutputProcess() checking out clients
>>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:46.126659 ArgusOutputProcess() done with clients
>>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:46.126671 ArgusOutputProcess() looping
>>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:46.126684 ArgusOutputProcess() waiting for input list
>>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:46.158386 ArgusUpdateTime (0x7f1ddd3bd010) global time
>>>>>> 1396250026.158385 update 1396250026.357628 returning 1
>>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:46.158427 ArgusPushFrontList (0x1535090, 0x1535020, 1)
>>>>>> returning
>>>>>> 0xa23
>>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:46.226786 ArgusOutputStatusTime(0x15340f0) done
>>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:46.226825 ArgusOutputProcess() checking out clients
>>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:46.226843 ArgusOutputProcess() done with clients
>>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:46.226862 ArgusOutputProcess() looping
>>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:46.226896 ArgusOutputProcess() waiting for input list
>>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:46.327003 ArgusOutputStatusTime(0x15340f0) done
>>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:46.327042 ArgusOutputProcess() checking out clients
>>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:46.327056 ArgusOutputProcess() done with clients
>>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:46.327069 ArgusOutputProcess() looping
>>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:46.327081 ArgusOutputProcess() waiting for input list
>>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:46.359104 ArgusUpdateTime (0x7f1ddd3bd010) global time
>>>>>> 1396250026.359103 update 1396250026.557628 returning 1
>>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:46.359145 ArgusPushFrontList (0x1535090, 0x1535020, 1)
>>>>>> returning
>>>>>> 0xa23
>>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:46.427189 ArgusOutputStatusTime(0x15340f0) done
>>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:46.427229 ArgusOutputProcess() checking out clients
>>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:46.427243 ArgusOutputProcess() done with clients
>>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:46.427256 ArgusOutputProcess() looping
>>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:46.427268 ArgusOutputProcess() waiting for input list
>>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:46.527381 ArgusOutputStatusTime(0x15340f0) done
>>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:46.527420 ArgusOutputProcess() checking out clients
>>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:46.527434 ArgusOutputProcess() done with clients
>>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:46.527447 ArgusOutputProcess() looping
>>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:46.527459 ArgusOutputProcess() waiting for input list
>>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:46.559826 ArgusUpdateTime (0x7f1ddd3bd010) global time
>>>>>> 1396250026.559825 update 1396250026.757628 returning 1
>>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:46.559880 ArgusPushFrontList (0x1535090, 0x1535020, 1)
>>>>>> returning
>>>>>> 0xa23
>>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:46.627571 ArgusOutputStatusTime(0x15340f0) done
>>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:46.627610 ArgusOutputProcess() checking out clients
>>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:46.627625 ArgusOutputProcess() done with clients
>>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:46.627638 ArgusOutputProcess() looping
>>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:46.627652 ArgusOutputProcess() waiting for input list
>>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:46.727765 ArgusOutputStatusTime(0x15340f0) done
>>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:46.727804 ArgusOutputProcess() checking out clients
>>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:46.727819 ArgusOutputProcess() done with clients
>>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:46.727836 ArgusOutputProcess() looping
>>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:46.727849 ArgusOutputProcess() waiting for input list
>>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:46.760559 ArgusUpdateTime (0x7f1ddd3bd010) global time
>>>>>> 1396250026.760557 update 1396250026.957628 returning 1
>>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:46.760600 ArgusPushFrontList (0x1535090, 0x1535020, 1)
>>>>>> returning
>>>>>> 0xa23
>>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:46.827946 ArgusOutputStatusTime(0x15340f0) done
>>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:46.827985 ArgusOutputProcess() checking out clients
>>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:46.828000 ArgusOutputProcess() done with clients
>>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:46.828013 ArgusOutputProcess() looping
>>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:46.828026 ArgusOutputProcess() waiting for input list
>>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:46.928138 ArgusOutputStatusTime(0x15340f0) done
>>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:46.928177 ArgusOutputProcess() checking out clients
>>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:46.928192 ArgusOutputProcess() done with clients
>>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:46.928205 ArgusOutputProcess() looping
>>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:46.928217 ArgusOutputProcess() waiting for input list
>>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:46.961354 ArgusUpdateTime (0x7f1ddd3bd010) global time
>>>>>> 1396250026.961353 update 1396250027.157628 returning 1
>>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:46.961398 ArgusPushFrontList (0x1535090, 0x1535020, 1)
>>>>>> returning
>>>>>> 0xa23
>>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:47.028316 ArgusOutputStatusTime(0x15340f0) done
>>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:47.028355 ArgusOutputProcess() checking out clients
>>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:47.028370 ArgusOutputProcess() done with clients
>>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:47.028383 ArgusOutputProcess() looping
>>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:47.028395 ArgusOutputProcess() waiting for input list
>>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:47.128499 ArgusOutputStatusTime(0x15340f0) done
>>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:47.128538 ArgusOutputProcess() checking out clients
>>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:47.128553 ArgusOutputProcess() done with clients
>>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:47.128568 ArgusOutputProcess() looping
>>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:47.128580 ArgusOutputProcess() waiting for input list
>>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:47.162074 ArgusUpdateTime (0x7f1ddd3bd010) global time
>>>>>> 1396250027.162073 update 1396250027.357628 returning 1
>>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:47.162115 ArgusPushFrontList (0x1535090, 0x1535020, 1)
>>>>>> returning
>>>>>> 0xa23
>>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:47.228679 ArgusOutputStatusTime(0x15340f0) done
>>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:47.228718 ArgusOutputProcess() checking out clients
>>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:47.228737 ArgusOutputProcess() done with clients
>>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:47.228750 ArgusOutputProcess() looping
>>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:47.228762 ArgusOutputProcess() waiting for input list
>>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:47.328888 ArgusOutputStatusTime(0x15340f0) done
>>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:47.328927 ArgusOutputProcess() checking out clients
>>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:47.328942 ArgusOutputProcess() done with clients
>>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:47.328955 ArgusOutputProcess() looping
>>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:47.328968 ArgusOutputProcess() waiting for input list
>>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:47.362797 ArgusUpdateTime (0x7f1ddd3bd010) global time
>>>>>> 1396250027.362795 update 1396250027.557628 returning 1
>>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:47.362837 ArgusPushFrontList (0x1535090, 0x1535020, 1)
>>>>>> returning
>>>>>> 0xa23
>>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:47.429068 ArgusOutputStatusTime(0x15340f0) done
>>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:47.429107 ArgusOutputProcess() checking out clients
>>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:47.429122 ArgusOutputProcess() done with clients
>>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:47.429135 ArgusOutputProcess() looping
>>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:47.429147 ArgusOutputProcess() waiting for input list
>>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:47.529254 ArgusOutputStatusTime(0x15340f0) done
>>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:47.529293 ArgusOutputProcess() checking out clients
>>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:47.529307 ArgusOutputProcess() done with clients
>>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:47.529320 ArgusOutputProcess() looping
>>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:47.529333 ArgusOutputProcess() waiting for input list
>>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:47.563527 ArgusUpdateTime (0x7f1ddd3bd010) global time
>>>>>> 1396250027.563526 update 1396250027.757628 returning 1
>>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:47.563569 ArgusPushFrontList (0x1535090, 0x1535020, 1)
>>>>>> returning
>>>>>> 0xa23
>>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:47.629436 ArgusOutputStatusTime(0x15340f0) done
>>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:47.629475 ArgusOutputProcess() checking out clients
>>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:47.629489 ArgusOutputProcess() done with clients
>>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:47.629502 ArgusOutputProcess() looping
>>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:47.629515 ArgusOutputProcess() waiting for input list
>>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:47.729622 ArgusOutputStatusTime(0x15340f0) done
>>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:47.729662 ArgusOutputProcess() checking out clients
>>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:47.729676 ArgusOutputProcess() done with clients
>>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:47.729689 ArgusOutputProcess() looping
>>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:47.729702 ArgusOutputProcess() waiting for input list
>>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:47.764263 ArgusUpdateTime (0x7f1ddd3bd010) global time
>>>>>> 1396250027.764262 update 1396250027.957628 returning 1
>>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:47.764304 ArgusPushFrontList (0x1535090, 0x1535020, 1)
>>>>>> returning
>>>>>> 0xa23
>>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:47.829810 ArgusOutputStatusTime(0x15340f0) done
>>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:47.829849 ArgusOutputProcess() checking out clients
>>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:47.829863 ArgusOutputProcess() done with clients
>>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
>>>>>> Mar
>>>>>> 14
>>>>>> 02:13:47.829890 ArgusOutputProcess() looping
>>>>>> Mar 31 02:13:47 argus rsyslogd-2177: imuxsock begins to drop
>>>>>> messages
>>>>>> from
>>>>>> pid 2593 due to rate-limiting
>>>>>> Mar 31 02:13:51 argus rsyslogd-2177: imuxsock lost 188 messages from
>>>>>> pid
>>>>>> 2593 due to rate-limiting
>>>>>>
>>>>>>
>>>>>>
>>>>>> Then everything after “ArgusGetPackets: interface dna0 is selectable"
>>>>>> repeats over and over again.
>>>>>>
>>>>>> Not sure if this confirms or refutes your previous statement.
>>>>>>
>>>>>> -Jeff
>>>>>>
>>>>>> On 3/30/14, 12:14 PM, "Carter Bullard" <carter at qosient.com> wrote:
>>>>>>
>>>>>>> Jeffrey,
>>>>>>> Did you create the .debug file in the argus home directory ?? This
>>>>>>> turns
>>>>>>> on
>>>>>>> debug information generation. If you didn’t do this then:
>>>>>>>
>>>>>>> % touch .debug
>>>>>>> % ./configure;make clean;make
>>>>>>>
>>>>>>> Seems like a lot of ARGUS_CAPTURE_DATA_LEN ?? I would recommend
>>>>>>> something like 128, or 256 ???
>>>>>>>
>>>>>>> I suspect that the PF_RING stuff doesn’t work with select(), and
>>>>>>> we’re
>>>>>>> sitting
>>>>>>> on a select() waiting to be notified that a packet is available to
>>>>>>> read.
>>>>>>> Your
>>>>>>> debug information should tell us if it thinks the interface is
>>>>>>> selectable
>>>>>>> or not.
>>>>>>>
>>>>>>> Carter
>>>>>>>
>>>>>>> On Mar 30, 2014, at 12:45 PM, Reynolds, Jeffrey
>>>>>>> <JReynolds at utdallas.edu>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Ok, I’ve recompiled 3.0.7.5 from unmodified source. I’m running
>>>>>>>> with
>>>>>>>> the
>>>>>>>> following config file options:
>>>>>>>>
>>>>>>>> ARGUS_FLOW_TYPE="Bidirectional"
>>>>>>>> ARGUS_FLOW_KEY="CLASSIC_5_TUPLE"
>>>>>>>> ARGUS_DAEMON=yes
>>>>>>>> ARGUS_INTERFACE=dna0
>>>>>>>> ARGUS_OUTPUT_FILE=/var/data/argus-out
>>>>>>>> ARGUS_SET_PID=yes
>>>>>>>> ARGUS_PID_PATH="/var/run"
>>>>>>>> ARGUS_FLOW_STATUS_INTERVAL=5
>>>>>>>> ARGUS_MAR_STATUS_INTERVAL=60
>>>>>>>> ARGUS_DEBUG_LEVEL=8
>>>>>>>> ARGUS_GENERATE_RESPONSE_TIME_DATA=yes
>>>>>>>> ARGUS_GENERATE_MAC_DATA=yes
>>>>>>>> ARGUS_CAPTURE_DATA_LEN=1500
>>>>>>>>
>>>>>>>>
>>>>>>>> After running:
>>>>>>>>
>>>>>>>> argus -F argus.conf
>>>>>>>>
>>>>>>>> I’m still getting 128 byte argus-out files, but I’m not seeing any
>>>>>>>> debug
>>>>>>>> information. However, /var/log/messages now shows the interface
>>>>>>>> coming
>>>>>>>> up
>>>>>>>> more in line with the what I’d expect:
>>>>>>>>
>>>>>>>> Mar 30 05:21:29 argus argus[31395]: 30 Mar 14 05:21:29.114830
>>>>>>>> started
>>>>>>>> Mar 30 05:21:29 argus argus[31395]: 30 Mar 14 05:21:29.130717
>>>>>>>> started
>>>>>>>> Mar 30 05:21:29 argus argus[31395]: 30 Mar 14 05:21:29.156439
>>>>>>>> ArgusGetInterfaceStatus: interface dna0 is up
>>>>>>>> Mar 30 05:21:46 argus argus[31395]: 30 Mar 14 05:21:46.418902
>>>>>>>> stopped
>>>>>>>>
>>>>>>>>
>>>>>>>> I checked ifconfig, and it claims that dna0 is running in PROMISC
>>>>>>>> mode.
>>>>>>>> It’s strange that I’m not seeing any debug info at the command
>>>>>>>> line
>>>>>>>> of
>>>>>>>> in
>>>>>>>> /var/log/messages. I’ve tried specifying it in the config file
>>>>>>>> and
>>>>>>>> at
>>>>>>>> the
>>>>>>>> command line, but I haven’t sen any additional output. Perhaps I
>>>>>>>> didn’t
>>>>>>>> have one of the dependencies installed when I ran the configure
>>>>>>>> script,
>>>>>>>> and something isn’t working properly? Also, I see that libpcap
>>>>>>>> can
>>>>>>>> be
>>>>>>>> recompiled with PF_Ring support. Maybe I’ve missed something
>>>>>>>> obvious
>>>>>>>> here, but as Argus seems to depend on libpcap, do I need to
>>>>>>>> recompile
>>>>>>>> it
>>>>>>>> with PF_Ring capabilities?
>>>>>>>>
>>>>>>>> -Jeff
>>>>>>>>
>>>>>>>> On 3/29/14, 10:00 AM, "Carter Bullard" <carter at qosient.com> wrote:
>>>>>>>>
>>>>>>>>> Hey Jeffery,
>>>>>>>>> Sorry for the delayed response... and thanks Craig for taking
>>>>>>>>> the
>>>>>>>>> thread
>>>>>>>>> !!! The 128 byte records are management records, which are
>>>>>>>>> basically
>>>>>>>>> keep alive like status messages for down stream readers of data.
>>>>>>>>> They
>>>>>>>>> indicate that the sensor is alive.
>>>>>>>>>
>>>>>>>>> But you definately aren't getting any packets from the
>>>>>>>>> interfaces.
>>>>>>>>>
>>>>>>>>> You
>>>>>>>>> shouldn't need to modify the source for this to work. I'm pretty
>>>>>>>>> sure
>>>>>>>>> Craig doesn't modify his. So with a standard release, run argus
>>>>>>>>> the
>>>>>>>>> way
>>>>>>>>> you think you should with the -D8 option, so we can see what is
>>>>>>>>> up
>>>>>>>>> for
>>>>>>>>> 5-10 seconds or so, and send the output to the list.
>>>>>>>>>
>>>>>>>>> We should see a statement that the interface is up. We need to
>>>>>>>>> get
>>>>>>>>> that
>>>>>>>>> far before we'll try to read packets.
>>>>>>>>>
>>>>>>>>> Carter
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> On Mar 28, 2014, at 3:42 PM, "Reynolds, Jeffrey"
>>>>>>>>>> <JReynolds at utdallas.edu> wrote:
>>>>>>>>>>
>>>>>>>>>> Ok, I¹m almost sure there are issues with Argus and the code I¹ve
>>>>>>>>>> modified. To rehash, I¹ve changed line grabbed argus-3.0.7.5
>>>>>>>>>> and
>>>>>>>>>> I¹ve
>>>>>>>>>> chagned the following line in argus/ArgusSource.c
>>>>>>>>>>
>>>>>>>>>> 4331
>>>>>>>>>>
>>>>>>>>>> - if ((strstr(device->name, "dag")) || (strstr(device->name,
>>>>>>>>>> "napa"))) {
>>>>>>>>>>
>>>>>>>>>> + if (strstr(device->name, "dag") || strstr(device->name, "nap")
>>>>>>>>>> ||
>>>>>>>>>> strstr(device->name, "dna") || (strstr(device->name, "eth") &&
>>>>>>>>>> strstr(device->name, "@"))) {
>>>>>>>>>>
>>>>>>>>>> I¹ve also tried:
>>>>>>>>>>
>>>>>>>>>> + if ((strstr(device->name, "dag")) || (strstr(device->name,
>>>>>>>>>> "nap"))
>>>>>>>>>> ||
>>>>>>>>>> (strstr(device->name, "dna")) || (strstr(device->name, "eth") &&
>>>>>>>>>> strstr(device->name, "@"))) {
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> As I wasn¹t sure if the paren the strstr statements had to be
>>>>>>>>>> enclosed
>>>>>>>>>> in
>>>>>>>>>> their own set of parens. Anyway, in both instances, I¹ll try to
>>>>>>>>>> run
>>>>>>>>>> Argus
>>>>>>>>>> and wind up with a 128 byte file. For example:
>>>>>>>>>>
>>>>>>>>>> $ argus -i dna0 -w /var/data/argus-out -s 1500
>>>>>>>>>> (wait about 20 seconds)
>>>>>>>>>> $ ls -l /var/data
>>>>>>>>>> -rw-r--r--. 1 argus argus 128 Mar 28 07:46 argus-out
>>>>>>>>>>
>>>>>>>>>> When I run with the vanilla drivers, and my interface is not
>>>>>>>>>> ³dna0²
>>>>>>>>>> but
>>>>>>>>>> ³em1², then I get better results.
>>>>>>>>>>
>>>>>>>>>> # rmmod ixgbe
>>>>>>>>>> # modprobe ixgbe #pulling from /lib/modules/`uname -r`
>>>>>>>>>>
>>>>>>>>>> $ rm argus-out
>>>>>>>>>> rm: remove regular file `argus-out'? y
>>>>>>>>>> $ argus -i em1 -w /var/data/argus-out -s 1500
>>>>>>>>>> (wait about 20 seconds)
>>>>>>>>>> $ ls -l /var/data
>>>>>>>>>> -rw-r--r--. 1 argus argus 2392260 Mar 28 07:46 argus-out
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> The real kicker seems to be in /var/log/messages. When running
>>>>>>>>>> argus
>>>>>>>>>> on
>>>>>>>>>> em1 with the original ixgbe driver, I get the following output in
>>>>>>>>>> /var/log/messages:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Mar 28 05:14:52 argus argus[23142]: 28 Mar 14 05:14:52.865660
>>>>>>>>>> started
>>>>>>>>>> Mar 28 05:14:52 argus argus[23142]: 28 Mar 14 05:14:52.882755
>>>>>>>>>> started
>>>>>>>>>> Mar 28 05:14:52 argus kernel: device em1 entered promiscuous mode
>>>>>>>>>> Mar 28 05:14:52 argus argus[23142]: 28 Mar 14 05:14:52.932220
>>>>>>>>>> ArgusGetInterfaceStatus: interface em1 is up
>>>>>>>>>> Mar 28 05:15:18 argus argus[23142]: 28 Mar 14 05:15:18.812342
>>>>>>>>>> stopped
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> However, when running with the DNA driver, the output is as
>>>>>>>>>> follows:
>>>>>>>>>>
>>>>>>>>>> Mar 28 08:33:16 argus argus[23915]: 28 Mar 14 08:33:16.967530
>>>>>>>>>> started
>>>>>>>>>> Mar 28 08:33:16 argus argus[23915]: 28 Mar 14 08:33:16.985055
>>>>>>>>>> started
>>>>>>>>>> Mar 28 08:33:50 argus argus[23915]: 28 Mar 14 08:33:50.667199
>>>>>>>>>> stopped
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Now the interface is in promiscuous mode, I can see the change in
>>>>>>>>>> received
>>>>>>>>>> packets rising considerably by just running ifconfig a few
>>>>>>>>>> times.
>>>>>>>>>> I
>>>>>>>>>> think
>>>>>>>>>> that for whatever reason, the function in Argus that outputs the
>>>>>>>>>> ³ArgusGetInterfaceStatus² line isn¹t correctly interpreting dna0
>>>>>>>>>> as
>>>>>>>>>> an
>>>>>>>>>> appropriate interface.
>>>>>>>>>>
>>>>>>>>>> Does any of this sound remotely possible?
>>>>>>>>>>
>>>>>>>>>> -Jeff
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>> On 3/27/14, 7:23 PM, "Craig Merchant" <cmerchant at responsys.com>
>>>>>>>>>>> wrote:
>>>>>>>>>>>
>>>>>>>>>>> Hey, Jeffrey...
>>>>>>>>>>>
>>>>>>>>>>> The configuration questions for the pf_ring and ixgbe drivers
>>>>>>>>>>> may
>>>>>>>>>>> be
>>>>>>>>>>> better answered on the ntop forums... But I'll do my best.
>>>>>>>>>>> Here
>>>>>>>>>>> is
>>>>>>>>>>> how
>>>>>>>>>>> I load the drivers:
>>>>>>>>>>>
>>>>>>>>>>> insmod /lib/modules/2.6.32-220.el6.x86_64/updates/pf_ring.ko
>>>>>>>>>>> /sbin/modprobe ixgbe MQ=0,0 RSS=1,1 num_rx_slots=32768
>>>>>>>>>>>
>>>>>>>>>>> ifconfig dna0 up promisc
>>>>>>>>>>> ethtool -K dna0 tso off
>>>>>>>>>>> ethtool -K dna0 gro off
>>>>>>>>>>> ethtool -K dna0 lro off
>>>>>>>>>>> ethtool -K dna0 gso off
>>>>>>>>>>> ethtool -G dna0 tx 32768
>>>>>>>>>>> ethtool -G dna0 rx 32768
>>>>>>>>>>>
>>>>>>>>>>> One thing I'm not clear on from your config is why you are using
>>>>>>>>>>> pfdnacluster_master at all... That daemon is designed to split
>>>>>>>>>>> up
>>>>>>>>>>> flows
>>>>>>>>>>> and/or make copies of them to distribute to other applications.
>>>>>>>>>>>
>>>>>>>>>>> I
>>>>>>>>>>> don't
>>>>>>>>>>> think it's meant to aggregate two interfaces into one stream.
>>>>>>>>>>> Normally
>>>>>>>>>>> it's run with a -n parameter to tell it how many queues you want
>>>>>>>>>>> traffic
>>>>>>>>>>> divided up into. We use:
>>>>>>>>>>>
>>>>>>>>>>> pfdnacluster_master -d -c 10 -n 28,1 -m 0 -i dna0
>>>>>>>>>>>
>>>>>>>>>>> In this case, -n says "divide up one copy of the traffic into 28
>>>>>>>>>>> queues"
>>>>>>>>>>> and "create one copy of all the traffic on the last queue".
>>>>>>>>>>> The
>>>>>>>>>>> apps
>>>>>>>>>>> accessing the first 28 queues (Snort) would connect to
>>>>>>>>>>> dnacluster:10 at 0
>>>>>>>>>>> -
>>>>>>>>>>> dnacluster:10 at 27. Argus connects to dnacluster:10 at 28 and
>>>>>>>>>>> would
>>>>>>>>>>> see
>>>>>>>>>>> a
>>>>>>>>>>> copy of all of the traffic.
>>>>>>>>>>>
>>>>>>>>>>> If all you are looking to do is combine traffic from two
>>>>>>>>>>> interfaces
>>>>>>>>>>> into
>>>>>>>>>>> one, why not just run argus with -i dna0,dna1?
>>>>>>>>>>>
>>>>>>>>>>> For testing, I would try the following to see where you might
>>>>>>>>>>> be
>>>>>>>>>>> having
>>>>>>>>>>> problems:
>>>>>>>>>>>
>>>>>>>>>>> pfcount -i dna0
>>>>>>>>>>> pfcount -i dna1
>>>>>>>>>>> pfcount -i dna0,dna1
>>>>>>>>>>> pfcount -i dnacluster:10
>>>>>>>>>>> pfcount -i dnacluster:10 at 0
>>>>>>>>>>>
>>>>>>>>>>> Let me know if that helps...
>>>>>>>>>>>
>>>>>>>>>>> Craig
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> -----Original Message-----
>>>>>>>>>>> From: Reynolds, Jeffrey [mailto:JReynolds at utdallas.edu]
>>>>>>>>>>> Sent: Thursday, March 27, 2014 3:18 PM
>>>>>>>>>>> To: Craig Merchant; Carter Bullard
>>>>>>>>>>> Cc: Argus
>>>>>>>>>>> Subject: Re: [ARGUS] Multi-Instanced Argus
>>>>>>>>>>>
>>>>>>>>>>> So I understand this is from a while ago, but here is what I
>>>>>>>>>>> have.
>>>>>>>>>>> Craig, maybe you can show me how I'm doing it wrong.
>>>>>>>>>>>
>>>>>>>>>>> I finally got PF_Ring and libzero licensed correctly so that
>>>>>>>>>>> pfdnacluster
>>>>>>>>>>> isn't limited to 5 minutes of capture. I downloaded the Argus
>>>>>>>>>>> source,
>>>>>>>>>>> installed the dependencies, and compiled after making the
>>>>>>>>>>> change
>>>>>>>>>>> you
>>>>>>>>>>> noted below. However, I don't seem to be properly attaching
>>>>>>>>>>> argus
>>>>>>>>>>> to
>>>>>>>>>>> my
>>>>>>>>>>> devices to allow it to capture. I have a feeling its something
>>>>>>>>>>> to
>>>>>>>>>>> do
>>>>>>>>>>> with my PF_Ring or dna-ixgbe conf files. We have two
>>>>>>>>>>> interfaces
>>>>>>>>>>> to
>>>>>>>>>>> monitor, which I've previously combined into one by using
>>>>>>>>>>> pfdnacluster_master. However, it looks like I can't get Argus
>>>>>>>>>>> to
>>>>>>>>>>> hook
>>>>>>>>>>> into that or a single dan interface. Anyway, after make
>>>>>>>>>>> installing,
>>>>>>>>>>> I
>>>>>>>>>>> run the following command with the following result:
>>>>>>>>>>>
>>>>>>>>>>> #pfdnacluster_master -i dna0,dna1 -c 10
>>>>>>>>>>> #argus -i dnacluster:10 -s 1500 -w /var/data/argus-out
>>>>>>>>>>>
>>>>>>>>>>> My /var/log/messages says that the specified interface doesn't
>>>>>>>>>>> exist,
>>>>>>>>>>> which I kind of expected.
>>>>>>>>>>> So I tried this (without pfdnacluster running):
>>>>>>>>>>>
>>>>>>>>>>> #argus -i dna0 -s 1500 -w /var/data/argus-out
>>>>>>>>>>>
>>>>>>>>>>> This time argus appears to have started, but my output file is
>>>>>>>>>>> not
>>>>>>>>>>> growing (it initial starts at 128 bytes and increases by that
>>>>>>>>>>> same
>>>>>>>>>>> amount
>>>>>>>>>>> every 30 seconds or so).
>>>>>>>>>>>
>>>>>>>>>>> In case this happens to be the parameters I'm loading with my
>>>>>>>>>>> kernel
>>>>>>>>>>> modules, here they are:
>>>>>>>>>>>
>>>>>>>>>>> pf_ring.ko transparenet_mode=2
>>>>>>>>>>> (I've also tried 0, with similar results) ixgbe.ko RSS=1,1,1,1
>>>>>>>>>>> (I
>>>>>>>>>>> wasn't
>>>>>>>>>>> seeing all of the traffic from my interfaces with the default
>>>>>>>>>>> config,
>>>>>>>>>>> the
>>>>>>>>>>> ntop folks recommended this, I need to dig further into the
>>>>>>>>>>> docs
>>>>>>>>>>> to
>>>>>>>>>>> learn
>>>>>>>>>>> more about these parameters).
>>>>>>>>>>>
>>>>>>>>>>> To answer your original question, I'm only monitoring about
>>>>>>>>>>> ~2Gbps,
>>>>>>>>>>> significantly less then you are. I'm not sure if what I've
>>>>>>>>>>> noticed
>>>>>>>>>>> would
>>>>>>>>>>> be considered "gaps", but we do see exchanges where the server
>>>>>>>>>>> appears
>>>>>>>>>>> to
>>>>>>>>>>> initiate conversations by sending a response to a client, which
>>>>>>>>>>> the
>>>>>>>>>>> client doesn't appear to have requested. I'm guess the missing
>>>>>>>>>>> request
>>>>>>>>>>> was most likely a packet that didn't get captured.
>>>>>>>>>>>
>>>>>>>>>>> Any configuration suggestions would be much appreciated.
>>>>>>>>>>>
>>>>>>>>>>> Thanks,
>>>>>>>>>>>
>>>>>>>>>>> Jeff
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> From: Craig Merchant
>>>>>>>>>>> <cmerchant at responsys.com<mailto:cmerchant at responsys.com>>
>>>>>>>>>>> Date: Wednesday, March 12, 2014 at 6:39 PM
>>>>>>>>>>> To: Carter Bullard
>>>>>>>>>>> <carter at qosient.com<mailto:carter at qosient.com>>,
>>>>>>>>>>> Jeff
>>>>>>>>>>> Reynolds <jjr140030 at utdallas.edu<mailto:jjr140030 at utdallas.edu>>
>>>>>>>>>>> Cc: Argus
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> <argus-info at lists.andrew.cmu.edu<mailto:argus-info at lists.andrew.c
>>>>>>>>>>> m
>>>>>>>>>>> u.
>>>>>>>>>>> ed
>>>>>>>>>>> u>
>>>>>>>>>>>>
>>>>>>>>>>> Subject: RE: [ARGUS] Multi-Instanced Argus
>>>>>>>>>>>
>>>>>>>>>>> We're running Argus and Snort of PF_RING's DNA/Libzero drivers.
>>>>>>>>>>>
>>>>>>>>>>> We
>>>>>>>>>>> decided to use Libzero because the standard DNA drivers limit
>>>>>>>>>>> the
>>>>>>>>>>> number
>>>>>>>>>>> of memory "queues" containing network traffic to 16. Each
>>>>>>>>>>> queue
>>>>>>>>>>> can
>>>>>>>>>>> only
>>>>>>>>>>> be accessed by a single process and our sensors have 32 cores,
>>>>>>>>>>> so
>>>>>>>>>>> we
>>>>>>>>>>> wouldn't be able to run the maximum number of Snort instances
>>>>>>>>>>> without
>>>>>>>>>>> it.
>>>>>>>>>>>
>>>>>>>>>>> We use the pfdnaclustermaster app to spread flows across 28
>>>>>>>>>>> queues
>>>>>>>>>>> for
>>>>>>>>>>> snort and also maintain a copy of all flows in a queue for
>>>>>>>>>>> Argus.
>>>>>>>>>>>
>>>>>>>>>>> To get it to work, all I had to do was make a slight edit to
>>>>>>>>>>> ArgusSource.c so that Argus would recognize DNA/Libzero queues
>>>>>>>>>>> as a
>>>>>>>>>>> valid
>>>>>>>>>>> interface.
>>>>>>>>>>>
>>>>>>>>>>> Somewhere around line 4191 (for argus 3.0.7):
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> - if ((strstr(device->name, "dag")) || (strstr(device->name,
>>>>>>>>>>> "napa"))) {
>>>>>>>>>>>
>>>>>>>>>>> + if (strstr(device->name, "dag") || strstr(device->name,
>>>>>>>>>>> "nap")
>>>>>>>>>>> ||
>>>>>>>>>>> + strstr(device->name, "dna") || (strstr(device->name, "eth") &&
>>>>>>>>>>> + strstr(device->name, "@"))) {
>>>>>>>>>>>
>>>>>>>>>>> Our data centers do around 4-8 Gbps 24/7. From what I recall,
>>>>>>>>>>> there
>>>>>>>>>>> is
>>>>>>>>>>> (or was) a bug in PF_RING that caused Argus to run at 100% all
>>>>>>>>>>> of
>>>>>>>>>>> the
>>>>>>>>>>> time, but in my experience Argus wasn't having problems keeping
>>>>>>>>>>> up
>>>>>>>>>>> with
>>>>>>>>>>> our volume of data. We did see an unusually high number of
>>>>>>>>>>> flows
>>>>>>>>>>> that
>>>>>>>>>>> Argus couldn't determine the direction of, but we weren't
>>>>>>>>>>> seeing
>>>>>>>>>>> gaps
>>>>>>>>>>> in
>>>>>>>>>>> the packets or anything else to suggest that Argus couldn't
>>>>>>>>>>> handle
>>>>>>>>>>> the
>>>>>>>>>>> volume.
>>>>>>>>>>>
>>>>>>>>>>> How much traffic are you sending at Argus? Have you tried
>>>>>>>>>>> searching
>>>>>>>>>>> your
>>>>>>>>>>> Argus records for flows that have gaps in them? That would be
>>>>>>>>>>> a
>>>>>>>>>>> pretty
>>>>>>>>>>> good indicator that Argus may have trouble keeping up. Or that
>>>>>>>>>>> your
>>>>>>>>>>> SPAN
>>>>>>>>>>> port can't handle the load...
>>>>>>>>>>>
>>>>>>>>>>> Thx.
>>>>>>>>>>>
>>>>>>>>>>> Craig
>>>>>>>>>>>
>>>>>>>>>>> From:
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> argus-info-bounces+cmerchant=responsys.com at lists.andrew.cmu.edu<m
>>>>>>>>>>> a
>>>>>>>>>>> il
>>>>>>>>>>> to
>>>>>>>>>>> :a
>>>>>>>>>>> rg
>>>>>>>>>>> us-info-bounces+cmerchant=responsys.com at lists.andrew.cmu.edu>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> [mailto:argus-info-bounces+cmerchant=responsys.com at lists.andrew.c
>>>>>>>>>>> m
>>>>>>>>>>> u.
>>>>>>>>>>> ed
>>>>>>>>>>> u]
>>>>>>>>>>> On Behalf Of Carter Bullard
>>>>>>>>>>> Sent: Wednesday, March 12, 2014 1:57 PM
>>>>>>>>>>> To: Reynolds, Jeffrey
>>>>>>>>>>> Cc: Argus
>>>>>>>>>>> Subject: Re: [ARGUS] Multi-Instanced Argus
>>>>>>>>>>>
>>>>>>>>>>> Hey Jeffery,
>>>>>>>>>>> Good so far. This seem like the link for accelerating snort
>>>>>>>>>>> with
>>>>>>>>>>> PF_RING DNA ??
>>>>>>>>>>> http://www.ntop.org/pf_ring/accelerating-snort-with-pf_ring-dna/
>>>>>>>>>>>
>>>>>>>>>>> I'm interested in the symmetric RSS and if it works properly.
>>>>>>>>>>> Are you running the PF_RING DNA DAQ ????
>>>>>>>>>>>
>>>>>>>>>>> It would seem that we'll have to modify argus to use this
>>>>>>>>>>> facility
>>>>>>>>>>> ???
>>>>>>>>>>>
>>>>>>>>>>> Carter
>>>>>>>>>>>
>>>>>>>>>>> On Mar 12, 2014, at 3:26 PM, Reynolds, Jeffrey
>>>>>>>>>>> <JReynolds at utdallas.edu<mailto:JReynolds at utdallas.edu>> wrote:
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> First, before we dive into to it too deep, how is the
>>>>>>>>>>> performance
>>>>>>>>>>> ??
>>>>>>>>>>>
>>>>>>>>>>> This actually seems like a great place to start. Before
>>>>>>>>>>> getting
>>>>>>>>>>> too
>>>>>>>>>>> heavy into PF_RING integration, maybe I should offer a bit of
>>>>>>>>>>> backstory.
>>>>>>>>>>> Our main goal is just to archive traffic. We have a server
>>>>>>>>>>> running
>>>>>>>>>>> CentOS 6 that receives traffic from two SPAN ports. The only
>>>>>>>>>>> thing
>>>>>>>>>>> we
>>>>>>>>>>> want to accomplish is to maintain a copy of that traffic for
>>>>>>>>>>> some
>>>>>>>>>>> period
>>>>>>>>>>> of time. Argus was used because it seemed to be the best tool
>>>>>>>>>>> for
>>>>>>>>>>> the
>>>>>>>>>>> price, and it comes with a lot of great features that while we
>>>>>>>>>>> may
>>>>>>>>>>> not
>>>>>>>>>>> use now, we may use later (again, for right now all we want is
>>>>>>>>>>> a
>>>>>>>>>>> copy
>>>>>>>>>>> of
>>>>>>>>>>> the traffic to be able to perform forensics on).
>>>>>>>>>>>
>>>>>>>>>>> Now, I put up a single instance of Argus and pointed it at the
>>>>>>>>>>> interface
>>>>>>>>>>> that was the master of our two bonded physical NICs (eth0 and
>>>>>>>>>>> eth1
>>>>>>>>>>> are
>>>>>>>>>>> bonded to bond0). I let it run for an hour to get some
>>>>>>>>>>> preliminary
>>>>>>>>>>> numbers. I ran an recount against my output file and got the
>>>>>>>>>>> following
>>>>>>>>>>> stats:
>>>>>>>>>>>
>>>>>>>>>>> racount -t 2014y3m12d05h -r argus-out
>>>>>>>>>>> racount records total_pkts src_pkts dst_pkts total_bytes
>>>>>>>>>>> src_bytes
>>>>>>>>>>> dst_bytes sum 14236180 187526800 98831765 88695035 212079839908
>>>>>>>>>>> 102889789820 109190050088
>>>>>>>>>>>
>>>>>>>>>>> However, the switch the switch sending that traffic reported
>>>>>>>>>>> that
>>>>>>>>>>> it
>>>>>>>>>>> had
>>>>>>>>>>> sent a total of 421,978,297 packets to both interfaces, and a
>>>>>>>>>>> total
>>>>>>>>>>> of
>>>>>>>>>>> 371,307,051,815 bytes for that time frame. I could be
>>>>>>>>>>> interpreting
>>>>>>>>>>> something incorrectly, so maybe the best first thing for me to
>>>>>>>>>>> confirm
>>>>>>>>>>> is
>>>>>>>>>>> that we are in fact losing a lot of traffic. But it seems that
>>>>>>>>>>> a
>>>>>>>>>>> single
>>>>>>>>>>> argus instance can't keep up with the traffic. I've seen this
>>>>>>>>>>> happen
>>>>>>>>>>> with Snort, and our solution was to plug Snort into PF_RING to
>>>>>>>>>>> allow
>>>>>>>>>>> the
>>>>>>>>>>> traffic to be intelligently forwarded via the Snort Data
>>>>>>>>>>> Acquisition
>>>>>>>>>>> Library (DAQ). From the perspective of someone who hasn't had
>>>>>>>>>>> a
>>>>>>>>>>> lot
>>>>>>>>>>> of
>>>>>>>>>>> exposure to this level of hardware configuration, it was
>>>>>>>>>>> relatively
>>>>>>>>>>> easy
>>>>>>>>>>> to plug the configuration parameters in at the Snort command
>>>>>>>>>>> line
>>>>>>>>>>> to
>>>>>>>>>>> have
>>>>>>>>>>> them all point at the same traffic source so that each
>>>>>>>>>>> individual
>>>>>>>>>>> process
>>>>>>>>>>> didn't run through the same traffic. My hope was that there
>>>>>>>>>>> might
>>>>>>>>>>> just
>>>>>>>>>>> be some parameters to set within the argus.conf file which
>>>>>>>>>>> would
>>>>>>>>>>> tell
>>>>>>>>>>> each process to pull from a single PF_RING source. However, it
>>>>>>>>>>> looks
>>>>>>>>>>> like this might not be as easy as I had once thought.
>>>>>>>>>>>
>>>>>>>>>>> Am I on the right track or does this make even a little sense?
>>>>>>>>>>>
>>>>>>>>>>> Thanks,
>>>>>>>>>>>
>>>>>>>>>>> Jeff
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> From: Carter Bullard
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> <carter at qosient.com<mailto:carter at qosient.com><mailto:carter at qosi
>>>>>>>>>>> e
>>>>>>>>>>> nt
>>>>>>>>>>> .c
>>>>>>>>>>> om
>>>>>>>>>>>>>
>>>>>>>>>>> Date: Wednesday, March 12, 2014 at 9:54 AM
>>>>>>>>>>> To: "Reynolds, Jeffrey"
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> <JReynolds at utdallas.edu<mailto:JReynolds at utdallas.edu><mailto:JRe
>>>>>>>>>>> y
>>>>>>>>>>> no
>>>>>>>>>>> ld
>>>>>>>>>>> s@
>>>>>>>>>>> ut
>>>>>>>>>>> dallas.edu>>
>>>>>>>>>>> Cc: Argus
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> <argus-info at lists.andrew.cmu.edu<mailto:argus-info at lists.andrew.c
>>>>>>>>>>> m
>>>>>>>>>>> u.
>>>>>>>>>>> ed
>>>>>>>>>>> u>
>>>>>>>>>>> <m
>>>>>>>>>>> ailto:argus-info at lists.andrew.cmu.edu>>
>>>>>>>>>>> Subject: Re: [ARGUS] Multi-Instanced Argus
>>>>>>>>>>>
>>>>>>>>>>> Hey Jeffrey,
>>>>>>>>>>> I am very interested in this approach, but I have no experience
>>>>>>>>>>> with
>>>>>>>>>>> this
>>>>>>>>>>> PF_RING feature, so I'll have to give you the "design response".
>>>>>>>>>>> Hopefully, we can get this to where its doing exactly what
>>>>>>>>>>> anyone
>>>>>>>>>>> would
>>>>>>>>>>> want it to do, and get us a really fast argus, on the cheap.
>>>>>>>>>>>
>>>>>>>>>>> First, before we dive into to it too deep, how is the
>>>>>>>>>>> performance
>>>>>>>>>>> ??
>>>>>>>>>>> Are
>>>>>>>>>>> you getting bi-directional flows out of this scheme ?? Are you
>>>>>>>>>>> seeing
>>>>>>>>>>> all the traffic ??? If so, then congratulations !!! If the
>>>>>>>>>>> performance
>>>>>>>>>>> is good, your seeing all the traffic, but you're only getting
>>>>>>>>>>> uni-directional flows, then we may have some work to do, but
>>>>>>>>>>> still
>>>>>>>>>>> congratulations !!! If you're not getting all the traffic then
>>>>>>>>>>> we
>>>>>>>>>>> have
>>>>>>>>>>> some real work to do, as one of the purposes of argus is to
>>>>>>>>>>> monitor
>>>>>>>>>>> all
>>>>>>>>>>> the traffic.
>>>>>>>>>>>
>>>>>>>>>>> OK, so my understanding is that the PF_RING can do some packet
>>>>>>>>>>> routing
>>>>>>>>>>> to
>>>>>>>>>>> a non-overlapping set of tap interfaces. Routing is based on
>>>>>>>>>>> some
>>>>>>>>>>> classification scheme, designed to make this usable. The
>>>>>>>>>>> purpose
>>>>>>>>>>> is
>>>>>>>>>>> to
>>>>>>>>>>> provide coarse grain parallelism for packet processing. The
>>>>>>>>>>> idea,
>>>>>>>>>>> as
>>>>>>>>>>> much as I can tell, is to prevent multiple readers from having
>>>>>>>>>>> to
>>>>>>>>>>> read
>>>>>>>>>>> from the same queue; eliminating locking issues, which kills
>>>>>>>>>>> performance
>>>>>>>>>>> etc...
>>>>>>>>>>>
>>>>>>>>>>> So, I'm not sure what you mean by "pulling from the same
>>>>>>>>>>> queue".
>>>>>>>>>>>
>>>>>>>>>>> If
>>>>>>>>>>> you
>>>>>>>>>>> do have multiple argi reading the same packet, you will end up
>>>>>>>>>>> counting a
>>>>>>>>>>> single packet multiple times. Not a terrible thing, but not
>>>>>>>>>>> recommended.
>>>>>>>>>>> Its not that you're creating multiple observation domains using
>>>>>>>>>>> this
>>>>>>>>>>> PF_RING technique. You're really splitting a single packet
>>>>>>>>>>> observation
>>>>>>>>>>> domain into a multi-sensor facility ... eventually you will
>>>>>>>>>>> want
>>>>>>>>>>> to
>>>>>>>>>>> combine the total argus output into a single output stream, that
>>>>>>>>>>> represents the single packet observation domain. At least that
>>>>>>>>>>> is
>>>>>>>>>>> my
>>>>>>>>>>> thinking, and I would recommend that you use radium to connect
>>>>>>>>>>> to
>>>>>>>>>>> all
>>>>>>>>>>> of
>>>>>>>>>>> your argus instances, rather than writing the argus output to a
>>>>>>>>>>> set
>>>>>>>>>>> of
>>>>>>>>>>> files. Radium will generate a single argus data output stream,
>>>>>>>>>>> representing the argus data from the single observation domain.
>>>>>>>>>>>
>>>>>>>>>>> The design issue of using the PF_RING function is "how is
>>>>>>>>>>> PF_RING
>>>>>>>>>>> classifying packets to do the routing?".
>>>>>>>>>>> We would like for it to send packets that belong to the same
>>>>>>>>>>> bi-directional flow to the same virtual interface, so argus can
>>>>>>>>>>> do
>>>>>>>>>>> its
>>>>>>>>>>> bi-directional thing. PF_RING claims that you can provide your
>>>>>>>>>>> own
>>>>>>>>>>> classifier logic, which we can do to make this happen. We have
>>>>>>>>>>> a
>>>>>>>>>>> pretty
>>>>>>>>>>> fast bidirectional hashing scheme which we can try out.
>>>>>>>>>>>
>>>>>>>>>>> We have a number of people that are using netmap instead of
>>>>>>>>>>> PF_RING.
>>>>>>>>>>> My
>>>>>>>>>>> understanding is that it also has this same type of feature.
>>>>>>>>>>> If
>>>>>>>>>>> we
>>>>>>>>>>> can
>>>>>>>>>>> get some people talking about that, that would help a bit.
>>>>>>>>>>>
>>>>>>>>>>> Carter
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On Mar 12, 2014, at 1:03 AM, Reynolds, Jeffrey
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> <JReynolds at utdallas.edu<mailto:JReynolds at utdallas.edu><mailto:JRe
>>>>>>>>>>> y
>>>>>>>>>>> no
>>>>>>>>>>> ld
>>>>>>>>>>> s@
>>>>>>>>>>> ut
>>>>>>>>>>> dallas.edu>> wrote:
>>>>>>>>>>>
>>>>>>>>>>> Howdy All,
>>>>>>>>>>>
>>>>>>>>>>> So after forever and a day, I've finally found time to start
>>>>>>>>>>> working
>>>>>>>>>>> on
>>>>>>>>>>> my multi-instanced argus configuration. Here is my setup:
>>>>>>>>>>>
>>>>>>>>>>> -CentOS 6.5 x64
>>>>>>>>>>> -pfring driver compiled from source
>>>>>>>>>>> -pfring capable Intel NICs (currently using the ixgbe driver
>>>>>>>>>>> version
>>>>>>>>>>> 3.15.1-k) (these NICs are in a bonded configuration under a
>>>>>>>>>>> device
>>>>>>>>>>> named
>>>>>>>>>>> bond0)
>>>>>>>>>>>
>>>>>>>>>>> I've configured my startup script to start 5 instances of
>>>>>>>>>>> Argus,
>>>>>>>>>>> each
>>>>>>>>>>> with there own /etc/argusX.conf file (argus1.conf, argus2.conf,
>>>>>>>>>>> etc).
>>>>>>>>>>> The start up script correctly assigns the proper pid file to
>>>>>>>>>>> each
>>>>>>>>>>> instance, and everything starts and stops smoothly. Each
>>>>>>>>>>> instance
>>>>>>>>>>> is
>>>>>>>>>>> writing an output file to /var/argus in the format of
>>>>>>>>>>> argusX.out.
>>>>>>>>>>> When I
>>>>>>>>>>> first tried running my argus instances, I ran them with a
>>>>>>>>>>> version
>>>>>>>>>>> of
>>>>>>>>>>> PF_RING I had installed from an RPM obtained from the ntop repo.
>>>>>>>>>>> Things
>>>>>>>>>>> didn't seem to work correctly, so I tried again after I had
>>>>>>>>>>> compiled
>>>>>>>>>>> from
>>>>>>>>>>> source. After compiling from source, I got the following
>>>>>>>>>>> output
>>>>>>>>>>> in
>>>>>>>>>>> /var/log/messages when I started argus:
>>>>>>>>>>>
>>>>>>>>>>> Mar 11 17:48:16 argus kernel: No module found in object Mar 11
>>>>>>>>>>> 17:49:16
>>>>>>>>>>> argus kernel: [PF_RING] Welcome to PF_RING 5.6.3 ($Revision:
>>>>>>>>>>> 7358$)
>>>>>>>>>>> Mar
>>>>>>>>>>> 11 17:49:16 argus kernel: (C) 2004-14
>>>>>>>>>>> ntop.org<http://ntop.org/><http://ntop.org<http://ntop.org/>>
>>>>>>>>>>> Mar 11 17:49:16 argus kernel: [PF_RING] registered
>>>>>>>>>>> /proc/net/pf_ring/
>>>>>>>>>>> Mar
>>>>>>>>>>> 11 17:49:16 argus kernel: NET: Registered protocol family 27
>>>>>>>>>>> Mar
>>>>>>>>>>> 11
>>>>>>>>>>> 17:49:16 argus kernel: [PF_RING] Min # ring slots 4096
>>>>>>>>>>> Mar 11 17:49:16 argus kernel: [PF_RING] Slot version 15
>>>>>>>>>>> Mar 11 17:49:16 argus kernel: [PF_RING] Capture TX Yes
>>>>>>>>>>> [RX+TX]
>>>>>>>>>>> Mar 11 17:49:16 argus kernel: [PF_RING] Transparent Mode 0
>>>>>>>>>>> Mar 11 17:49:16 argus kernel: [PF_RING] IP Defragment No
>>>>>>>>>>> Mar 11 17:49:16 argus kernel: [PF_RING] Initialized correctly
>>>>>>>>>>> Mar
>>>>>>>>>>> 11
>>>>>>>>>>> 17:49:35 argus kernel: Bluetooth: Core ver 2.15 Mar 11 17:49:35
>>>>>>>>>>> argus
>>>>>>>>>>> kernel: NET: Registered protocol family 31 Mar 11 17:49:35 argus
>>>>>>>>>>> kernel:
>>>>>>>>>>> Bluetooth: HCI device and connection manager initialized Mar 11
>>>>>>>>>>> 17:49:35
>>>>>>>>>>> argus kernel: Bluetooth: HCI socket layer initialized Mar 11
>>>>>>>>>>> 17:49:35
>>>>>>>>>>> argus kernel: Netfilter messages via NETLINK v0.30.
>>>>>>>>>>> Mar 11 17:49:35 argus argus[13918]: 11 Mar 14 17:49:35.643243
>>>>>>>>>>> started
>>>>>>>>>>> Mar
>>>>>>>>>>> 11 17:49:35 argus argus[13918]: 11 Mar 14 17:49:35.693930
>>>>>>>>>>> started
>>>>>>>>>>> Mar
>>>>>>>>>>> 11
>>>>>>>>>>> 17:49:35 argus kernel: device bond0 entered promiscuous mode
>>>>>>>>>>> Mar
>>>>>>>>>>> 11
>>>>>>>>>>> 17:49:35 argus kernel: device em1 entered promiscuous mode Mar
>>>>>>>>>>> 11
>>>>>>>>>>> 17:49:35 argus kernel: device em2 entered promiscuous mode Mar
>>>>>>>>>>> 11
>>>>>>>>>>> 17:49:35 argus argus[13918]: 11 Mar 14 17:49:35.721490
>>>>>>>>>>> ArgusGetInterfaceStatus: interface bond0 is up Mar 11 17:49:36
>>>>>>>>>>> argus
>>>>>>>>>>> argus[13922]: 11 Mar 14 17:49:36.349202 started Mar 11 17:49:36
>>>>>>>>>>> argus
>>>>>>>>>>> argus[13922]: 11 Mar 14 17:49:36.364625 started Mar 11 17:49:36
>>>>>>>>>>> argus
>>>>>>>>>>> argus[13922]: 11 Mar 14 17:49:36.383623 ArgusGetInterfaceStatus:
>>>>>>>>>>> interface bond0 is up Mar 11 17:49:37 argus argus[13926]: 11
>>>>>>>>>>> Mar
>>>>>>>>>>> 14
>>>>>>>>>>> 17:49:37.045224 started Mar 11 17:49:37 argus argus[13926]: 11
>>>>>>>>>>> Mar
>>>>>>>>>>> 14
>>>>>>>>>>> 17:49:37.060689 started Mar 11 17:49:37 argus argus[13926]: 11
>>>>>>>>>>> Mar
>>>>>>>>>>> 14
>>>>>>>>>>> 17:49:37.079706 ArgusGetInterfaceStatus: interface bond0 is up
>>>>>>>>>>> Mar
>>>>>>>>>>> 11
>>>>>>>>>>> 17:49:37 argus argus[13930]: 11 Mar 14 17:49:37.753278 started
>>>>>>>>>>> Mar
>>>>>>>>>>> 11
>>>>>>>>>>> 17:49:37 argus argus[13930]: 11 Mar 14 17:49:37.768613 started
>>>>>>>>>>> Mar
>>>>>>>>>>> 11
>>>>>>>>>>> 17:49:37 argus argus[13930]: 11 Mar 14 17:49:37.785691
>>>>>>>>>>> ArgusGetInterfaceStatus: interface bond0 is up Mar 11 17:49:38
>>>>>>>>>>> argus
>>>>>>>>>>> argus[13934]: 11 Mar 14 17:49:38.449229 started Mar 11 17:49:38
>>>>>>>>>>> argus
>>>>>>>>>>> argus[13934]: 11 Mar 14 17:49:38.466365 started Mar 11 17:49:38
>>>>>>>>>>> argus
>>>>>>>>>>> argus[13934]: 11 Mar 14 17:49:38.485675 ArgusGetInterfaceStatus:
>>>>>>>>>>> interface bond0 is up
>>>>>>>>>>>
>>>>>>>>>>> Aside from the "No module found in object" error, everything
>>>>>>>>>>> seems
>>>>>>>>>>> like
>>>>>>>>>>> its working Ok. The only problem is that I don't seem to have
>>>>>>>>>>> my
>>>>>>>>>>> argus
>>>>>>>>>>> instances configured to pull traffic from the same queue. In
>>>>>>>>>>> other
>>>>>>>>>>> words, I have five output files from five argus instances with
>>>>>>>>>>> like
>>>>>>>>>>> traffic in all of them. I haven't made any changes to my argus
>>>>>>>>>>> config
>>>>>>>>>>> files, aside from telling them to write to different locations
>>>>>>>>>>> and
>>>>>>>>>>> the
>>>>>>>>>>> name of the interface. I know I'm missing something but I'm not
>>>>>>>>>>> quite
>>>>>>>>>>> sure what it is. If someone might be able to tell me how to
>>>>>>>>>>> configure
>>>>>>>>>>> these five instances to pull from the same PF_RING queue, I'd
>>>>>>>>>>> be
>>>>>>>>>>> mighty
>>>>>>>>>>> obliged. Let me know if I need to submit any additional
>>>>>>>>>>> information.
>>>>>>>>>>>
>>>>>>>>>>> Thanks,
>>>>>>>>>>>
>>>>>>>>>>> Jeff Reynolds
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>
>>>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6837 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20140417/fd463920/attachment.bin>
More information about the argus
mailing list