Argus-info Digest, Vol 104, Issue 31
Carter Bullard
carter at qosient.com
Fri Apr 18 08:29:26 EDT 2014
Hey CS Lee,
We have the whole gamut of operations for AS numbers.
We do support native filtering on AS numbers for the clients:
ra -b - src as 7788
(000) ld dsr[21][4]
(001) jeq #0x1e6c jt 2 jf 3
(002) ret #150
(003) ret #0
But it hasn't made it into the ra.1 man page as a filter primitive.
So I’ll add that.
You can sort on AS, and that is in the resort.1 man page.
Printing is supported, and that is in the ra.1 man page.
Aggregating on AS is supported, and that is described in the racluster.1 man page.
We support src, dst and intermediate AS number processing.
So if a flow has an ICMP packet returned during its lifetime, the source
of the ICMP packet is the intermediate address. We support
AS number processing for those addresses.
Carter
On Apr 17, 2014, at 11:58 PM, CS Lee <geek00l at gmail.com> wrote:
> hi James,
>
> I don't think argus client has native filter to support AS filtering, even though you can do
>
> - host 1.2.3.4 for IP filtering
>
> But you can't do say
>
> - as 7788 for AS filtering yet(maybe Carter can add this feature?)
>
> However what we did inhouse is rather simple, as we have dumped the data into mysql db using rasqlinsert, so we did the topN and filtering using mysql instead. Hope it helps ;)
>
> Cheers!
>
>
>
>
> On Fri, Apr 18, 2014 at 5:44 AM, <argus-info-request at lists.andrew.cmu.edu> wrote:
> Send Argus-info mailing list submissions to
> argus-info at lists.andrew.cmu.edu
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.andrew.cmu.edu/mailman/listinfo/argus-info
> or, via email, send a message with subject or body 'help' to
> argus-info-request at lists.andrew.cmu.edu
>
> You can reach the person managing the list at
> argus-info-owner at lists.andrew.cmu.edu
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Argus-info digest..."
>
>
> Today's Topics:
>
> 1. AS Number filtering (James Grace)
> 2. Re: AS Number filtering (Jesse Bowling)
> 3. Re: AS Number filtering (James Grace)
> 4. Re: Multi-Instanced Argus (Carter Bullard)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 17 Apr 2014 16:04:20 -0400
> From: James Grace <jgrac002 at fiu.edu>
> Subject: [ARGUS] AS Number filtering
> To: argus-info <argus-info at lists.andrew.cmu.edu>
> Message-ID:
> <CAJEyGy_Kwd-V+c5Mu8AY8UqssO8U9iHFu=jvjTY3P9BcQ=vkhg at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Good afternoon, list,
>
> Is there anyway to get AS information from an Argus-client? I've done
> racluster type top-talkers using VID, IP address, and Protocol, but does
> Argus have the capability to scale up to Layer 4?
>
> Cheers,
>
> James
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: https://lists.andrew.cmu.edu/mailman/private/argus-info/attachments/20140417/703969fe/attachment-0001.html
>
> ------------------------------
>
> Message: 2
> Date: Thu, 17 Apr 2014 16:26:28 -0400
> From: Jesse Bowling <jessebowling at gmail.com>
> Subject: Re: [ARGUS] AS Number filtering
> To: James Grace <jgrac002 at fiu.edu>
> Cc: argus-info <argus-info at lists.andrew.cmu.edu>
> Message-ID:
> <CAGFhEnmWdhYwt7ZoJgAtffTj=P8LxNCyqyJceqm-oXrBpN-dgQ at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hi James,
>
> Check out this thread and it may help you along:
>
> http://comments.gmane.org/gmane.network.argus/10220
>
> Cheers,
>
> Jesse
>
>
> On Thu, Apr 17, 2014 at 4:04 PM, James Grace <jgrac002 at fiu.edu> wrote:
>
> > Good afternoon, list,
> >
> > Is there anyway to get AS information from an Argus-client? I've done
> > racluster type top-talkers using VID, IP address, and Protocol, but does
> > Argus have the capability to scale up to Layer 4?
> >
> > Cheers,
> >
> > James
> >
> >
>
>
> --
> Jesse Bowling
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: https://lists.andrew.cmu.edu/mailman/private/argus-info/attachments/20140417/fb5f886f/attachment-0001.html
>
> ------------------------------
>
> Message: 3
> Date: Thu, 17 Apr 2014 16:42:42 -0400
> From: James Grace <jgrac002 at fiu.edu>
> Subject: Re: [ARGUS] AS Number filtering
> To: Jesse Bowling <jessebowling at gmail.com>
> Cc: argus-info <argus-info at lists.andrew.cmu.edu>
> Message-ID:
> <CAJEyGy_Suz8n61rkVe0PK+vpcdrrATejwxb5CaGquz3NOQhwRg at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Thanks for the link. I'll RTFM and see if I run into any troubles.
>
> James
> On Apr 17, 2014 4:36 PM, "Jesse Bowling" <jessebowling at gmail.com> wrote:
>
> > Hi James,
> >
> > Check out this thread and it may help you along:
> >
> > http://comments.gmane.org/gmane.network.argus/10220
> >
> > Cheers,
> >
> > Jesse
> >
> >
> > On Thu, Apr 17, 2014 at 4:04 PM, James Grace <jgrac002 at fiu.edu> wrote:
> >
> >> Good afternoon, list,
> >>
> >> Is there anyway to get AS information from an Argus-client? I've done
> >> racluster type top-talkers using VID, IP address, and Protocol, but does
> >> Argus have the capability to scale up to Layer 4?
> >>
> >> Cheers,
> >>
> >> James
> >>
> >>
> >
> >
> > --
> > Jesse Bowling
> >
> >
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: https://lists.andrew.cmu.edu/mailman/private/argus-info/attachments/20140417/be90efb8/attachment-0001.html
>
> ------------------------------
>
> Message: 4
> Date: Thu, 17 Apr 2014 17:44:14 -0400
> From: Carter Bullard <carter at qosient.com>
> Subject: Re: [ARGUS] Multi-Instanced Argus
> To: "Reynolds, Jeffrey" <JReynolds at utdallas.edu>
> Cc: Argus <argus-info at lists.andrew.cmu.edu>
> Message-ID: <4785A7DA-22CC-4D96-A2B9-AC99B2183312 at qosient.com>
> Content-Type: text/plain; charset="euc-kr"
>
> Hey Jeff,
> The ?&&? is definitely wrong. With the && your saying that the string has to
> match two values at the same time, every time ( A || B || C || D) && E.
> Put in ? || ?, since you are asking is it any of these strings ?? You
> definitely want ( A || B || C || D || E).
>
> Carter
>
> On Apr 17, 2014, at 12:48 PM, Reynolds, Jeffrey <JReynolds at utdallas.edu> wrote:
>
> > Actually, never mind. Just went back nd checked to see that Craig?s
> > change was effectually A || B || (C && D). So kinda back to quare one
> > with that.
> >
> > Jeff
> >
> > On 4/17/14, 11:45 AM, "Reynolds, Jeffrey" <jjr140030 at utdallas.edu> wrote
> >
> >> The problem is still stuck at not being able to see any packets from the
> >> DNA interface.
> >>
> >> ith the oriinal source, I get deug output stating that the interface is
> >> selectable, as well as the output sent
> >>
> >> When I run with the ource code modification suggested by Craig, (which
> >> hasn?t been run in debug mode yet, /var/log/messages fails to report that
> >> the interface is being put into promiscuous mode. This in and of itsef
> >> doesn?t seem like it would necessarily be a big thing,as the interfaces
> >> are already in PROMISC according to fconfig, but still no packets get
> >> aptured.
> >>
> >> When I run with the source code modification where I har code the
> >> ?notselectable? variale, the output comes back that the interface is not
> >> selectable, and still n packets.
> >>
> >> I have yet to run with the mod that you just sent, bu it might be awhile
> >> before I have time to really try that out. I?m a little hesitant to put a
> >> lot of fith in it though, as the conditional to
> >> ?
> >> actually, what would the order of operations b there?
> >>
> >> With (A || B || C && D), would that be true with conditions A, B, or CD;
> >> or would that betrue with conditions AD, BD, or CD? If the latter is
> >> correct, then the original mod might have been eactly what I needed, with
> >> just a little logic tweak. I?ll check it out later.
> >>
> >> Jeff
> >>
> >> On 4/14/14, 11:29 AM, "Carter Bullard" <carter at qosient.com> wrote:
> >>
> >>> Hey Jeff,
> >>> So where are we on this problem ???
> >>> Its pretty clear thatyou aren?t getting any packets.
> >>>
> >>> The modification that you tried to the source wasn?t good logic,
> >>> with the?&&?, it should be a ?||?, of course.
> >>>
> >>> 4331
> >>>
> >>> - if ((strstr(device->name, "dag")) || (strstr(device->name, "napa"))) {
> >>>
> >>> + if (strstr(device->name, "dag") || strstr(device->name, "nap") |
> >>> strstr(device->name, "dna") || (strstr(device->name, "eth") &&
> >>> strstr(device->nae, "@"))) {
> >>>
> >>> should be
> >>>
> >>> + if (strstr(device->name, "dag") || strstr(device->name, "nap") ||
> >> strstr(device->name, "da") || (strstr(device->name, "eth") ||
> >>> strstr(device->name, "@"))) {
> >>>
> >>> Still having problems ???
> >>>
> >>> Carter
> >>>
> >>> On Apr 2, 2014, at 10:26 M, Reynolds, Jeffrey <JReynolds at utallas.edu>
> >>> wrote:
> >>>
> >>>> Carter,
> >>>>
> >>>> Thanks fr your response. The #define line is in
> >>>> ./include/argus_config.h, line 192. I made he modification you
> >>>> suggested, and stillo data is being writte. For sanity?s sake, here
> >>>> is
> >>>> the change I made:
> >>>>
> >>>> #Old File
> >>>> 3750:#if !defined(CGWIN)
> >>> 3751:#if defined(ARGUS_PLURIBUS)
> >>>> 3752:int notselectable = 1;
> >>>> 3753:#else
> >>>> 3754:in notselectable = 0;
> >>>> 3755:#endif
> >>>> 3756:#endif
> >>>>
> >>>>
> >>>> #New File
> >>>> 3750:#if !defined(CYGWIN)
> >>>>
> >>>> 371:#if defined(ARGUS_PLURIBUS)
> >>>> 3752:int notslectable = 1;
> >>>> 3753:#else
> >>>> 3754:int notselectable = 1;
> >>>> 3755:#endif
> >>>> 3756:#endi
> >>>
> >>>>
> >>>>
> >>>> Checking the output in /var/log/messages, it seems the change made dna0
> >>>> not elctable
> >>>>
> >>>> Apr 2 02:42:20 argus argus[5749]: 02 Apr 14 02:42:20.613894
> >>>> ArgusGetInterfceStatus: interface dna0 is up
> >>>> Apr 2 02:42:20argus argus[5749]: argus[5749.00f725094c7f0000]: 02 Apr
> >>>> 14
> >>>> 02:42:20.614645 ArgusGetPackets: interfae dna0 is no selectable
> >>>> Apr 2 02:42:20 argus argus[5749]: argus[5749.00f7250947f0000]: 0 Apr
> >>>> 14
> >>>> 02:42:20.61465 setArgusInterfaceStatus(0x7f4c095fe010, 1)
> >>>> Apr 2 02:42:20 argus agus[5749]:argus[5749.00f725094c7f0000]: 02 Apr
> >>>> 14
> >>>> 02:42:20.614829 ArgusUpdateTime (x7f4c092e1010) global tim
> >>>> 1396424540.614715 update 1396424540.814715 returning 1
> >>>> pr 2 02:42:20 argus argus[5749]: argus[5749.00f725094c7f0000]: 02 Apr
> >>>> 14
> >>>> 02:42:20.614854 AgusPushFrontList (0xa0f090, 0xa0f020, 1) returning
> >>>> 0x1677
> >>> Apr 2 02:42:20 argus rgus[5749]: argus[5749.00f725094c7f0000]: 02 Apr
> >>>> 14
> >>>> 02:42:20.615672 ArgusUpdateTime (0x7f4c092e110) not time
> >>>> Apr 2 02:42:20 argus argus[5749]: argus[5749.00f725094c7f0000]: 02 Apr
> >>>> 14
> >>>> 02:42:20.615809 ArgusUpdateTime (0x7f4c092e1010) not time
> >>>> Apr 2 02:42:20 argus argus[5749]: args[5749.00f725094c7f0000]: 02 Apr
> >>>> 14
> >>>> 02:42:20.615940 AgusUpdateTime (0x7f4c092e110) not time
> >>>> Apr 2 02:42:20 argus argus[5749]: argus[574900f725094c7f0000]: 02 Apr
> >>>> 14
> >>> 02:42:20.616070 ArgusUpdateTime (0x7f4c092e1010) not time
> >>>> Apr 2 02:42:20 argus argus[5749]: argus5749.00f725094c7f0000]: 02 Apr
> >>>> 14
> >>>> 02:42:20.616200 ArgusUpdateTime (07f4c092e1010) nt time
> >>>> Apr 2 02:42:20 argus argus[5749]: argus[5749.00f725094c7f0000]: 02 Apr
> >>>> 1
> >>>> 02:42:20.616313 ArgusUpdateTime (0x7f4c092e1010) not time
> >>>> Apr 2 0242:20 argus argus[5749]: argus[5749.00f72594c7f0000]: 02 Apr
> >>>> 14
> >>>> 02:42:20.616443 ArgusUpdateTime (0x7f4c092e1010) not time
> >>>> Apr 2 02:42:20 argus argus[5749]: argus[5749.00f725094c7f0000: 02 Apr
> >>>> 14
> >>>> 02:42:20.616572 ArgusUpdateTime (0x7f4c092e1010) not time
> >>>> Apr 2 02:42:20 argus argus5749]: argus[5749.00f725094c7f0000]: 02 Apr
> >>>> 14
> >>>> 02:42:20.616705 ArgusUpdateTime (0xf4c092e1010) not time
> >>>> Apr 2 02:42:20 argus argus[5749]: argus[5749.00f725094c7f0000]: 02 Apr
> >>>> 14
> >>>> 02:4:20.616834 ArguspdateTime (0x7f4c092e1010) not time
> >>>> Apr 2 02:42:20 argus argus[5749]: argus[5749.00f725094c7f0000]:02 Apr
> >>>> 14
> >>>> 02:42:20.66963 ArgusUpdateTime (0x7f4c092e1010) not time
> >>>> Apr 2 02:4:20 argus argus[5749]: argus5749.00f725094c7f0000]: 02 Apr
> >>>> 14
> >>>> 02:42:20.617092 ArgusUpdateTime (0x7f4c092e1010) not time
> >>>>
> >>>>
> >>>> What follows are a ton of the ArgusUpdaeTime lines, interspersed with:
> >>>>
> >>>> Apr 2 02:42:20 argus rsysogd-2177: imuxsock begins to drop messas
> >>>> from
> >>>> pid 5749 due to rate-limiting
> >>>> Apr 2 02:42:26 argus rsyslogd-277: imuxsock lost 43018 messages from
> >>>> pid
> >>>> 5749 due to rate-limiting
> >>>>
> >>>>
> >>>> And stuff like:
> >>>>
> >>>> Apr 2 02:42:32 argus argus[5749]: argus[5749.0097400a4c7f0000]: 02 Apr
> >>>> 14
> >>>> 02:42:32.000755 ArgusOutputProcss() checking out clients
> >>>> Apr 2 02:42:32 argus argus[5749]: argus[5749.0097400a4c7f0000]: 02 Apr
> >>>> 14
> >>>> 02:42:32.000772 ArgusOutputProcess() done with clients
> >>>> Apr 2 02:42:32 argus argus[5749]: argus[5749.0097400a4c7f0000: 02 Apr
> >>>> 14
> >>>> 02:42:32.000790 ArgsOutputProcess() looping
> >>>> Apr 2 02:42:32 argus argus[5749]: agus[5749.0097400a4c7f0000]: 02 Apr
> >>>> 14
> >>>> 02:42:32.000805 ArgusOutputProcess() waiting for input list
> >>>>
> >>>>
> >>>> Or:
> >>>>
> >>>> Apr 2 02:42:50 argus argus[5749]: argus[5749.00f725094c7f0000]:02 Apr
> >>>> 14
> >>>> 02:42:50.014918 ArgusUpdateTime (0x7f4c092e1010) global time
> >>>> 13962457.014812 update 1396424570.214715 returning 1
> >>>> Apr 2 02:42:50 argus argus[5749]: argus[5749.00f725094c7f0000]: 02 Apr
> >>>> 14
> >>>> 0242:50.014938 ArguPushFrontList (0xa0f090, 0xa0f020, 1) returning
> >>>> 0x1677
> >>>>
> >>>>
> >>>> Let me know if it miht be helpfl to get the entire log and I can send
> >>>> it
> >>>> to you.
> >>>>
> >>>> Jeff
> >>>>
> >>>
> >>>>
> >>>>
> >>>> On 4/2/14, 5:45 AM, "Carter Bullar" <carter at qosient.com> wrote:
> >>>>>>>> Hey Jeffrey,
> >>>>> Embedded in your debug list is the statement:
> >>>>>
> >>>>> Mar 31 02:13:45 args argus[2593]: argus[2593.00b733dd1d7f0000]: 31
> >>>>> Mar 14
> >>>>> 02:13:45.757200 ArgusGetPackets: interface dn0 is selectable
> >>>>>
> >>>>> and I suspect that it is not. Just curous, do you have this line
> >>>>> in your argus ./include/argus_config.h file ??
> >>>>>
> >>>>> #deine HAVE_PCAP_GET_SELECTABLE_FD 1
> >>>>>>>>> To get past this in the short term, just hard cde the selectable
> >>>>> status variable in the routineArgusGetPackets on line 3754. Here
> >>>>> is a diff:
> >>>>>
> >>>>> diff ArgusSource.c ArgusSource.c.new
> >>>>> 3756c3756
> >>>> < int notselectable = 0;
> >>>>> ---
> >>>>>> int otselectable = 1;
> >>>>>
> >>>>>
> >>>>> And ets see how that goes.
> >>>>>
> >>>>> Carter
> >>>>>
> >>>>>
> >>>> On Apr 1, 2014, at 3:38 PM, Reynolds, Jeffrey <Reynolds at utdallas.edu>
> >>>>> wrote:
> >>>>>
> >>>>>> Carter,
> >>>>>>
> >>>>>> Not sure if you got my other message ut I?ll send it here as well. I
> >>>>>> looked at the log info nd I found the following out:
> >>>>>>
> >>>>> From STDOUT / STDERR:
> >>>>>>
> >>>>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 2:13:45.708823 ArgusCallc
> >>>>>> (1,
> >>>>>> 525016) returning 0x7f1ddfd42010
> >>>>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709007
> >>>>>> ArgusNewModeler()
> >>>>>> returning 0x7f1ddfd42010
> >>>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 0:13:45.709036 ArgusCalloc
> >>>>>> (1,
> >>>>>> 4237776)returning 0x7f1dde6f4010
> >>>>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709055
> >>>>>> ArgusNewSource(0x7f1ddfd42010) returning 0x7f1dde6f4010
> >>>>>> argus[2592.0047dcdf1d7f0000]: 1 Mar 14 02:13:45.709073 ArgusCalloc
> >>>>>> (1,
> >>>>>> 336) returning 0x15340f0
> >>>>>> argus[2592.0047dcdf1df0000]: 31 ar 14 02:13:45.709087 ArgusCalloc
> >>>>>> (1,
> >>>>>> 152) returning 0x1534b60
> >>>>>> argus[2592.0047dcdf1d7f0000: 31 Mar 14 02:13:45.709098 ArgusNewQueue
> >>>>>> ()
> >>>>>> returning 0x1534b60
> >>>>>> argus[2592.0047dcdf1d70000]: 31 Mar 14 02:13:45.709110 ArgusCalloc
> >>>>>> (1,
> >>>>> 152) returning 0x1534c00
> >>>>>> rgus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709121 ArgusNewList
> >>>>>> ()
> >>>>>> returnin 0x1534c00
> >>>>>> argus[2592.0047ddf1d7f0000]: 31 Mar 14 02:13:45.709131 ArgusCalloc
> >>>>>> (1
> >>>>>> 152) returning 0x1534ca0
> >>>>>> argus[292.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709141 ArgusNewLit
> >>>>>> ()
> >>>>>> returning 0x1534ca0
> >>>>>> argus[2592.0047dcdf17f0000]: 31 Mar 14 02:13:45709150
> >>>>>> ArgusNewOutput()
> >>>>>> returning retn 0x15340f0
> >>>>>> argus[259.0047dcdf1d7f0000]: 31Mar 14 02:13:45.709171
> >>>>>> setArgusMarReportInterval(60) returnng
> >>>>>> argus[2592.047dcdf1d7f0000]: 31 Mar 14 02:13:45.709252
> >>>>>> clearArgusDevice(0x7f1dde6f4010) returning
> >>>>>> argus[2592.0047dcdf1d7f0000]: 31 Mr 14 02:13:45.709270 ArgusCalloc
> >>>>>> (1,
> >>>>>> 152) returning 0x1534f80
> >>>>>> argus[2592.007dcdf1d7f0000]: 31 Mar 14 02:13:45.709284 ArgusNewList
> >>>>>> ()
> >>>>>> returning 0x1534f80
> >>>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709303 ArgusCalloc
> >>>>>> (1,
> >>>>>> 64) returning 0x1535020
> >>>>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.79317
> >>>>>> ArgusPushFrontList
> >>>>>> (0x1534f80, 0x1535020, 1) returning 0xa20
> >>>>>> argus[2592.0047dcd1d7f0000]: 31 Mar 14 02:13:45.709331
> >>>>>> setArgusDevice(dna0) returning
> >>>>>> argus[2592.0047dcdf1d7f000]: 31 Mar 14 02:13:45.709345
> >>>>>> ArgusDeleteList
> >>>>>> ((nil), 2) returning
> >>>>>> argus[2592.0047dcf1d7f0000]: 31 Mar 14 02:13:45.709356 ArgusCalloc
> >>>>>> (1,
> >>>>>> 152) returning 0x1535090
> >>>>>> argus[292.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709366 ArgusNewList
> >>>>>> ()
> >>>>>> returning 0x1535090
> >>>>>> arus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709376 ArgusCalloc
> >>>>>> (1,
> >>>>>> 24) returning 0x1534250
> >>>>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709386
> >>>>> ArgusPushFrontList
> >>>>>> (0x1535090, 0x1534250, 1) returning 0xa20
> >>>>>> argus[2592.0047dcf1d7f0000]: 31 Mar 14 02:13:45.709403
> >>>>>> setArgusMarReportInterval(60) returning
> >>>>>> arus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709440
> >>>>>> ArgusParseResourceFile (/etc/argus.conf) returning
> >>>>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709469 ArgusFree
> >>>>>> (0x1535020)
> >>>>>> argu[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709480
> >>>>>> clearArgusDevice(0x7f1dde6f4010) returning
> >>>>>> agus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709493 ArgusCalloc
> >>>>>> (1,
> >>>>>> 64) returning 0x1535020>>>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709503
> >>>>>> ArgusPushFrontList
> >>>>> (0x1534f80, 0x1535020, 1) returning 0xa20
> >>>>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 2:13:45.709514
> >>>>>> setArgusDevice(dna0 ) returning
> >>>>>> argus[2592.0047dcdf1d7f0000]: 31 ar 14 02:13:45.709526
> >>>>>> ArgusDeleteList
> >>>>>> (0x1535090, 2) 1 items on list
> >>>>>> argus[2592.0047dcdfd7f0000]: 31 Mar 14 02:13:45.709537 ArgusFree
> >>>>>> (0x1534250)
> >>>>>> argus[2592.0047dcdfd7f0000]: 31 Mar 14 02:13:45.709549 ArgusFree
> >>>>>> (0x1535090)
> >>>>>> argus[2592.0047dcdf1d7f000]: 31 Mar 14 02:13:45.709559
> >>>>>> ArgusDeleteList
> >>>>>> (0x1535090, 2) returning
> >>>>>> argus[2592.047dcdf1d7f0000]: 31 Mar 14 02:13:45.709569 ArgusCalloc
> >>>>>> (1,
> >>>>>> 152) returning 0x1535090
> >>>>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709579 ArgusNewList
> >>>>>> ()
> >>>>>> returning 0x1535090
> >>>>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709588 ArgusCalloc
> >>>>>> (1,
> >>>>>> 24) returning 0x1534250
> >>>>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709598
> >>>>>> ArgusPushFrontList
> >>>>>> (0x1535090, 0x1534250, 1) returning 0xa20
> >>>>>> argus[2592.0047dcdf1d7f0000]: 31 Mar 14 02:13:45.709609
> >>>>>> setArgusInterfaceStatus(0x7f1dde6f4010, 1)
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> Here is output from /var/log/messages:
> >>>>>>
> >>>>>> Mar 31 02:13:45 argus argus[2593]: 31 Mar 14 02:13:45.709952 started
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.710271 ArgusCalloc (1, 592056) returning 0x7f1ddfcb1010
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.725031 ArgusCalloc (1, 128) returning 0x15de1d0
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.725074 getArgusID(0x7f1dde6f4010) done
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.725094 getArgusIDType(0x7f1dde6f4010) done
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.725113 ArgusGenerateInitialMar() returning
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.725132 ArgusCalloc (1, 168) returning 0x15de260
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.725447 ArgusCalloc (1, 262256) returning 0x7f1ddfc70010
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.725472 ArgusCalloc (1, 152) returning 0x15de310
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.725489 ArgusNewList () returning 0x15de310
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.725506 ArgusNewSocket (4) returning 0x7f1ddfc70010
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.725548 ArgusPushBackList (0x1535090, 0x1534250, 1) returning
> >>>>>> 1
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.725567 ArgusDeleteList (0x1535090, 2) 1 items on list
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.725581 ArgusFree (0x1534250)
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.725597 ArgusFree (0x1535090)
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.725610 ArgusDeleteList (0x1535090, 2) returning
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.725714 ArgusInitOutput() done
> >>>>>> Mar 31 02:13:45 argus argus[2593]: 31 Mar 14 02:13:45.725789 started
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.725794 ArgusOutputProcess(0x15340f0) starting
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.725923 ArgusOutputProcess() looping
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.725941 ArgusOutputProcess() waiting for input list
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.725807 ArgusCreatePIDFile(/var/run, argus) pidpath is
> >>>>>> /var/run
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.726043 ArgusPushFrontList (0x1534f80, 0x1535020, 1)
> >>>>>> returning
> >>>>>> 0xa21
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.726063 getArgusDevice(0x7f1dde6f4010) returning dna0
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.726606 ArgusCreatePIDFile(/var/run, argus) returning
> >>>>>> /var/run/argus.dna0.0.pid
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.726651 ArgusCalloc (1, 4237776) returning 0x7f1ddd6da010
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.726670 ArgusCalloc (1, 152) returning 0x1535090
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.726684 ArgusNewList () returning 0x1535090
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.726704 ArgusCloneSource(0x7f1dde6f4010) returning
> >>>>>> 0x7f1ddd6da010
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.726733 clearArgusDevice(0x7f1ddd6da010) returning
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.726757 ArgusPushBackList (0x1535090, 0x1535020, 1) returning
> >>>>>> 1
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.747151 ArgusOpenInterface() pcap_open_live(dna0) returned
> >>>>>> 0x15de4f0
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.754761 Arguslookup_pcap_callback(1) returning 0x412896
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.754790 ArgusOpenInterface(0x7f1ddd6da010, 'dna0') returning
> >>>>>> 1
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.754807 ArgusPushBackList (0x1535090, 0x1535020, 1) returning
> >>>>>> 1
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.754945 ArgusCalloc (1, 525016) returning 0x7f1ddd3bd010
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.755740 ArgusCalloc (1, 64) returning 0x15e1800
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.755778 ArgusCalloc (65536, 8) returning 0x7f1ddd33c010
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.755793 ArgusNewHashTable (65536) returning 0x15e1800
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.755807 ArgusCalloc (1, 104) returning 0x15e1850
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.755820 ArgusCalloc (1, 152) returning 0x15e18c0
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.755834 ArgusNewQueue () returning 0x15e18c0
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.755847 ArgusCalloc (1, 152) returning 0x15e1960
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.755859 ArgusNewQueue () returning 0x15e1960
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.755871 ArgusCalloc (1, 112) returning 0x15e1a00
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.755934 ArgusCalloc (1, 40) returning 0x15e1a80
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.755958 ArgusCalloc (1, 80) returning 0x15e1ab0
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.755982 ArgusCalloc (1, 1096) returning 0x15e1b10
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.756011 ArgusCalloc (1, 1096) returning 0x15e1f60
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.756038 ArgusCalloc (1, 1096) returning 0x15e23b0
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.756066 ArgusCalloc (1, 1096) returning 0x15e2800
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.756094 ArgusCalloc (1, 1096) returning 0x15e2c50
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.756113 ArgusCalloc (1, 1096) returning 0x15e30a0
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.756126 ArgusCalloc (1, 1096) returning 0x15e34f0
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.756146 ArgusCalloc (1, 1096) returning 0x15e3940
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.756167 ArgusCalloc (1, 1096) returning 0x15e3d90
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.756195 ArgusCalloc (1, 1096) returning 0x15e41e0
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.756219 ArgusCalloc (1, 1096) returning 0x15e4630
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.756243 ArgusCalloc (1, 1096) returning 0x15e4a80
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.756276 ArgusCalloc (1, 1096) returning 0x15e4ed0
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.756301 ArgusCalloc (1, 1096) returning 0x15e5320
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.756319 ArgusCalloc (1, 1096) returning 0x15e5770
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.756334 ArgusCalloc (1, 1096) returning 0x15e5bc0
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.756358 ArgusCalloc (1, 1096) returning 0x15e6010
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.756384 ArgusCalloc (1, 1096) returning 0x15e6460
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.756412 ArgusCalloc (1, 1096) returning 0x15e68b0
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.756427 ArgusCalloc (1, 1096) returning 0x15e6d00
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.756447 ArgusInitMallocList (1048) returning
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.756469 ArgusInitModeler(0x7f1ddd3bd010) done
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.0047dcdf1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.756501 ArgusInitSource(0x7f1ddd6da010) returning 1
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.756655 ArgusGetPackets (0x7f1ddd6da010) starting
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.756747 ArgusPushFrontList (0x1535090, 0x1535020, 1)
> >>>>>> returning
> >>>>>> 0xa23
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.756810 setArgusInterfaceStatus(0x7f1ddd6da010, 1)
> >>>>>> Mar 31 02:13:45 argus argus[2593]: 31 Mar 14 02:13:45.756854
> >>>>>> ArgusGetInterfaceStatus: interface dna0 is up
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.757200 ArgusGetPackets: interface dna0 is selectable
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.757233 setArgusInterfaceStatus(0x7f1ddd6da010, 1)
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.826041 ArgusOutputStatusTime(0x15340f0) done
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.826082 ArgusOutputProcess() checking out clients
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.826097 ArgusOutputProcess() done with clients
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.826110 ArgusOutputProcess() looping
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.826122 ArgusOutputProcess() waiting for input list
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.926225 ArgusOutputStatusTime(0x15340f0) done
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.926264 ArgusOutputProcess() checking out clients
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.926279 ArgusOutputProcess() done with clients
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.926292 ArgusOutputProcess() looping
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.926305 ArgusOutputProcess() waiting for input list
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.957631 ArgusUpdateTime (0x7f1ddd3bd010) global time
> >>>>>> 1396250025.957628 update 1396250026.157628 returning 1
> >>>>>> Mar 31 02:13:45 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:45.957676 ArgusPushFrontList (0x1535090, 0x1535020, 1)
> >>>>>> returning
> >>>>>> 0xa23
> >>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:46.026405 ArgusOutputStatusTime(0x15340f0) done
> >>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:46.026445 ArgusOutputProcess() checking out clients
> >>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:46.026460 ArgusOutputProcess() done with clients
> >>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:46.026472 ArgusOutputProcess() looping
> >>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:46.026485 ArgusOutputProcess() waiting for input list
> >>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:46.126605 ArgusOutputStatusTime(0x15340f0) done
> >>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:46.126644 ArgusOutputProcess() checking out clients
> >>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:46.126659 ArgusOutputProcess() done with clients
> >>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:46.126671 ArgusOutputProcess() looping
> >>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:46.126684 ArgusOutputProcess() waiting for input list
> >>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:46.158386 ArgusUpdateTime (0x7f1ddd3bd010) global time
> >>>>>> 1396250026.158385 update 1396250026.357628 returning 1
> >>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:46.158427 ArgusPushFrontList (0x1535090, 0x1535020, 1)
> >>>>>> returning
> >>>>>> 0xa23
> >>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:46.226786 ArgusOutputStatusTime(0x15340f0) done
> >>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:46.226825 ArgusOutputProcess() checking out clients
> >>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:46.226843 ArgusOutputProcess() done with clients
> >>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:46.226862 ArgusOutputProcess() looping
> >>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:46.226896 ArgusOutputProcess() waiting for input list
> >>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:46.327003 ArgusOutputStatusTime(0x15340f0) done
> >>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:46.327042 ArgusOutputProcess() checking out clients
> >>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:46.327056 ArgusOutputProcess() done with clients
> >>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:46.327069 ArgusOutputProcess() looping
> >>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:46.327081 ArgusOutputProcess() waiting for input list
> >>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:46.359104 ArgusUpdateTime (0x7f1ddd3bd010) global time
> >>>>>> 1396250026.359103 update 1396250026.557628 returning 1
> >>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:46.359145 ArgusPushFrontList (0x1535090, 0x1535020, 1)
> >>>>>> returning
> >>>>>> 0xa23
> >>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:46.427189 ArgusOutputStatusTime(0x15340f0) done
> >>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:46.427229 ArgusOutputProcess() checking out clients
> >>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:46.427243 ArgusOutputProcess() done with clients
> >>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:46.427256 ArgusOutputProcess() looping
> >>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:46.427268 ArgusOutputProcess() waiting for input list
> >>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:46.527381 ArgusOutputStatusTime(0x15340f0) done
> >>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:46.527420 ArgusOutputProcess() checking out clients
> >>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:46.527434 ArgusOutputProcess() done with clients
> >>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:46.527447 ArgusOutputProcess() looping
> >>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:46.527459 ArgusOutputProcess() waiting for input list
> >>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:46.559826 ArgusUpdateTime (0x7f1ddd3bd010) global time
> >>>>>> 1396250026.559825 update 1396250026.757628 returning 1
> >>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:46.559880 ArgusPushFrontList (0x1535090, 0x1535020, 1)
> >>>>>> returning
> >>>>>> 0xa23
> >>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:46.627571 ArgusOutputStatusTime(0x15340f0) done
> >>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:46.627610 ArgusOutputProcess() checking out clients
> >>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:46.627625 ArgusOutputProcess() done with clients
> >>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:46.627638 ArgusOutputProcess() looping
> >>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:46.627652 ArgusOutputProcess() waiting for input list
> >>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:46.727765 ArgusOutputStatusTime(0x15340f0) done
> >>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:46.727804 ArgusOutputProcess() checking out clients
> >>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:46.727819 ArgusOutputProcess() done with clients
> >>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:46.727836 ArgusOutputProcess() looping
> >>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:46.727849 ArgusOutputProcess() waiting for input list
> >>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:46.760559 ArgusUpdateTime (0x7f1ddd3bd010) global time
> >>>>>> 1396250026.760557 update 1396250026.957628 returning 1
> >>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:46.760600 ArgusPushFrontList (0x1535090, 0x1535020, 1)
> >>>>>> returning
> >>>>>> 0xa23
> >>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:46.827946 ArgusOutputStatusTime(0x15340f0) done
> >>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:46.827985 ArgusOutputProcess() checking out clients
> >>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:46.828000 ArgusOutputProcess() done with clients
> >>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:46.828013 ArgusOutputProcess() looping
> >>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:46.828026 ArgusOutputProcess() waiting for input list
> >>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:46.928138 ArgusOutputStatusTime(0x15340f0) done
> >>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:46.928177 ArgusOutputProcess() checking out clients
> >>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:46.928192 ArgusOutputProcess() done with clients
> >>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:46.928205 ArgusOutputProcess() looping
> >>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:46.928217 ArgusOutputProcess() waiting for input list
> >>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:46.961354 ArgusUpdateTime (0x7f1ddd3bd010) global time
> >>>>>> 1396250026.961353 update 1396250027.157628 returning 1
> >>>>>> Mar 31 02:13:46 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:46.961398 ArgusPushFrontList (0x1535090, 0x1535020, 1)
> >>>>>> returning
> >>>>>> 0xa23
> >>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:47.028316 ArgusOutputStatusTime(0x15340f0) done
> >>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:47.028355 ArgusOutputProcess() checking out clients
> >>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:47.028370 ArgusOutputProcess() done with clients
> >>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:47.028383 ArgusOutputProcess() looping
> >>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:47.028395 ArgusOutputProcess() waiting for input list
> >>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:47.128499 ArgusOutputStatusTime(0x15340f0) done
> >>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:47.128538 ArgusOutputProcess() checking out clients
> >>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:47.128553 ArgusOutputProcess() done with clients
> >>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:47.128568 ArgusOutputProcess() looping
> >>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:47.128580 ArgusOutputProcess() waiting for input list
> >>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:47.162074 ArgusUpdateTime (0x7f1ddd3bd010) global time
> >>>>>> 1396250027.162073 update 1396250027.357628 returning 1
> >>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:47.162115 ArgusPushFrontList (0x1535090, 0x1535020, 1)
> >>>>>> returning
> >>>>>> 0xa23
> >>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:47.228679 ArgusOutputStatusTime(0x15340f0) done
> >>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:47.228718 ArgusOutputProcess() checking out clients
> >>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:47.228737 ArgusOutputProcess() done with clients
> >>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:47.228750 ArgusOutputProcess() looping
> >>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:47.228762 ArgusOutputProcess() waiting for input list
> >>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:47.328888 ArgusOutputStatusTime(0x15340f0) done
> >>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:47.328927 ArgusOutputProcess() checking out clients
> >>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:47.328942 ArgusOutputProcess() done with clients
> >>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:47.328955 ArgusOutputProcess() looping
> >>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:47.328968 ArgusOutputProcess() waiting for input list
> >>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:47.362797 ArgusUpdateTime (0x7f1ddd3bd010) global time
> >>>>>> 1396250027.362795 update 1396250027.557628 returning 1
> >>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:47.362837 ArgusPushFrontList (0x1535090, 0x1535020, 1)
> >>>>>> returning
> >>>>>> 0xa23
> >>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:47.429068 ArgusOutputStatusTime(0x15340f0) done
> >>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:47.429107 ArgusOutputProcess() checking out clients
> >>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:47.429122 ArgusOutputProcess() done with clients
> >>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:47.429135 ArgusOutputProcess() looping
> >>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:47.429147 ArgusOutputProcess() waiting for input list
> >>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:47.529254 ArgusOutputStatusTime(0x15340f0) done
> >>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:47.529293 ArgusOutputProcess() checking out clients
> >>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:47.529307 ArgusOutputProcess() done with clients
> >>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:47.529320 ArgusOutputProcess() looping
> >>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:47.529333 ArgusOutputProcess() waiting for input list
> >>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:47.563527 ArgusUpdateTime (0x7f1ddd3bd010) global time
> >>>>>> 1396250027.563526 update 1396250027.757628 returning 1
> >>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:47.563569 ArgusPushFrontList (0x1535090, 0x1535020, 1)
> >>>>>> returning
> >>>>>> 0xa23
> >>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:47.629436 ArgusOutputStatusTime(0x15340f0) done
> >>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:47.629475 ArgusOutputProcess() checking out clients
> >>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:47.629489 ArgusOutputProcess() done with clients
> >>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:47.629502 ArgusOutputProcess() looping
> >>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:47.629515 ArgusOutputProcess() waiting for input list
> >>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:47.729622 ArgusOutputStatusTime(0x15340f0) done
> >>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:47.729662 ArgusOutputProcess() checking out clients
> >>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:47.729676 ArgusOutputProcess() done with clients
> >>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:47.729689 ArgusOutputProcess() looping
> >>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:47.729702 ArgusOutputProcess() waiting for input list
> >>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:47.764263 ArgusUpdateTime (0x7f1ddd3bd010) global time
> >>>>>> 1396250027.764262 update 1396250027.957628 returning 1
> >>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00b733dd1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:47.764304 ArgusPushFrontList (0x1535090, 0x1535020, 1)
> >>>>>> returning
> >>>>>> 0xa23
> >>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:47.829810 ArgusOutputStatusTime(0x15340f0) done
> >>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:47.829849 ArgusOutputProcess() checking out clients
> >>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:47.829863 ArgusOutputProcess() done with clients
> >>>>>> Mar 31 02:13:47 argus argus[2593]: argus[2593.00574ede1d7f0000]: 31
> >>>>>> Mar
> >>>>>> 14
> >>>>>> 02:13:47.829890 ArgusOutputProcess() looping
> >>>>>> Mar 31 02:13:47 argus rsyslogd-2177: imuxsock begins to drop
> >>>>>> messages
> >>>>>> from
> >>>>>> pid 2593 due to rate-limiting
> >>>>>> Mar 31 02:13:51 argus rsyslogd-2177: imuxsock lost 188 messages from
> >>>>>> pid
> >>>>>> 2593 due to rate-limiting
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> Then everything after ?ArgusGetPackets: interface dna0 is selectable"
> >>>>>> repeats over and over again.
> >>>>>>
> >>>>>> Not sure if this confirms or refutes your previous statement.
> >>>>>>
> >>>>>> -Jeff
> >>>>>>
> >>>>>> On 3/30/14, 12:14 PM, "Carter Bullard" <carter at qosient.com> wrote:
> >>>>>>
> >>>>>>> Jeffrey,
> >>>>>>> Did you create the .debug file in the argus home directory ?? This
> >>>>>>> turns
> >>>>>>> on
> >>>>>>> debug information generation. If you didn?t do this then:
> >>>>>>>
> >>>>>>> % touch .debug
> >>>>>>> % ./configure;make clean;make
> >>>>>>>
> >>>>>>> Seems like a lot of ARGUS_CAPTURE_DATA_LEN ?? I would recommend
> >>>>>>> something like 128, or 256 ???
> >>>>>>>
> >>>>>>> I suspect that the PF_RING stuff doesn?t work with select(), and
> >>>>>>> we?re
> >>>>>>> sitting
> >>>>>>> on a select() waiting to be notified that a packet is available to
> >>>>>>> read.
> >>>>>>> Your
> >>>>>>> debug information should tell us if it thinks the interface is
> >>>>>>> selectable
> >>>>>>> or not.
> >>>>>>>
> >>>>>>> Carter
> >>>>>>>
> >>>>>>> On Mar 30, 2014, at 12:45 PM, Reynolds, Jeffrey
> >>>>>>> <JReynolds at utdallas.edu>
> >>>>>>> wrote:
> >>>>>>>
> >>>>>>>> Ok, I?ve recompiled 3.0.7.5 from unmodified source. I?m running
> >>>>>>>> with
> >>>>>>>> the
> >>>>>>>> following config file options:
> >>>>>>>>
> >>>>>>>> ARGUS_FLOW_TYPE="Bidirectional"
> >>>>>>>> ARGUS_FLOW_KEY="CLASSIC_5_TUPLE"
> >>>>>>>> ARGUS_DAEMON=yes
> >>>>>>>> ARGUS_INTERFACE=dna0
> >>>>>>>> ARGUS_OUTPUT_FILE=/var/data/argus-out
> >>>>>>>> ARGUS_SET_PID=yes
> >>>>>>>> ARGUS_PID_PATH="/var/run"
> >>>>>>>> ARGUS_FLOW_STATUS_INTERVAL=5
> >>>>>>>> ARGUS_MAR_STATUS_INTERVAL=60
> >>>>>>>> ARGUS_DEBUG_LEVEL=8
> >>>>>>>> ARGUS_GENERATE_RESPONSE_TIME_DATA=yes
> >>>>>>>> ARGUS_GENERATE_MAC_DATA=yes
> >>>>>>>> ARGUS_CAPTURE_DATA_LEN=1500
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> After running:
> >>>>>>>>
> >>>>>>>> argus -F argus.conf
> >>>>>>>>
> >>>>>>>> I?m still getting 128 byte argus-out files, but I?m not seeing any
> >>>>>>>> debug
> >>>>>>>> information. However, /var/log/messages now shows the interface
> >>>>>>>> coming
> >>>>>>>> up
> >>>>>>>> more in line with the what I?d expect:
> >>>>>>>>
> >>>>>>>> Mar 30 05:21:29 argus argus[31395]: 30 Mar 14 05:21:29.114830
> >>>>>>>> started
> >>>>>>>> Mar 30 05:21:29 argus argus[31395]: 30 Mar 14 05:21:29.130717
> >>>>>>>> started
> >>>>>>>> Mar 30 05:21:29 argus argus[31395]: 30 Mar 14 05:21:29.156439
> >>>>>>>> ArgusGetInterfaceStatus: interface dna0 is up
> >>>>>>>> Mar 30 05:21:46 argus argus[31395]: 30 Mar 14 05:21:46.418902
> >>>>>>>> stopped
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> I checked ifconfig, and it claims that dna0 is running in PROMISC
> >>>>>>>> mode.
> >>>>>>>> It?s strange that I?m not seeing any debug info at the command
> >>>>>>>> line
> >>>>>>>> of
> >>>>>>>> in
> >>>>>>>> /var/log/messages. I?ve tried specifying it in the config file
> >>>>>>>> and
> >>>>>>>> at
> >>>>>>>> the
> >>>>>>>> command line, but I haven?t sen any additional output. Perhaps I
> >>>>>>>> didn?t
> >>>>>>>> have one of the dependencies installed when I ran the configure
> >>>>>>>> script,
> >>>>>>>> and something isn?t working properly? Also, I see that libpcap
> >>>>>>>> can
> >>>>>>>> be
> >>>>>>>> recompiled with PF_Ring support. Maybe I?ve missed something
> >>>>>>>> obvious
> >>>>>>>> here, but as Argus seems to depend on libpcap, do I need to
> >>>>>>>> recompile
> >>>>>>>> it
> >>>>>>>> with PF_Ring capabilities?
> >>>>>>>>
> >>>>>>>> -Jeff
> >>>>>>>>
> >>>>>>>> On 3/29/14, 10:00 AM, "Carter Bullard" <carter at qosient.com> wrote:
> >>>>>>>>
> >>>>>>>>> Hey Jeffery,
> >>>>>>>>> Sorry for the delayed response... and thanks Craig for taking
> >>>>>>>>> the
> >>>>>>>>> thread
> >>>>>>>>> !!! The 128 byte records are management records, which are
> >>>>>>>>> basically
> >>>>>>>>> keep alive like status messages for down stream readers of data.
> >>>>>>>>> They
> >>>>>>>>> indicate that the sensor is alive.
> >>>>>>>>>
> >>>>>>>>> But you definately aren't getting any packets from the
> >>>>>>>>> interfaces.
> >>>>>>>>>
> >>>>>>>>> You
> >>>>>>>>> shouldn't need to modify the source for this to work. I'm pretty
> >>>>>>>>> sure
> >>>>>>>>> Craig doesn't modify his. So with a standard release, run argus
> >>>>>>>>> the
> >>>>>>>>> way
> >>>>>>>>> you think you should with the -D8 option, so we can see what is
> >>>>>>>>> up
> >>>>>>>>> for
> >>>>>>>>> 5-10 seconds or so, and send the output to the list.
> >>>>>>>>>
> >>>>>>>>> We should see a statement that the interface is up. We need to
> >>>>>>>>> get
> >>>>>>>>> that
> >>>>>>>>> far before we'll try to read packets.
> >>>>>>>>>
> >>>>>>>>> Carter
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>> On Mar 28, 2014, at 3:42 PM, "Reynolds, Jeffrey"
> >>>>>>>>>> <JReynolds at utdallas.edu> wrote:
> >>>>>>>>>>
> >>>>>>>>>> Ok, I?m almost sure there are issues with Argus and the code I?ve
> >>>>>>>>>> modified. To rehash, I?ve changed line grabbed argus-3.0.7.5
> >>>>>>>>>> and
> >>>>>>>>>> I?ve
> >>>>>>>>>> chagned the following line in argus/ArgusSource.c
> >>>>>>>>>>
> >>>>>>>>>> 4331
> >>>>>>>>>>
> >>>>>>>>>> - if ((strstr(device->name, "dag")) || (strstr(device->name,
> >>>>>>>>>> "napa"))) {
> >>>>>>>>>>
> >>>>>>>>>> + if (strstr(device->name, "dag") || strstr(device->name, "nap")
> >>>>>>>>>> ||
> >>>>>>>>>> strstr(device->name, "dna") || (strstr(device->name, "eth") &&
> >>>>>>>>>> strstr(device->name, "@"))) {
> >>>>>>>>>>
> >>>>>>>>>> I?ve also tried:
> >>>>>>>>>>
> >>>>>>>>>> + if ((strstr(device->name, "dag")) || (strstr(device->name,
> >>>>>>>>>> "nap"))
> >>>>>>>>>> ||
> >>>>>>>>>> (strstr(device->name, "dna")) || (strstr(device->name, "eth") &&
> >>>>>>>>>> strstr(device->name, "@"))) {
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> As I wasn?t sure if the paren the strstr statements had to be
> >>>>>>>>>> enclosed
> >>>>>>>>>> in
> >>>>>>>>>> their own set of parens. Anyway, in both instances, I?ll try to
> >>>>>>>>>> run
> >>>>>>>>>> Argus
> >>>>>>>>>> and wind up with a 128 byte file. For example:
> >>>>>>>>>>
> >>>>>>>>>> $ argus -i dna0 -w /var/data/argus-out -s 1500
> >>>>>>>>>> (wait about 20 seconds)
> >>>>>>>>>> $ ls -l /var/data
> >>>>>>>>>> -rw-r--r--. 1 argus argus 128 Mar 28 07:46 argus-out
> >>>>>>>>>>
> >>>>>>>>>> When I run with the vanilla drivers, and my interface is not
> >>>>>>>>>> ?dna0?
> >>>>>>>>>> but
> >>>>>>>>>> ?em1?, then I get better results.
> >>>>>>>>>>
> >>>>>>>>>> # rmmod ixgbe
> >>>>>>>>>> # modprobe ixgbe #pulling from /lib/modules/`uname -r`
> >>>>>>>>>>
> >>>>>>>>>> $ rm argus-out
> >>>>>>>>>> rm: remove regular file `argus-out'? y
> >>>>>>>>>> $ argus -i em1 -w /var/data/argus-out -s 1500
> >>>>>>>>>> (wait about 20 seconds)
> >>>>>>>>>> $ ls -l /var/data
> >>>>>>>>>> -rw-r--r--. 1 argus argus 2392260 Mar 28 07:46 argus-out
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> The real kicker seems to be in /var/log/messages. When running
> >>>>>>>>>> argus
> >>>>>>>>>> on
> >>>>>>>>>> em1 with the original ixgbe driver, I get the following output in
> >>>>>>>>>> /var/log/messages:
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> Mar 28 05:14:52 argus argus[23142]: 28 Mar 14 05:14:52.865660
> >>>>>>>>>> started
> >>>>>>>>>> Mar 28 05:14:52 argus argus[23142]: 28 Mar 14 05:14:52.882755
> >>>>>>>>>> started
> >>>>>>>>>> Mar 28 05:14:52 argus kernel: device em1 entered promiscuous mode
> >>>>>>>>>> Mar 28 05:14:52 argus argus[23142]: 28 Mar 14 05:14:52.932220
> >>>>>>>>>> ArgusGetInterfaceStatus: interface em1 is up
> >>>>>>>>>> Mar 28 05:15:18 argus argus[23142]: 28 Mar 14 05:15:18.812342
> >>>>>>>>>> stopped
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> However, when running with the DNA driver, the output is as
> >>>>>>>>>> follows:
> >>>>>>>>>>
> >>>>>>>>>> Mar 28 08:33:16 argus argus[23915]: 28 Mar 14 08:33:16.967530
> >>>>>>>>>> started
> >>>>>>>>>> Mar 28 08:33:16 argus argus[23915]: 28 Mar 14 08:33:16.985055
> >>>>>>>>>> started
> >>>>>>>>>> Mar 28 08:33:50 argus argus[23915]: 28 Mar 14 08:33:50.667199
> >>>>>>>>>> stopped
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> Now the interface is in promiscuous mode, I can see the change in
> >>>>>>>>>> received
> >>>>>>>>>> packets rising considerably by just running ifconfig a few
> >>>>>>>>>> times.
> >>>>>>>>>> I
> >>>>>>>>>> think
> >>>>>>>>>> that for whatever reason, the function in Argus that outputs the
> >>>>>>>>>> ?ArgusGetInterfaceStatus? line isn?t correctly interpreting dna0
> >>>>>>>>>> as
> >>>>>>>>>> an
> >>>>>>>>>> appropriate interface.
> >>>>>>>>>>
> >>>>>>>>>> Does any of this sound remotely possible?
> >>>>>>>>>>
> >>>>>>>>>> -Jeff
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>> On 3/27/14, 7:23 PM, "Craig Merchant" <cmerchant at responsys.com>
> >>>>>>>>>>> wrote:
> >>>>>>>>>>>
> >>>>>>>>>>> Hey, Jeffrey...
> >>>>>>>>>>>
> >>>>>>>>>>> The configuration questions for the pf_ring and ixgbe drivers
> >>>>>>>>>>> may
> >>>>>>>>>>> be
> >>>>>>>>>>> better answered on the ntop forums... But I'll do my best.
> >>>>>>>>>>> Here
> >>>>>>>>>>> is
> >>>>>>>>>>> how
> >>>>>>>>>>> I load the drivers:
> >>>>>>>>>>>
> >>>>>>>>>>> insmod /lib/modules/2.6.32-220.el6.x86_64/updates/pf_ring.ko
> >>>>>>>>>>> /sbin/modprobe ixgbe MQ=0,0 RSS=1,1 num_rx_slots=32768
> >>>>>>>>>>>
> >>>>>>>>>>> ifconfig dna0 up promisc
> >>>>>>>>>>> ethtool -K dna0 tso off
> >>>>>>>>>>> ethtool -K dna0 gro off
> >>>>>>>>>>> ethtool -K dna0 lro off
> >>>>>>>>>>> ethtool -K dna0 gso off
> >>>>>>>>>>> ethtool -G dna0 tx 32768
> >>>>>>>>>>> ethtool -G dna0 rx 32768
> >>>>>>>>>>>
> >>>>>>>>>>> One thing I'm not clear on from your config is why you are using
> >>>>>>>>>>> pfdnacluster_master at all... That daemon is designed to split
> >>>>>>>>>>> up
> >>>>>>>>>>> flows
> >>>>>>>>>>> and/or make copies of them to distribute to other applications.
> >>>>>>>>>>>
> >>>>>>>>>>> I
> >>>>>>>>>>> don't
> >>>>>>>>>>> think it's meant to aggregate two interfaces into one stream.
> >>>>>>>>>>> Normally
> >>>>>>>>>>> it's run with a -n parameter to tell it how many queues you want
> >>>>>>>>>>> traffic
> >>>>>>>>>>> divided up into. We use:
> >>>>>>>>>>>
> >>>>>>>>>>> pfdnacluster_master -d -c 10 -n 28,1 -m 0 -i dna0
> >>>>>>>>>>>
> >>>>>>>>>>> In this case, -n says "divide up one copy of the traffic into 28
> >>>>>>>>>>> queues"
> >>>>>>>>>>> and "create one copy of all the traffic on the last queue".
> >>>>>>>>>>> The
> >>>>>>>>>>> apps
> >>>>>>>>>>> accessing the first 28 queues (Snort) would connect to
> >>>>>>>>>>> dnacluster:10 at 0
> >>>>>>>>>>> -
> >>>>>>>>>>> dnacluster:10 at 27. Argus connects to dnacluster:10 at 28 and
> >>>>>>>>>>> would
> >>>>>>>>>>> see
> >>>>>>>>>>> a
> >>>>>>>>>>> copy of all of the traffic.
> >>>>>>>>>>>
> >>>>>>>>>>> If all you are looking to do is combine traffic from two
> >>>>>>>>>>> interfaces
> >>>>>>>>>>> into
> >>>>>>>>>>> one, why not just run argus with -i dna0,dna1?
> >>>>>>>>>>>
> >>>>>>>>>>> For testing, I would try the following to see where you might
> >>>>>>>>>>> be
> >>>>>>>>>>> having
> >>>>>>>>>>> problems:
> >>>>>>>>>>>
> >>>>>>>>>>> pfcount -i dna0
> >>>>>>>>>>> pfcount -i dna1
> >>>>>>>>>>> pfcount -i dna0,dna1
> >>>>>>>>>>> pfcount -i dnacluster:10
> >>>>>>>>>>> pfcount -i dnacluster:10 at 0
> >>>>>>>>>>>
> >>>>>>>>>>> Let me know if that helps...
> >>>>>>>>>>>
> >>>>>>>>>>> Craig
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>> -----Original Message-----
> >>>>>>>>>>> From: Reynolds, Jeffrey [mailto:JReynolds at utdallas.edu]
> >>>>>>>>>>> Sent: Thursday, March 27, 2014 3:18 PM
> >>>>>>>>>>> To: Craig Merchant; Carter Bullard
> >>>>>>>>>>> Cc: Argus
> >>>>>>>>>>> Subject: Re: [ARGUS] Multi-Instanced Argus
> >>>>>>>>>>>
> >>>>>>>>>>> So I understand this is from a while ago, but here is what I
> >>>>>>>>>>> have.
> >>>>>>>>>>> Craig, maybe you can show me how I'm doing it wrong.
> >>>>>>>>>>>
> >>>>>>>>>>> I finally got PF_Ring and libzero licensed correctly so that
> >>>>>>>>>>> pfdnacluster
> >>>>>>>>>>> isn't limited to 5 minutes of capture. I downloaded the Argus
> >>>>>>>>>>> source,
> >>>>>>>>>>> installed the dependencies, and compiled after making the
> >>>>>>>>>>> change
> >>>>>>>>>>> you
> >>>>>>>>>>> noted below. However, I don't seem to be properly attaching
> >>>>>>>>>>> argus
> >>>>>>>>>>> to
> >>>>>>>>>>> my
> >>>>>>>>>>> devices to allow it to capture. I have a feeling its something
> >>>>>>>>>>> to
> >>>>>>>>>>> do
> >>>>>>>>>>> with my PF_Ring or dna-ixgbe conf files. We have two
> >>>>>>>>>>> interfaces
> >>>>>>>>>>> to
> >>>>>>>>>>> monitor, which I've previously combined into one by using
> >>>>>>>>>>> pfdnacluster_master. However, it looks like I can't get Argus
> >>>>>>>>>>> to
> >>>>>>>>>>> hook
> >>>>>>>>>>> into that or a single dan interface. Anyway, after make
> >>>>>>>>>>> installing,
> >>>>>>>>>>> I
> >>>>>>>>>>> run the following command with the following result:
> >>>>>>>>>>>
> >>>>>>>>>>> #pfdnacluster_master -i dna0,dna1 -c 10
> >>>>>>>>>>> #argus -i dnacluster:10 -s 1500 -w /var/data/argus-out
> >>>>>>>>>>>
> >>>>>>>>>>> My /var/log/messages says that the specified interface doesn't
> >>>>>>>>>>> exist,
> >>>>>>>>>>> which I kind of expected.
> >>>>>>>>>>> So I tried this (without pfdnacluster running):
> >>>>>>>>>>>
> >>>>>>>>>>> #argus -i dna0 -s 1500 -w /var/data/argus-out
> >>>>>>>>>>>
> >>>>>>>>>>> This time argus appears to have started, but my output file is
> >>>>>>>>>>> not
> >>>>>>>>>>> growing (it initial starts at 128 bytes and increases by that
> >>>>>>>>>>> same
> >>>>>>>>>>> amount
> >>>>>>>>>>> every 30 seconds or so).
> >>>>>>>>>>>
> >>>>>>>>>>> In case this happens to be the parameters I'm loading with my
> >>>>>>>>>>> kernel
> >>>>>>>>>>> modules, here they are:
> >>>>>>>>>>>
> >>>>>>>>>>> pf_ring.ko transparenet_mode=2
> >>>>>>>>>>> (I've also tried 0, with similar results) ixgbe.ko RSS=1,1,1,1
> >>>>>>>>>>> (I
> >>>>>>>>>>> wasn't
> >>>>>>>>>>> seeing all of the traffic from my interfaces with the default
> >>>>>>>>>>> config,
> >>>>>>>>>>> the
> >>>>>>>>>>> ntop folks recommended this, I need to dig further into the
> >>>>>>>>>>> docs
> >>>>>>>>>>> to
> >>>>>>>>>>> learn
> >>>>>>>>>>> more about these parameters).
> >>>>>>>>>>>
> >>>>>>>>>>> To answer your original question, I'm only monitoring about
> >>>>>>>>>>> ~2Gbps,
> >>>>>>>>>>> significantly less then you are. I'm not sure if what I've
> >>>>>>>>>>> noticed
> >>>>>>>>>>> would
> >>>>>>>>>>> be considered "gaps", but we do see exchanges where the server
> >>>>>>>>>>> appears
> >>>>>>>>>>> to
> >>>>>>>>>>> initiate conversations by sending a response to a client, which
> >>>>>>>>>>> the
> >>>>>>>>>>> client doesn't appear to have requested. I'm guess the missing
> >>>>>>>>>>> request
> >>>>>>>>>>> was most likely a packet that didn't get captured.
> >>>>>>>>>>>
> >>>>>>>>>>> Any configuration suggestions would be much appreciated.
> >>>>>>>>>>>
> >>>>>>>>>>> Thanks,
> >>>>>>>>>>>
> >>>>>>>>>>> Jeff
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>> From: Craig Merchant
> >>>>>>>>>>> <cmerchant at responsys.com<mailto:cmerchant at responsys.com>>
> >>>>>>>>>>> Date: Wednesday, March 12, 2014 at 6:39 PM
> >>>>>>>>>>> To: Carter Bullard
> >>>>>>>>>>> <carter at qosient.com<mailto:carter at qosient.com>>,
> >>>>>>>>>>> Jeff
> >>>>>>>>>>> Reynolds <jjr140030 at utdallas.edu<mailto:jjr140030 at utdallas.edu>>
> >>>>>>>>>>> Cc: Argus
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>> <argus-info at lists.andrew.cmu.edu<mailto:argus-info at lists.andrew.c
> >>>>>>>>>>> m
> >>>>>>>>>>> u.
> >>>>>>>>>>> ed
> >>>>>>>>>>> u>
> >>>>>>>>>>>>
> >>>>>>>>>>> Subject: RE: [ARGUS] Multi-Instanced Argus
> >>>>>>>>>>>
> >>>>>>>>>>> We're running Argus and Snort of PF_RING's DNA/Libzero drivers.
> >>>>>>>>>>>
> >>>>>>>>>>> We
> >>>>>>>>>>> decided to use Libzero because the standard DNA drivers limit
> >>>>>>>>>>> the
> >>>>>>>>>>> number
> >>>>>>>>>>> of memory "queues" containing network traffic to 16. Each
> >>>>>>>>>>> queue
> >>>>>>>>>>> can
> >>>>>>>>>>> only
> >>>>>>>>>>> be accessed by a single process and our sensors have 32 cores,
> >>>>>>>>>>> so
> >>>>>>>>>>> we
> >>>>>>>>>>> wouldn't be able to run the maximum number of Snort instances
> >>>>>>>>>>> without
> >>>>>>>>>>> it.
> >>>>>>>>>>>
> >>>>>>>>>>> We use the pfdnaclustermaster app to spread flows across 28
> >>>>>>>>>>> queues
> >>>>>>>>>>> for
> >>>>>>>>>>> snort and also maintain a copy of all flows in a queue for
> >>>>>>>>>>> Argus.
> >>>>>>>>>>>
> >>>>>>>>>>> To get it to work, all I had to do was make a slight edit to
> >>>>>>>>>>> ArgusSource.c so that Argus would recognize DNA/Libzero queues
> >>>>>>>>>>> as a
> >>>>>>>>>>> valid
> >>>>>>>>>>> interface.
> >>>>>>>>>>>
> >>>>>>>>>>> Somewhere around line 4191 (for argus 3.0.7):
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>> - if ((strstr(device->name, "dag")) || (strstr(device->name,
> >>>>>>>>>>> "napa"))) {
> >>>>>>>>>>>
> >>>>>>>>>>> + if (strstr(device->name, "dag") || strstr(device->name,
> >>>>>>>>>>> "nap")
> >>>>>>>>>>> ||
> >>>>>>>>>>> + strstr(device->name, "dna") || (strstr(device->name, "eth") &&
> >>>>>>>>>>> + strstr(device->name, "@"))) {
> >>>>>>>>>>>
> >>>>>>>>>>> Our data centers do around 4-8 Gbps 24/7. From what I recall,
> >>>>>>>>>>> there
> >>>>>>>>>>> is
> >>>>>>>>>>> (or was) a bug in PF_RING that caused Argus to run at 100% all
> >>>>>>>>>>> of
> >>>>>>>>>>> the
> >>>>>>>>>>> time, but in my experience Argus wasn't having problems keeping
> >>>>>>>>>>> up
> >>>>>>>>>>> with
> >>>>>>>>>>> our volume of data. We did see an unusually high number of
> >>>>>>>>>>> flows
> >>>>>>>>>>> that
> >>>>>>>>>>> Argus couldn't determine the direction of, but we weren't
> >>>>>>>>>>> seeing
> >>>>>>>>>>> gaps
> >>>>>>>>>>> in
> >>>>>>>>>>> the packets or anything else to suggest that Argus couldn't
> >>>>>>>>>>> handle
> >>>>>>>>>>> the
> >>>>>>>>>>> volume.
> >>>>>>>>>>>
> >>>>>>>>>>> How much traffic are you sending at Argus? Have you tried
> >>>>>>>>>>> searching
> >>>>>>>>>>> your
> >>>>>>>>>>> Argus records for flows that have gaps in them? That would be
> >>>>>>>>>>> a
> >>>>>>>>>>> pretty
> >>>>>>>>>>> good indicator that Argus may have trouble keeping up. Or that
> >>>>>>>>>>> your
> >>>>>>>>>>> SPAN
> >>>>>>>>>>> port can't handle the load...
> >>>>>>>>>>>
> >>>>>>>>>>> Thx.
> >>>>>>>>>>>
> >>>>>>>>>>> Craig
> >>>>>>>>>>>
> >>>>>>>>>>> From:
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>> argus-info-bounces+cmerchant=responsys.com at lists.andrew.cmu.edu<m
> >>>>>>>>>>> a
> >>>>>>>>>>> il
> >>>>>>>>>>> to
> >>>>>>>>>>> :a
> >>>>>>>>>>> rg
> >>>>>>>>>>> us-info-bounces+cmerchant=responsys.com at lists.andrew.cmu.edu>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>> [mailto:argus-info-bounces+cmerchant=responsys.com at lists.andrew.c
> >>>>>>>>>>> m
> >>>>>>>>>>> u.
> >>>>>>>>>>> ed
> >>>>>>>>>>> u]
> >>>>>>>>>>> On Behalf Of Carter Bullard
> >>>>>>>>>>> Sent: Wednesday, March 12, 2014 1:57 PM
> >>>>>>>>>>> To: Reynolds, Jeffrey
> >>>>>>>>>>> Cc: Argus
> >>>>>>>>>>> Subject: Re: [ARGUS] Multi-Instanced Argus
> >>>>>>>>>>>
> >>>>>>>>>>> Hey Jeffery,
> >>>>>>>>>>> Good so far. This seem like the link for accelerating snort
> >>>>>>>>>>> with
> >>>>>>>>>>> PF_RING DNA ??
> >>>>>>>>>>> http://www.ntop.org/pf_ring/accelerating-snort-with-pf_ring-dna/
> >>>>>>>>>>>
> >>>>>>>>>>> I'm interested in the symmetric RSS and if it works properly.
> >>>>>>>>>>> Are you running the PF_RING DNA DAQ ????
> >>>>>>>>>>>
> >>>>>>>>>>> It would seem that we'll have to modify argus to use this
> >>>>>>>>>>> facility
> >>>>>>>>>>> ???
> >>>>>>>>>>>
> >>>>>>>>>>> Carter
> >>>>>>>>>>>
> >>>>>>>>>>> On Mar 12, 2014, at 3:26 PM, Reynolds, Jeffrey
> >>>>>>>>>>> <JReynolds at utdallas.edu<mailto:JReynolds at utdallas.edu>> wrote:
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>> First, before we dive into to it too deep, how is the
> >>>>>>>>>>> performance
> >>>>>>>>>>> ??
> >>>>>>>>>>>
> >>>>>>>>>>> This actually seems like a great place to start. Before
> >>>>>>>>>>> getting
> >>>>>>>>>>> too
> >>>>>>>>>>> heavy into PF_RING integration, maybe I should offer a bit of
> >>>>>>>>>>> backstory.
> >>>>>>>>>>> Our main goal is just to archive traffic. We have a server
> >>>>>>>>>>> running
> >>>>>>>>>>> CentOS 6 that receives traffic from two SPAN ports. The only
> >>>>>>>>>>> thing
> >>>>>>>>>>> we
> >>>>>>>>>>> want to accomplish is to maintain a copy of that traffic for
> >>>>>>>>>>> some
> >>>>>>>>>>> period
> >>>>>>>>>>> of time. Argus was used because it seemed to be the best tool
> >>>>>>>>>>> for
> >>>>>>>>>>> the
> >>>>>>>>>>> price, and it comes with a lot of great features that while we
> >>>>>>>>>>> may
> >>>>>>>>>>> not
> >>>>>>>>>>> use now, we may use later (again, for right now all we want is
> >>>>>>>>>>> a
> >>>>>>>>>>> copy
> >>>>>>>>>>> of
> >>>>>>>>>>> the traffic to be able to perform forensics on).
> >>>>>>>>>>>
> >>>>>>>>>>> Now, I put up a single instance of Argus and pointed it at the
> >>>>>>>>>>> interface
> >>>>>>>>>>> that was the master of our two bonded physical NICs (eth0 and
> >>>>>>>>>>> eth1
> >>>>>>>>>>> are
> >>>>>>>>>>> bonded to bond0). I let it run for an hour to get some
> >>>>>>>>>>> preliminary
> >>>>>>>>>>> numbers. I ran an recount against my output file and got the
> >>>>>>>>>>> following
> >>>>>>>>>>> stats:
> >>>>>>>>>>>
> >>>>>>>>>>> racount -t 2014y3m12d05h -r argus-out
> >>>>>>>>>>> racount records total_pkts src_pkts dst_pkts total_bytes
> >>>>>>>>>>> src_bytes
> >>>>>>>>>>> dst_bytes sum 14236180 187526800 98831765 88695035 212079839908
> >>>>>>>>>>> 102889789820 109190050088
> >>>>>>>>>>>
> >>>>>>>>>>> However, the switch the switch sending that traffic reported
> >>>>>>>>>>> that
> >>>>>>>>>>> it
> >>>>>>>>>>> had
> >>>>>>>>>>> sent a total of 421,978,297 packets to both interfaces, and a
> >>>>>>>>>>> total
> >>>>>>>>>>> of
> >>>>>>>>>>> 371,307,051,815 bytes for that time frame. I could be
> >>>>>>>>>>> interpreting
> >>>>>>>>>>> something incorrectly, so maybe the best first thing for me to
> >>>>>>>>>>> confirm
> >>>>>>>>>>> is
> >>>>>>>>>>> that we are in fact losing a lot of traffic. But it seems that
> >>>>>>>>>>> a
> >>>>>>>>>>> single
> >>>>>>>>>>> argus instance can't keep up with the traffic. I've seen this
> >>>>>>>>>>> happen
> >>>>>>>>>>> with Snort, and our solution was to plug Snort into PF_RING to
> >>>>>>>>>>> allow
> >>>>>>>>>>> the
> >>>>>>>>>>> traffic to be intelligently forwarded via the Snort Data
> >>>>>>>>>>> Acquisition
> >>>>>>>>>>> Library (DAQ). From the perspective of someone who hasn't had
> >>>>>>>>>>> a
> >>>>>>>>>>> lot
> >>>>>>>>>>> of
> >>>>>>>>>>> exposure to this level of hardware configuration, it was
> >>>>>>>>>>> relatively
> >>>>>>>>>>> easy
> >>>>>>>>>>> to plug the configuration parameters in at the Snort command
> >>>>>>>>>>> line
> >>>>>>>>>>> to
> >>>>>>>>>>> have
> >>>>>>>>>>> them all point at the same traffic source so that each
> >>>>>>>>>>> individual
> >>>>>>>>>>> process
> >>>>>>>>>>> didn't run through the same traffic. My hope was that there
> >>>>>>>>>>> might
> >>>>>>>>>>> just
> >>>>>>>>>>> be some parameters to set within the argus.conf file which
> >>>>>>>>>>> would
> >>>>>>>>>>> tell
> >>>>>>>>>>> each process to pull from a single PF_RING source. However, it
> >>>>>>>>>>> looks
> >>>>>>>>>>> like this might not be as easy as I had once thought.
> >>>>>>>>>>>
> >>>>>>>>>>> Am I on the right track or does this make even a little sense?
> >>>>>>>>>>>
> >>>>>>>>>>> Thanks,
> >>>>>>>>>>>
> >>>>>>>>>>> Jeff
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>> From: Carter Bullard
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>> <carter at qosient.com<mailto:carter at qosient.com><mailto:carter at qosi
> >>>>>>>>>>> e
> >>>>>>>>>>> nt
> >>>>>>>>>>> .c
> >>>>>>>>>>> om
> >>>>>>>>>>>>>
> >>>>>>>>>>> Date: Wednesday, March 12, 2014 at 9:54 AM
> >>>>>>>>>>> To: "Reynolds, Jeffrey"
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>> <JReynolds at utdallas.edu<mailto:JReynolds at utdallas.edu><mailto:JRe
> >>>>>>>>>>> y
> >>>>>>>>>>> no
> >>>>>>>>>>> ld
> >>>>>>>>>>> s@
> >>>>>>>>>>> ut
> >>>>>>>>>>> dallas.edu>>
> >>>>>>>>>>> Cc: Argus
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>> <argus-info at lists.andrew.cmu.edu<mailto:argus-info at lists.andrew.c
> >>>>>>>>>>> m
> >>>>>>>>>>> u.
> >>>>>>>>>>> ed
> >>>>>>>>>>> u>
> >>>>>>>>>>> <m
> >>>>>>>>>>> ailto:argus-info at lists.andrew.cmu.edu>>
> >>>>>>>>>>> Subject: Re: [ARGUS] Multi-Instanced Argus
> >>>>>>>>>>>
> >>>>>>>>>>> Hey Jeffrey,
> >>>>>>>>>>> I am very interested in this approach, but I have no experience
> >>>>>>>>>>> with
> >>>>>>>>>>> this
> >>>>>>>>>>> PF_RING feature, so I'll have to give you the "design response".
> >>>>>>>>>>> Hopefully, we can get this to where its doing exactly what
> >>>>>>>>>>> anyone
> >>>>>>>>>>> would
> >>>>>>>>>>> want it to do, and get us a really fast argus, on the cheap.
> >>>>>>>>>>>
> >>>>>>>>>>> First, before we dive into to it too deep, how is the
> >>>>>>>>>>> performance
> >>>>>>>>>>> ??
> >>>>>>>>>>> Are
> >>>>>>>>>>> you getting bi-directional flows out of this scheme ?? Are you
> >>>>>>>>>>> seeing
> >>>>>>>>>>> all the traffic ??? If so, then congratulations !!! If the
> >>>>>>>>>>> performance
> >>>>>>>>>>> is good, your seeing all the traffic, but you're only getting
> >>>>>>>>>>> uni-directional flows, then we may have some work to do, but
> >>>>>>>>>>> still
> >>>>>>>>>>> congratulations !!! If you're not getting all the traffic then
> >>>>>>>>>>> we
> >>>>>>>>>>> have
> >>>>>>>>>>> some real work to do, as one of the purposes of argus is to
> >>>>>>>>>>> monitor
> >>>>>>>>>>> all
> >>>>>>>>>>> the traffic.
> >>>>>>>>>>>
> >>>>>>>>>>> OK, so my understanding is that the PF_RING can do some packet
> >>>>>>>>>>> routing
> >>>>>>>>>>> to
> >>>>>>>>>>> a non-overlapping set of tap interfaces. Routing is based on
> >>>>>>>>>>> some
> >>>>>>>>>>> classification scheme, designed to make this usable. The
> >>>>>>>>>>> purpose
> >>>>>>>>>>> is
> >>>>>>>>>>> to
> >>>>>>>>>>> provide coarse grain parallelism for packet processing. The
> >>>>>>>>>>> idea,
> >>>>>>>>>>> as
> >>>>>>>>>>> much as I can tell, is to prevent multiple readers from having
> >>>>>>>>>>> to
> >>>>>>>>>>> read
> >>>>>>>>>>> from the same queue; eliminating locking issues, which kills
> >>>>>>>>>>> performance
> >>>>>>>>>>> etc...
> >>>>>>>>>>>
> >>>>>>>>>>> So, I'm not sure what you mean by "pulling from the same
> >>>>>>>>>>> queue".
> >>>>>>>>>>>
> >>>>>>>>>>> If
> >>>>>>>>>>> you
> >>>>>>>>>>> do have multiple argi reading the same packet, you will end up
> >>>>>>>>>>> counting a
> >>>>>>>>>>> single packet multiple times. Not a terrible thing, but not
> >>>>>>>>>>> recommended.
> >>>>>>>>>>> Its not that you're creating multiple observation domains using
> >>>>>>>>>>> this
> >>>>>>>>>>> PF_RING technique. You're really splitting a single packet
> >>>>>>>>>>> observation
> >>>>>>>>>>> domain into a multi-sensor facility ... eventually you will
> >>>>>>>>>>> want
> >>>>>>>>>>> to
> >>>>>>>>>>> combine the total argus output into a single output stream, that
> >>>>>>>>>>> represents the single packet observation domain. At least that
> >>>>>>>>>>> is
> >>>>>>>>>>> my
> >>>>>>>>>>> thinking, and I would recommend that you use radium to connect
> >>>>>>>>>>> to
> >>>>>>>>>>> all
> >>>>>>>>>>> of
> >>>>>>>>>>> your argus instances, rather than writing the argus output to a
> >>>>>>>>>>> set
> >>>>>>>>>>> of
> >>>>>>>>>>> files. Radium will generate a single argus data output stream,
> >>>>>>>>>>> representing the argus data from the single observation domain.
> >>>>>>>>>>>
> >>>>>>>>>>> The design issue of using the PF_RING function is "how is
> >>>>>>>>>>> PF_RING
> >>>>>>>>>>> classifying packets to do the routing?".
> >>>>>>>>>>> We would like for it to send packets that belong to the same
> >>>>>>>>>>> bi-directional flow to the same virtual interface, so argus can
> >>>>>>>>>>> do
> >>>>>>>>>>> its
> >>>>>>>>>>> bi-directional thing. PF_RING claims that you can provide your
> >>>>>>>>>>> own
> >>>>>>>>>>> classifier logic, which we can do to make this happen. We have
> >>>>>>>>>>> a
> >>>>>>>>>>> pretty
> >>>>>>>>>>> fast bidirectional hashing scheme which we can try out.
> >>>>>>>>>>>
> >>>>>>>>>>> We have a number of people that are using netmap instead of
> >>>>>>>>>>> PF_RING.
> >>>>>>>>>>> My
> >>>>>>>>>>> understanding is that it also has this same type of feature.
> >>>>>>>>>>> If
> >>>>>>>>>>> we
> >>>>>>>>>>> can
> >>>>>>>>>>> get some people talking about that, that would help a bit.
> >>>>>>>>>>>
> >>>>>>>>>>> Carter
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>> On Mar 12, 2014, at 1:03 AM, Reynolds, Jeffrey
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>> <JReynolds at utdallas.edu<mailto:JReynolds at utdallas.edu><mailto:JRe
> >>>>>>>>>>> y
> >>>>>>>>>>> no
> >>>>>>>>>>> ld
> >>>>>>>>>>> s@
> >>>>>>>>>>> ut
> >>>>>>>>>>> dallas.edu>> wrote:
> >>>>>>>>>>>
> >>>>>>>>>>> Howdy All,
> >>>>>>>>>>>
> >>>>>>>>>>> So after forever and a day, I've finally found time to start
> >>>>>>>>>>> working
> >>>>>>>>>>> on
> >>>>>>>>>>> my multi-instanced argus configuration. Here is my setup:
> >>>>>>>>>>>
> >>>>>>>>>>> -CentOS 6.5 x64
> >>>>>>>>>>> -pfring driver compiled from source
> >>>>>>>>>>> -pfring capable Intel NICs (currently using the ixgbe driver
> >>>>>>>>>>> version
> >>>>>>>>>>> 3.15.1-k) (these NICs are in a bonded configuration under a
> >>>>>>>>>>> device
> >>>>>>>>>>> named
> >>>>>>>>>>> bond0)
> >>>>>>>>>>>
> >>>>>>>>>>> I've configured my startup script to start 5 instances of
> >>>>>>>>>>> Argus,
> >>>>>>>>>>> each
> >>>>>>>>>>> with there own /etc/argusX.conf file (argus1.conf, argus2.conf,
> >>>>>>>>>>> etc).
> >>>>>>>>>>> The start up script correctly assigns the proper pid file to
> >>>>>>>>>>> each
> >>>>>>>>>>> instance, and everything starts and stops smoothly. Each
> >>>>>>>>>>> instance
> >>>>>>>>>>> is
> >>>>>>>>>>> writing an output file to /var/argus in the format of
> >>>>>>>>>>> argusX.out.
> >>>>>>>>>>> When I
> >>>>>>>>>>> first tried running my argus instances, I ran them with a
> >>>>>>>>>>> version
> >>>>>>>>>>> of
> >>>>>>>>>>> PF_RING I had installed from an RPM obtained from the ntop repo.
> >>>>>>>>>>> Things
> >>>>>>>>>>> didn't seem to work correctly, so I tried again after I had
> >>>>>>>>>>> compiled
> >>>>>>>>>>> from
> >>>>>>>>>>> source. After compiling from source, I got the following
> >>>>>>>>>>> output
> >>>>>>>>>>> in
> >>>>>>>>>>> /var/log/messages when I started argus:
> >>>>>>>>>>>
> >>>>>>>>>>> Mar 11 17:48:16 argus kernel: No module found in object Mar 11
> >>>>>>>>>>> 17:49:16
> >>>>>>>>>>> argus kernel: [PF_RING] Welcome to PF_RING 5.6.3 ($Revision:
> >>>>>>>>>>> 7358$)
> >>>>>>>>>>> Mar
> >>>>>>>>>>> 11 17:49:16 argus kernel: (C) 2004-14
> >>>>>>>>>>> ntop.org<http://ntop.org/><http://ntop.org<http://ntop.org/>>
> >>>>>>>>>>> Mar 11 17:49:16 argus kernel: [PF_RING] registered
> >>>>>>>>>>> /proc/net/pf_ring/
> >>>>>>>>>>> Mar
> >>>>>>>>>>> 11 17:49:16 argus kernel: NET: Registered protocol family 27
> >>>>>>>>>>> Mar
> >>>>>>>>>>> 11
> >>>>>>>>>>> 17:49:16 argus kernel: [PF_RING] Min # ring slots 4096
> >>>>>>>>>>> Mar 11 17:49:16 argus kernel: [PF_RING] Slot version 15
> >>>>>>>>>>> Mar 11 17:49:16 argus kernel: [PF_RING] Capture TX Yes
> >>>>>>>>>>> [RX+TX]
> >>>>>>>>>>> Mar 11 17:49:16 argus kernel: [PF_RING] Transparent Mode 0
> >>>>>>>>>>> Mar 11 17:49:16 argus kernel: [PF_RING] IP Defragment No
> >>>>>>>>>>> Mar 11 17:49:16 argus kernel: [PF_RING] Initialized correctly
> >>>>>>>>>>> Mar
> >>>>>>>>>>> 11
> >>>>>>>>>>> 17:49:35 argus kernel: Bluetooth: Core ver 2.15 Mar 11 17:49:35
> >>>>>>>>>>> argus
> >>>>>>>>>>> kernel: NET: Registered protocol family 31 Mar 11 17:49:35 argus
> >>>>>>>>>>> kernel:
> >>>>>>>>>>> Bluetooth: HCI device and connection manager initialized Mar 11
> >>>>>>>>>>> 17:49:35
> >>>>>>>>>>> argus kernel: Bluetooth: HCI socket layer initialized Mar 11
> >>>>>>>>>>> 17:49:35
> >>>>>>>>>>> argus kernel: Netfilter messages via NETLINK v0.30.
> >>>>>>>>>>> Mar 11 17:49:35 argus argus[13918]: 11 Mar 14 17:49:35.643243
> >>>>>>>>>>> started
> >>>>>>>>>>> Mar
> >>>>>>>>>>> 11 17:49:35 argus argus[13918]: 11 Mar 14 17:49:35.693930
> >>>>>>>>>>> started
> >>>>>>>>>>> Mar
> >>>>>>>>>>> 11
> >>>>>>>>>>> 17:49:35 argus kernel: device bond0 entered promiscuous mode
> >>>>>>>>>>> Mar
> >>>>>>>>>>> 11
> >>>>>>>>>>> 17:49:35 argus kernel: device em1 entered promiscuous mode Mar
> >>>>>>>>>>> 11
> >>>>>>>>>>> 17:49:35 argus kernel: device em2 entered promiscuous mode Mar
> >>>>>>>>>>> 11
> >>>>>>>>>>> 17:49:35 argus argus[13918]: 11 Mar 14 17:49:35.721490
> >>>>>>>>>>> ArgusGetInterfaceStatus: interface bond0 is up Mar 11 17:49:36
> >>>>>>>>>>> argus
> >>>>>>>>>>> argus[13922]: 11 Mar 14 17:49:36.349202 started Mar 11 17:49:36
> >>>>>>>>>>> argus
> >>>>>>>>>>> argus[13922]: 11 Mar 14 17:49:36.364625 started Mar 11 17:49:36
> >>>>>>>>>>> argus
> >>>>>>>>>>> argus[13922]: 11 Mar 14 17:49:36.383623 ArgusGetInterfaceStatus:
> >>>>>>>>>>> interface bond0 is up Mar 11 17:49:37 argus argus[13926]: 11
> >>>>>>>>>>> Mar
> >>>>>>>>>>> 14
> >>>>>>>>>>> 17:49:37.045224 started Mar 11 17:49:37 argus argus[13926]: 11
> >>>>>>>>>>> Mar
> >>>>>>>>>>> 14
> >>>>>>>>>>> 17:49:37.060689 started Mar 11 17:49:37 argus argus[13926]: 11
> >>>>>>>>>>> Mar
> >>>>>>>>>>> 14
> >>>>>>>>>>> 17:49:37.079706 ArgusGetInterfaceStatus: interface bond0 is up
> >>>>>>>>>>> Mar
> >>>>>>>>>>> 11
> >>>>>>>>>>> 17:49:37 argus argus[13930]: 11 Mar 14 17:49:37.753278 started
> >>>>>>>>>>> Mar
> >>>>>>>>>>> 11
> >>>>>>>>>>> 17:49:37 argus argus[13930]: 11 Mar 14 17:49:37.768613 started
> >>>>>>>>>>> Mar
> >>>>>>>>>>> 11
> >>>>>>>>>>> 17:49:37 argus argus[13930]: 11 Mar 14 17:49:37.785691
> >>>>>>>>>>> ArgusGetInterfaceStatus: interface bond0 is up Mar 11 17:49:38
> >>>>>>>>>>> argus
> >>>>>>>>>>> argus[13934]: 11 Mar 14 17:49:38.449229 started Mar 11 17:49:38
> >>>>>>>>>>> argus
> >>>>>>>>>>> argus[13934]: 11 Mar 14 17:49:38.466365 started Mar 11 17:49:38
> >>>>>>>>>>> argus
> >>>>>>>>>>> argus[13934]: 11 Mar 14 17:49:38.485675 ArgusGetInterfaceStatus:
> >>>>>>>>>>> interface bond0 is up
> >>>>>>>>>>>
> >>>>>>>>>>> Aside from the "No module found in object" error, everything
> >>>>>>>>>>> seems
> >>>>>>>>>>> like
> >>>>>>>>>>> its working Ok. The only problem is that I don't seem to have
> >>>>>>>>>>> my
> >>>>>>>>>>> argus
> >>>>>>>>>>> instances configured to pull traffic from the same queue. In
> >>>>>>>>>>> other
> >>>>>>>>>>> words, I have five output files from five argus instances with
> >>>>>>>>>>> like
> >>>>>>>>>>> traffic in all of them. I haven't made any changes to my argus
> >>>>>>>>>>> config
> >>>>>>>>>>> files, aside from telling them to write to different locations
> >>>>>>>>>>> and
> >>>>>>>>>>> the
> >>>>>>>>>>> name of the interface. I know I'm missing something but I'm not
> >>>>>>>>>>> quite
> >>>>>>>>>>> sure what it is. If someone might be able to tell me how to
> >>>>>>>>>>> configure
> >>>>>>>>>>> these five instances to pull from the same PF_RING queue, I'd
> >>>>>>>>>>> be
> >>>>>>>>>>> mighty
> >>>>>>>>>>> obliged. Let me know if I need to submit any additional
> >>>>>>>>>>> information.
> >>>>>>>>>>>
> >>>>>>>>>>> Thanks,
> >>>>>>>>>>>
> >>>>>>>>>>> Jeff Reynolds
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>
> >>>>>>>
> >>>>>
> >>>
>
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: smime.p7s
> Type: application/pkcs7-signature
> Size: 6837 bytes
> Desc: not available
> Url : https://lists.andrew.cmu.edu/mailman/private/argus-info/attachments/20140417/fd463920/attachment.bin
>
> ------------------------------
>
> _______________________________________________
> Argus-info mailing list
> Argus-info at lists.andrew.cmu.edu
> https://lists.andrew.cmu.edu/mailman/listinfo/argus-info
>
>
> End of Argus-info Digest, Vol 104, Issue 31
> *******************************************
>
>
>
> --
> Best Regards,
>
> CS Lee<geek00L[at]gmail.com>
>
> http://geek00l.blogspot.com
> http://defcraft.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6837 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20140418/add3cc42/attachment.bin>
More information about the argus
mailing list