Multi-Instanced Argus
Reynolds, Jeffrey
JReynolds at utdallas.edu
Wed Mar 12 01:03:25 EDT 2014
Howdy All,
So after forever and a day, I’ve finally found time to start working on my multi-instanced argus configuration. Here is my setup:
-CentOS 6.5 x64
-pfring driver compiled from source
-pfring capable Intel NICs (currently using the ixgbe driver version 3.15.1-k)
(these NICs are in a bonded configuration under a device named bond0)
I’ve configured my startup script to start 5 instances of Argus, each with their own /etc/argusX.conf file (argus1.conf, argus2.conf, etc). The startup script correctly assigns the proper pid file to each instance, and everything starts and stops smoothly. Each instance is writing an output file to /var/argus in the format of argusX.out. When I first tried running my argus instances, I ran them with a version of PF_RING I had installed from an RPM obtained from the ntop repo. Things didn’t seem to work correctly, so I tried again after I had compiled from source. After compiling from source, I got the following output in /var/log/messages when I started argus:
Mar 11 17:48:16 argus kernel: No module found in object
Mar 11 17:49:16 argus kernel: [PF_RING] Welcome to PF_RING 5.6.3 ($Revision: 7358$)
Mar 11 17:49:16 argus kernel: (C) 2004-14 ntop.org
Mar 11 17:49:16 argus kernel: [PF_RING] registered /proc/net/pf_ring/
Mar 11 17:49:16 argus kernel: NET: Registered protocol family 27
Mar 11 17:49:16 argus kernel: [PF_RING] Min # ring slots 4096
Mar 11 17:49:16 argus kernel: [PF_RING] Slot version 15
Mar 11 17:49:16 argus kernel: [PF_RING] Capture TX Yes [RX+TX]
Mar 11 17:49:16 argus kernel: [PF_RING] Transparent Mode 0
Mar 11 17:49:16 argus kernel: [PF_RING] IP Defragment No
Mar 11 17:49:16 argus kernel: [PF_RING] Initialized correctly
Mar 11 17:49:35 argus kernel: Bluetooth: Core ver 2.15
Mar 11 17:49:35 argus kernel: NET: Registered protocol family 31
Mar 11 17:49:35 argus kernel: Bluetooth: HCI device and connection manager initialized
Mar 11 17:49:35 argus kernel: Bluetooth: HCI socket layer initialized
Mar 11 17:49:35 argus kernel: Netfilter messages via NETLINK v0.30.
Mar 11 17:49:35 argus argus[13918]: 11 Mar 14 17:49:35.643243 started
Mar 11 17:49:35 argus argus[13918]: 11 Mar 14 17:49:35.693930 started
Mar 11 17:49:35 argus kernel: device bond0 entered promiscuous mode
Mar 11 17:49:35 argus kernel: device em1 entered promiscuous mode
Mar 11 17:49:35 argus kernel: device em2 entered promiscuous mode
Mar 11 17:49:35 argus argus[13918]: 11 Mar 14 17:49:35.721490 ArgusGetInterfaceStatus: interface bond0 is up
Mar 11 17:49:36 argus argus[13922]: 11 Mar 14 17:49:36.349202 started
Mar 11 17:49:36 argus argus[13922]: 11 Mar 14 17:49:36.364625 started
Mar 11 17:49:36 argus argus[13922]: 11 Mar 14 17:49:36.383623 ArgusGetInterfaceStatus: interface bond0 is up
Mar 11 17:49:37 argus argus[13926]: 11 Mar 14 17:49:37.045224 started
Mar 11 17:49:37 argus argus[13926]: 11 Mar 14 17:49:37.060689 started
Mar 11 17:49:37 argus argus[13926]: 11 Mar 14 17:49:37.079706 ArgusGetInterfaceStatus: interface bond0 is up
Mar 11 17:49:37 argus argus[13930]: 11 Mar 14 17:49:37.753278 started
Mar 11 17:49:37 argus argus[13930]: 11 Mar 14 17:49:37.768613 started
Mar 11 17:49:37 argus argus[13930]: 11 Mar 14 17:49:37.785691 ArgusGetInterfaceStatus: interface bond0 is up
Mar 11 17:49:38 argus argus[13934]: 11 Mar 14 17:49:38.449229 started
Mar 11 17:49:38 argus argus[13934]: 11 Mar 14 17:49:38.466365 started
Mar 11 17:49:38 argus argus[13934]: 11 Mar 14 17:49:38.485675 ArgusGetInterfaceStatus: interface bond0 is up
Aside from the “No module found in object” error, everything seems like it’s working OK. The only problem is that I don’t seem to have my argus instances configured to pull traffic from the same queue. In other words, I have five output files from five argus instances with like traffic in all of them. I haven’t made any changes to my argus config files, aside from telling them to write to different locations and the name of the interface. I know I’m missing something but I’m not quite sure what it is. If someone might be able to tell me how to configure these five instances to pull from the same PF_RING queue, I’d be mighty obliged. Let me know if I need to submit any additional information.
Thanks,
Jeff Reynolds
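An added check for the symptom described in the post (example code, not from the post or from the Argus project): given flow keys exported from each instance's output file, it reports what fraction of flows show up in more than one instance, and contrasts that with what a per-flow cluster should produce. The "proto,saddr,sport,daddr,dport" field layout, the hash used to simulate per-flow balancing, and the flow lines themselves are assumptions constructed for this example.

```python
import hashlib
from collections import Counter

# Constructed sample flow keys, assumed to be exported from each argusX.out
# as "proto,saddr,sport,daddr,dport" (the field order is an assumption).
SAMPLE_FLOWS = [
    "tcp,10.0.0.5,51000,10.0.0.10,443",
    "tcp,10.0.0.10,443,10.0.0.5,51000",   # reverse direction of the flow above
    "udp,10.0.0.6,5353,10.0.0.255,5353",
    "tcp,10.0.0.7,40022,10.0.0.20,22",
    "tcp,10.0.0.8,33001,10.0.0.30,80",
]

def flow_key(line):
    """Direction-independent key so both halves of a conversation match."""
    proto, saddr, sport, daddr, dport = line.strip().split(",")
    a, b = (saddr, sport), (daddr, dport)
    if a > b:
        a, b = b, a
    return (proto, a, b)

def overlap_report(outputs):
    """outputs: {instance_name: [flow lines]} -> (distinct flows, duplicate fraction).

    A duplicate is a flow that was recorded by more than one instance."""
    seen_by = Counter()
    for lines in outputs.values():
        for key in {flow_key(l) for l in lines}:
            seen_by[key] += 1
    total = len(seen_by)
    dups = sum(1 for n in seen_by.values() if n > 1)
    return total, (dups / total if total else 0.0)

def per_flow_balance(lines, n_instances):
    """Simulate per-flow load balancing: each flow goes to exactly one instance.
    (Hypothetical hash; stands in for what the capture layer would do.)"""
    outputs = {f"argus{i + 1}": [] for i in range(n_instances)}
    for line in lines:
        digest = hashlib.sha256(repr(flow_key(line)).encode()).digest()
        idx = int.from_bytes(digest[:4], "big") % n_instances
        outputs[f"argus{idx + 1}"].append(line)
    return outputs

# What the post describes: all five instances recorded the same traffic.
UNCLUSTERED = {f"argus{i}": list(SAMPLE_FLOWS) for i in range(1, 6)}
# What a correctly balanced setup should look like.
CLUSTERED = per_flow_balance(SAMPLE_FLOWS, 5)
```

Running `overlap_report` over real exports is the quickest way to confirm whether the instances are still seeing identical traffic after a configuration change: the duplicate fraction should drop from 1.0 toward 0.0.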