Minor bug in argus 3.0.8 - no new out file created

Mon Oct 20 11:28:00 EDT 2014

Hey /Elof,
OK, looking at the code, nothing jumps out.
Let me see if I can replicate the problem here.

Carter

On Oct 20, 2014, at 11:04 AM, elof2 at sentor.se wrote:

> 
> The interface is up, but the link is down OR there are zero packets mirrored to the port. I.e. the NIC is completely silent.
> 
> 
> mon0 is silent.
> I start argus and the out.log is created.
> Every minute, MAR-status is appended to it.
> So far everything is ok.
> 
> If I now run 'rm out.log', a new out.log won't be created in 3.0.8 while it was created in 3.0.6.
> 
> 
> 
> Yes. When packets start to arrive, argus immediately creates the out.log file.
> 
> 
> Not a laptop, it's a sensor that monitor a network environment that I don't control myself. So if they do a shutdown on the SPAN port, or if they monitor an equipment that has been turned off, or if they reset the switch and loose the SPAN-configuration so that nothing gets mirrored (and there's no spanning tree, Cisco Discovery Protocol or anything else that generates packets on the SPAN port), or when there's simply a long period of complete silence... then you get zero packets on the ARGUS_INTERFACE.
> 
> /Elof
> 
> 
> On Mon, 20 Oct 2014, Carter Bullard wrote:
> 
>> So, the interface is up, but no traffic, or the interface is down ???
>> When traffic does arrive, does argus just wake up, create the file
>> and process packets ???
>> 
>> So is this a laptop that is going to sleep, or is this just
>> a long period of no packets showing up ??
>> 
>> Carter
>> 
>> On Oct 17, 2014, at 4:20 AM, elof2 at sentor.se wrote:
>> 
>>> 
>>> This is the full argus.conf:
>>> 
>>> ARGUS_MONITOR_ID=1.2.3.4
>>> ARGUS_INTERFACE=mon0
>>> ARGUS_OUTPUT_FILE=/usr/foobar/log/out.log
>>> ARGUS_MAR_STATUS_INTERVAL=60
>>> ARGUS_DAEMON=yes
>>> ARGUS_ACCESS_PORT=0
>>> ARGUS_GENERATE_MAC_DATA=yes
>>> ARGUS_CAPTURE_DATA_LEN=120
>>> ARGUS_FILTER=""
>>> 
>>> I'm running on FreeBSD.
>>> 
>>> "mon0" is my sniffer-NIC.
>>> 
>>> As long as argus see traffic on mon0, /usr/foobar/log/out.log is always recreated after I yank away the file from beneath the argus daemon's feet. However, if mon0 is completely silent, the file isn't recreated (and filled with a MAR-status entry every minute).
>>> 
>>> /Elof
>>> 
>>> 
>>> On Thu, 16 Oct 2014, Carter Bullard wrote:
>>> 
>>>> Checking this out now, now.  Assuming argus.conf file ...
>>>> What is the ARGUS_INTERFACE defined to be ???
>>>> Is there a ARGUS_MONITOR_ID defined ...
>>>> 
>>>> Carter
>>>> 
>>>> On Oct 15, 2014, at 9:28 AM, elof2 at sentor.se wrote:
>>>> 
>>>>> 
>>>>> Hi Carter!
>>>>> 
>>>>> Something seem to have changed between 3.0.6 and 3.0.8 regarding the recreation of the ARGUS_OUTPUT_FILE.
>>>>> 
>>>>> 
>>>>> I have ARGUS_MAR_STATUS_INTERVAL=60.
>>>>> My sniffer NIC is currently offline, so argus will see 0 packets.
>>>>> Argus will log the MAR-status to my output file every minute.
>>>>> 
>>>>> So far everything is good, and simillar to argus 3.0.6.
>>>>> 
>>>>> Every 5 minutes I move the output file to an archive dir where it is appended to an hourly file, stripped and sent to another archive, etc.
>>>>> This has been working fine for years.
>>>>> 
>>>>> Argus =< 3.0.6 created a new output file in its place.
>>>>> Argus 3.0.8 don't do this. No new file is created (unless there are flow data on the sniffer port, then a new file is created).
>>>>> 
>>>>> Result:
>>>>> My archive files no longer get any MAR-status data for completely silent sensors.
>>>>> 
>>>>> 
>>>>> 
>>>>> As I said, this is a minor bug but still annoying. :)
>>>>> 
>>>>> /Elof
>>>>> 
>>>> 
>>>> 
>>> 
>> 
>> 
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20141020/a9018b37/attachment.sig>