Minor bug in argus 3.0.8 - no new out file created

Carter Bullard carter at qosient.com
Mon Oct 27 11:59:12 EDT 2014


Hey /Elof,
OK, the argus output process has a notion of the global time,
which is set at startup and then updated in a loop in the
routine ArgusOutputProcess().  It may be that in your case this
timestamp is not being set properly, as we have some conditionals
around this timestamp.

We check to see if we need to generate a status record in the
routine ArgusOutputStatusTime(); it may be that you should
update the ArgusGlobalTime in that routine ??..??..??

Give this patch a try, just to see if it does what you want.

Carter


thoth:argus carter$ p4 diff -dc ArgusOutput.c
==== //depot/argus/argus/argus/ArgusOutput.c#80 - /Volumes/Users/carter/argus/argus/argus/ArgusOutput.c ====
***************
*** 462,467 ****
--- 462,468 ----
  {
     int retn = 0;
  
+    gettimeofday (&output->ArgusGlobalTime, 0L);
  
     if ((output->ArgusReportTime.tv_sec  < output->ArgusGlobalTime.tv_sec) ||
        ((output->ArgusReportTime.tv_sec == output->ArgusGlobalTime.tv_sec) &&
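Review bot: the added `gettimeofday (&output->ArgusGlobalTime, 0L);` at the top of the routine makes the status-time comparison that follows independent of whatever last updated ArgusGlobalTime, which is the intended fix for a silent interface, but it also makes this routine a second writer of a clock the message says ArgusOutputProcess() already maintains in its loop; if anything else in the output process relies on ArgusGlobalTime being stable within one loop iteration, that should be checked. Minor points: the return value of gettimeofday() is ignored, and NULL reads more clearly than 0L for the timezone argument.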




On Oct 20, 2014, at 11:28 AM, Carter Bullard <carter at qosient.com> wrote:

> Hey /Elof,
> OK, looking at the code, nothing jumps out.
> Let me see if I can replicate the problem here.
> 
> Carter
> 
> On Oct 20, 2014, at 11:04 AM, elof2 at sentor.se wrote:
> 
>> 
>> The interface is up, but the link is down OR there are zero packets mirrored to the port. I.e. the NIC is completely silent.
>> 
>> 
>> mon0 is silent.
>> I start argus and the out.log is created.
>> Every minute, MAR-status is appended to it.
>> So far everything is ok.
>> 
>> If I now run 'rm out.log', a new out.log won't be created in 3.0.8 while it was created in 3.0.6.
>> 
>> 
>> 
>> Yes. When packets start to arrive, argus immediately creates the out.log file.
>> 
>> 
>> Not a laptop, it's a sensor that monitors a network environment that I don't control myself. So if they do a shutdown on the SPAN port, or if they monitor an equipment that has been turned off, or if they reset the switch and lose the SPAN-configuration so that nothing gets mirrored (and there's no spanning tree, Cisco Discovery Protocol or anything else that generates packets on the SPAN port), or when there's simply a long period of complete silence... then you get zero packets on the ARGUS_INTERFACE.
>> 
>> /Elof
>> 
>> 
>> On Mon, 20 Oct 2014, Carter Bullard wrote:
>> 
>>> So, the interface is up, but no traffic, or the interface is down ???
>>> When traffic does arrive, does argus just wake up, create the file
>>> and process packets ???
>>> 
>>> So is this a laptop that is going to sleep, or is this just
>>> a long period of no packets showing up ??
>>> 
>>> Carter
>>> 
>>> On Oct 17, 2014, at 4:20 AM, elof2 at sentor.se wrote:
>>> 
>>>> 
>>>> This is the full argus.conf:
>>>> 
>>>> ARGUS_MONITOR_ID=1.2.3.4
>>>> ARGUS_INTERFACE=mon0
>>>> ARGUS_OUTPUT_FILE=/usr/foobar/log/out.log
>>>> ARGUS_MAR_STATUS_INTERVAL=60
>>>> ARGUS_DAEMON=yes
>>>> ARGUS_ACCESS_PORT=0
>>>> ARGUS_GENERATE_MAC_DATA=yes
>>>> ARGUS_CAPTURE_DATA_LEN=120
>>>> ARGUS_FILTER=""
>>>> 
>>>> I'm running on FreeBSD.
>>>> 
>>>> "mon0" is my sniffer-NIC.
>>>> 
>>>> As long as argus sees traffic on mon0, /usr/foobar/log/out.log is always recreated after I yank away the file from beneath the argus daemon's feet. However, if mon0 is completely silent, the file isn't recreated (and filled with a MAR-status entry every minute).
>>>> 
>>>> /Elof
>>>> 
>>>> 
>>>> On Thu, 16 Oct 2014, Carter Bullard wrote:
>>>> 
>>>>> Checking this out now, now.  Assuming argus.conf file ...
>>>>> What is the ARGUS_INTERFACE defined to be ???
>>>>> Is there a ARGUS_MONITOR_ID defined ...
>>>>> 
>>>>> Carter
>>>>> 
>>>>> On Oct 15, 2014, at 9:28 AM, elof2 at sentor.se wrote:
>>>>> 
>>>>>> 
>>>>>> Hi Carter!
>>>>>> 
>>>>>> Something seems to have changed between 3.0.6 and 3.0.8 regarding the recreation of the ARGUS_OUTPUT_FILE.
>>>>>> 
>>>>>> 
>>>>>> I have ARGUS_MAR_STATUS_INTERVAL=60.
>>>>>> My sniffer NIC is currently offline, so argus will see 0 packets.
>>>>>> Argus will log the MAR-status to my output file every minute.
>>>>>> 
>>>>>> So far everything is good, and similar to argus 3.0.6.
>>>>>> 
>>>>>> Every 5 minutes I move the output file to an archive dir where it is appended to an hourly file, stripped and sent to another archive, etc.
>>>>>> This has been working fine for years.
>>>>>> 
>>>>>> Argus <= 3.0.6 created a new output file in its place.
>>>>>> Argus 3.0.8 doesn't do this. No new file is created (unless there are flow data on the sniffer port, then a new file is created).
>>>>>> 
>>>>>> Result:
>>>>>> My archive files no longer get any MAR-status data for completely silent sensors.
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> As I said, this is a minor bug but still annoying. :)
>>>>>> 
>>>>>> /Elof
>>>>>> 
>>>>> 
>>>>> 
>>>> 
>>> 
>>> 
>> 
> 
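The timing check that the thread turns on, modelled as an added example (this is not argus code; the struct, field names and function names are hypothetical stand-ins for the output-process state the message describes): a status record is due when the report time is at or before the output process's notion of "now", so if that clock is only advanced by packet arrivals, a silent interface never sees a record become due. The example takes the clock as a parameter instead of calling gettimeofday() so the behaviour is deterministic.

```c
/* Added example, not from argus: models the status-record timing check
 * with a "global time" that is either refreshed on each call (as the
 * patch in this message does) or left stale (only packet arrival would
 * advance it). All names below are hypothetical stand-ins. */
#include <stddef.h>
#include <sys/time.h>

/* Hypothetical stand-in for the relevant fields of argus's output state. */
struct output_state {
    struct timeval global_time;   /* "now" as the output process sees it */
    struct timeval report_time;   /* when the next status record is due */
    long status_interval_sec;     /* ARGUS_MAR_STATUS_INTERVAL */
};

/* Returns 1 when a <= b, comparing seconds first and then microseconds
 * so that two timestamps in the same second are ordered correctly. */
static int timeval_le(const struct timeval *a, const struct timeval *b)
{
    return (a->tv_sec < b->tv_sec) ||
           (a->tv_sec == b->tv_sec && a->tv_usec <= b->tv_usec);
}

/* Decide whether a status record is due. If `now` is non-NULL the global
 * clock is refreshed from it first (the patched behaviour); if NULL the
 * stored global_time is used as-is (the unpatched, packet-driven clock).
 * Returns 1 and schedules the next report when a record is due, else 0. */
int status_due(struct output_state *o, const struct timeval *now)
{
    if (now != NULL)
        o->global_time = *now;

    if (timeval_le(&o->report_time, &o->global_time)) {
        o->report_time.tv_sec  = o->global_time.tv_sec + o->status_interval_sec;
        o->report_time.tv_usec = o->global_time.tv_usec;
        return 1;
    }
    return 0;
}

/* Simulate `seconds` of wall-clock time on an interface that receives no
 * packets, ticking the status check once per second. With refresh == 0 the
 * global clock never advances, so the count of records written stays 0. */
int simulate_silent_interface(struct output_state *o, long seconds, int refresh)
{
    int records = 0;
    struct timeval now = o->global_time;
    for (long t = 0; t < seconds; t++) {
        now.tv_sec++;
        records += status_due(o, refresh ? &now : NULL);
    }
    return records;
}
```

With a 60-second interval, five minutes of silence yields five status records when the clock is refreshed in the check and none when it is not, which is the symptom reported for the silent sensor.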
