Minor bug in argus 3.0.8 - no new out file created
elof2 at sentor.se
Thu Oct 30 15:47:00 EDT 2014
Hi Carter.
Nope, the fix didn't work.
You can test it yourself by creating an interface which is completely
silent. I use lo0, on which, as 'netstat -in' shows, no packets are
received.
/etc/argus.conf
ARGUS_MONITOR_ID=10.10.10.10
ARGUS_INTERFACE=lo0
ARGUS_OUTPUT_FILE=/root/out.log
ARGUS_DAEMON=yes
ARGUS_ACCESS_PORT=0
ARGUS_GENERATE_MAC_DATA=yes
ARGUS_CAPTURE_DATA_LEN=120
ARGUS_FILTER=""
ARGUS_MAR_STATUS_INTERVAL=60
Start argus
out.log is created with 128 bytes.
The next minute it grows to 256 bytes.
The next minute it's 384.
I rename it.
No new out.log is created, but the renamed file keeps growing every
minute.
I remove it completely.
No new out.log is created.
I ping 127.0.0.1 for 3 seconds.
Still no out.log.
I ping 127.0.0.1 for 3 more seconds.
Now out.log got created, and it grows with MAR events every minute.
If I rename it again, the renamed file will keep growing until I send some
packets, then a new out.log gets created with the flows and the MAR events
keep going there.
So no, the fix didn't work.
/Elof
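As an added example that is not part of this thread or of the argus project: a rotation helper in the spirit of the five-minute archive move described below, which verifies that the daemon recreates ARGUS_OUTPUT_FILE after the move and alerts when it does not, so the "no new out.log" condition is detected instead of silently losing MAR status records for a silent sensor. The paths, the 90-second default timeout and the archive naming are assumptions.

```shell
#!/bin/sh
# Added example (not argus project code): rotate an argus output file and
# verify that the daemon recreates it at the original path.
#
# Usage: rotate_and_verify /root/out.log /var/argus/archive 90
#   returns 0 - a new file appeared at the original path within the timeout
#   returns 1 - no new file (the behaviour reported for 3.0.8 on a silent NIC)
#   returns 2 - nothing to rotate, or the move itself failed

rotate_and_verify() {
    out="$1"; archive="$2"; timeout="${3:-90}"

    [ -f "$out" ] || { echo "no output file at $out; nothing to rotate" >&2; return 2; }
    mkdir -p "$archive" || return 2

    # One archive file per rotation (assumed naming: out.log.YYYYmmddHHMMSS).
    stamp=$(date +%Y%m%d%H%M%S)
    dest="$archive/$(basename "$out").$stamp"
    mv "$out" "$dest" || return 2
    echo "rotated $out -> $dest"

    # The daemon keeps writing to the renamed inode until it notices that the
    # path is gone, so poll the original path for a fresh file.
    waited=0
    while [ "$waited" -lt "$timeout" ]; do
        if [ -f "$out" ]; then
            echo "new $out created after ${waited}s"
            return 0
        fi
        sleep 1
        waited=$((waited + 1))
    done

    echo "ALERT: $out not recreated within ${timeout}s;" \
         "records are still being appended to $dest" >&2
    return 1
}
```

Run it from the same cron job that does the archive move; a non-zero exit is the signal that the sensor's status records are no longer landing where the archive pipeline expects them.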
On Mon, 27 Oct 2014, Carter Bullard wrote:
> Hey /Elof,
> OK, the argus output process has a notion of the global time,
> which is set at startup and then updated in a loop in the
> routine ArgusOutputProcess(). It may be that in your case this
> timestamp is not being set properly, as we have some conditionals
> around this timestamp.
>
> We check to see if we need to generate a status record in the
> routine ArgusOutputStatusTime(), it may be that you should
> update the ArgusGlobalTime in that routine ??..??..??
>
> Give this patch a try, just to see if it does what you want.
>
> Carter
>
>
> thoth:argus carter$ p4 diff -dc ArgusOutput.c
> ==== //depot/argus/argus/argus/ArgusOutput.c#80 - /Volumes/Users/carter/argus/argus/argus/ArgusOutput.c ====
> ***************
> *** 462,467 ****
> --- 462,468 ----
> {
> int retn = 0;
>
> + gettimeofday (&output->ArgusGlobalTime, 0L);
>
> if ((output->ArgusReportTime.tv_sec < output->ArgusGlobalTime.tv_sec) ||
> ((output->ArgusReportTime.tv_sec == output->ArgusGlobalTime.tv_sec) &&
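Review bot: refreshing output->ArgusGlobalTime at the top of this routine only changes when the status record is judged due; nothing in the hunk touches the code that notices the output file has been renamed or removed and reopens it, so the reported symptom (the renamed file keeps growing, a new out.log appears only once packets arrive) stays as it is. The check that ARGUS_OUTPUT_FILE still exists at its path needs to run on the MAR status-record path as well, not only when packets are processed, otherwise a silent interface never triggers the reopen. Minor: the second argument to gettimeofday() is a `struct timezone *`, so pass NULL rather than `0L`.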
>
>
>
>
> On Oct 20, 2014, at 11:28 AM, Carter Bullard <carter at qosient.com> wrote:
>
>> Hey /Elof,
>> OK, looking at the code, nothing jumps out.
>> Let me see if I can replicate the problem here.
>>
>> Carter
>>
>> On Oct 20, 2014, at 11:04 AM, elof2 at sentor.se wrote:
>>
>>>
>>> The interface is up, but the link is down OR there are zero packets mirrored to the port. I.e. the NIC is completely silent.
>>>
>>>
>>> mon0 is silent.
>>> I start argus and the out.log is created.
>>> Every minute, MAR-status is appended to it.
>>> So far everything is ok.
>>>
>>> If I now run 'rm out.log', a new out.log won't be created in 3.0.8 while it was created in 3.0.6.
>>>
>>>
>>>
>>> Yes. When packets start to arrive, argus immediately creates the out.log file.
>>>
>>>
>>> Not a laptop, it's a sensor that monitors a network environment that I don't control myself. So if they do a shutdown on the SPAN port, or if they monitor a piece of equipment that has been turned off, or if they reset the switch and lose the SPAN configuration so that nothing gets mirrored (and there's no spanning tree, Cisco Discovery Protocol or anything else that generates packets on the SPAN port), or when there's simply a long period of complete silence... then you get zero packets on the ARGUS_INTERFACE.
>>>
>>> /Elof
>>>
>>>
>>> On Mon, 20 Oct 2014, Carter Bullard wrote:
>>>
>>>> So, the interface is up, but no traffic, or the interface is down ???
>>>> When traffic does arrive, does argus just wake up, create the file
>>>> and process packets ???
>>>>
>>>> So is this a laptop that is going to sleep, or is this just
>>>> a long period of no packets showing up ??
>>>>
>>>> Carter
>>>>
>>>> On Oct 17, 2014, at 4:20 AM, elof2 at sentor.se wrote:
>>>>
>>>>>
>>>>> This is the full argus.conf:
>>>>>
>>>>> ARGUS_MONITOR_ID=1.2.3.4
>>>>> ARGUS_INTERFACE=mon0
>>>>> ARGUS_OUTPUT_FILE=/usr/foobar/log/out.log
>>>>> ARGUS_MAR_STATUS_INTERVAL=60
>>>>> ARGUS_DAEMON=yes
>>>>> ARGUS_ACCESS_PORT=0
>>>>> ARGUS_GENERATE_MAC_DATA=yes
>>>>> ARGUS_CAPTURE_DATA_LEN=120
>>>>> ARGUS_FILTER=""
>>>>>
>>>>> I'm running on FreeBSD.
>>>>>
>>>>> "mon0" is my sniffer-NIC.
>>>>>
>>>>> As long as argus sees traffic on mon0, /usr/foobar/log/out.log is always recreated after I yank the file away from beneath the argus daemon's feet. However, if mon0 is completely silent, the file isn't recreated (and filled with a MAR-status entry every minute).
>>>>>
>>>>> /Elof
>>>>>
>>>>>
>>>>> On Thu, 16 Oct 2014, Carter Bullard wrote:
>>>>>
>>>>>> Checking this out now, now. Assuming argus.conf file ...
>>>>>> What is the ARGUS_INTERFACE defined to be ???
>>>>>> Is there an ARGUS_MONITOR_ID defined ...
>>>>>>
>>>>>> Carter
>>>>>>
>>>>>> On Oct 15, 2014, at 9:28 AM, elof2 at sentor.se wrote:
>>>>>>
>>>>>>>
>>>>>>> Hi Carter!
>>>>>>>
>>>>>>> Something seems to have changed between 3.0.6 and 3.0.8 regarding the recreation of the ARGUS_OUTPUT_FILE.
>>>>>>>
>>>>>>>
>>>>>>> I have ARGUS_MAR_STATUS_INTERVAL=60.
>>>>>>> My sniffer NIC is currently offline, so argus will see 0 packets.
>>>>>>> Argus will log the MAR-status to my output file every minute.
>>>>>>>
>>>>>>> So far everything is good, and similar to argus 3.0.6.
>>>>>>>
>>>>>>> Every 5 minutes I move the output file to an archive dir where it is appended to an hourly file, stripped and sent to another archive, etc.
>>>>>>> This has been working fine for years.
>>>>>>>
>>>>>>> Argus <= 3.0.6 created a new output file in its place.
>>>>>>> Argus 3.0.8 doesn't do this. No new file is created (unless there is flow data on the sniffer port, then a new file is created).
>>>>>>>
>>>>>>> Result:
>>>>>>> My archive files no longer get any MAR-status data for completely silent sensors.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> As I said, this is a minor bug but still annoying. :)
>>>>>>>
>>>>>>> /Elof
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>>
>>>
>>
>
>