3 nic max
Luke Whitworth via Argus-info
argus-info at lists.andrew.cmu.edu
Tue Dec 1 03:56:43 EST 2015
Hi Carter,
Many thanks for the quick reply. I'll try and explain what we're doing
but my Linux knowledge only extends to a certain point, so apologies in
advance if at any point I have missed something obvious, done something
silly, or I'm just being dim!
In short the monitoring boxes are a stack of RHEL 6.7, PF_RING, Snort
and Argus. We run Snort using a command similar to */usr/sbin/snort -i
"eth0\;eth1\;eth2\;eth3" -D**... *in order, I'm told by the person who
set it up originally, to let PF_Ring handle the aggregation of packets
from these ports as opposed to Snort. We used to have Argus doing the
same (using version 3.0.6.1), with the argus.conf showing
ARGUS_INTERFACE=eth0;eth1;eth2;eth3, but I've recently had to upgrade
PF_RING and Argus to latest versions and this setup no longer plays nicely.
To attempt to continue using the previous notation for specifying NICs I
edited argus/ArgusSource.c before compile, changing line 4442 to read
*if ((strstr(device->name, "dag")) || (strstr(device->name, ";")) ||*
(replacing napa with the semicolon). This actually appears to be
working fine on one of our hosts which only has two NICS, and works on
the problem host as long as I only pass any combination of three out of
the four NICs, so ARGUS_INTERFACE=eth0;eth1;eth2 works, as does
ARGUS_INTERFACE=eth3;eth2;eth0, but the minute I specify all four
adapters I see*ArgusOpenInterface eth0;eth1;eth2;eth3: No such device
exists*. This is what started me down the three interface maximum
theory! I'm getting round it at the moment by using
"ARGUS_INTERFACE=bond:eth0,eth1,eth2,eth3" in the conf, so all is not
lost, but if possible I'd like to retain the notation that was
previously used if possible. For clarity the Snort instances are still
running using the old notation without incident so I don't believe that
it's a change in PF_Ring that no longer likes this way of bonding
adapters, although I could be way off the mark!
Any suggestions you have will be most warmly welcomed.
Cheers,
Luke
On 27/11/15 17:14, Carter Bullard wrote:
> Hey Luke,
> argus-3.0.8.x should handle up to 64 interface instances, so you
> should not have any interface limits.
> The argus mailing list comment was from 2001, so we’ve come a bit down
> the path since then.
>
> Just load the interfaces you want to monitor into your /etc/argus.conf
> file as ARGUS_INTERFACEs.
> BUT, if you do have any issues, send the actual complaint from argus,
> or its behavior so we can figure out what’s up.
> Hope all is most excellent,
>
> Carter
>
>> On Nov 27, 2015, at 4:47 AM, Luke Whitworth via Argus-info
>> <argus-info at lists.andrew.cmu.edu
>> <mailto:argus-info at lists.andrew.cmu.edu>> wrote:
>>
>> Morning all,
>>
>> I'm trying to compile Argus so it works with four NICs. I've found
>> reference to a 3 interface limit by default
>> (http://comments.gmane.org/gmane.network.argus/1611) but can't find
>> where I can manipulate this during compile. Can anyone point me in
>> the right direction?
>>
>> Cheers,
>>
>> Luke
>> --
>> Luke Whitworth
>> Business Technologies Specialist, Information Services
>> Building 63, Cranfield University, Cranfield, Bedfordshire MK43 0AL
>> W:www.cranfield.ac.uk E:luke.whitworth at cranfield.ac.uk
>> T: +44 (0) 1234 750111 x3556
>>
>> This email and any attachments to it may be confidential and are intended only for the named addressee. If you are not the named addressee, please accept our apology, notify the sender immediately and then delete the email. We request that you do not disclose, use, copy or distribute any information within it.
>> Any opinions expressed are not necessarily the corporate view of Cranfield University. This email is not intended to be contractually binding unless specifically stated and the sender is an authorised University signatory.
>> Whilst we have taken steps to ensure that this email and all attachments are free from any virus, we advise that, in keeping with good computing practice, the recipient should ensure they are actually virus free.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20151201/231de92f/attachment.html>
More information about the argus
mailing list