3 nic max

Carter Bullard via Argus-info argus-info at lists.andrew.cmu.edu
Tue Dec 1 11:20:49 EST 2015 

Hey Luke,
The current code supports using ',' and ' ' as separators for interfaces.  If you want to use ';' as a delimiter, in the file ArgusSource.c, in the routine setArgusDevice(), around line 851, you can add ‘;’ to the strtok() parameters.

p4 diff ArgusSource.c
==== //depot/argus/argus/argus/ArgusSource.c#133 - /Users/carter/argus/argus/argus/ArgusSource.c ====
851c851
<       while ((tok = strtok(ptr, " ,")) != NULL) {
---
>       while ((tok = strtok(ptr, " ,;")) != NULL) {

That should do it.  Give it a try, and send an email, if it works, ….,  or not.

Carter

On Dec 1, 2015, at 3:56 AM, Luke Whitworth <luke.whitworth at cranfield.ac.uk> wrote:

> Hi Carter,
> 
> Many thanks for the quick reply.  I'll try and explain what we're doing but my Linux knowledge only extends to a certain point, so apologies in advance if at any point I have missed something obvious, done something silly, or I'm just being dim! 
> 
> In short the monitoring boxes are a stack of RHEL 6.7, PF_RING, Snort and Argus.  We run Snort using a command similar to /usr/sbin/snort -i "eth0\;eth1\;eth2\;eth3" -D... in order, I'm told by the person who set it up originally, to let PF_Ring handle the aggregation of packets from these ports as opposed to Snort.  We used to have Argus doing the same (using version 3.0.6.1), with the argus.conf showing ARGUS_INTERFACE=eth0;eth1;eth2;eth3, but I've recently had to upgrade PF_RING and Argus to latest versions and this setup no longer plays nicely.
> 
> To attempt to continue using the previous notation for specifying NICs I edited argus/ArgusSource.c before compile, changing line 4442 to read  if ((strstr(device->name, "dag")) || (strstr(device->name, ";")) || (replacing napa with the semicolon).  This actually appears to be working fine on one of our hosts which only has two NICS, and works on the problem host as long as I only pass any combination of three out of the four NICs, so ARGUS_INTERFACE=eth0;eth1;eth2 works, as does ARGUS_INTERFACE=eth3;eth2;eth0, but the minute I specify all four adapters I see ArgusOpenInterface eth0;eth1;eth2;eth3: No such device exists.  This is what started me down the three interface maximum theory!  I'm getting round it at the moment by using "ARGUS_INTERFACE=bond:eth0,eth1,eth2,eth3" in the conf, so all is not lost, but if possible I'd like to retain the notation that was previously used if possible.  For clarity the Snort instances are still running using the old notation without incident so I don't believe that it's a change in PF_Ring that no longer likes this way of bonding adapters, although I could be way off the mark!
> 
> Any suggestions you have will be most warmly welcomed.
> 
> Cheers,
> 
> Luke
> 
> On 27/11/15 17:14, Carter Bullard wrote:
>> Hey Luke,
>> argus-3.0.8.x should handle up to 64 interface instances, so you should not have any interface limits.
>> The argus mailing list comment was from 2001, so we’ve come a bit down the path since then.
>> 
>> Just load the interfaces you want to monitor into your /etc/argus.conf file as ARGUS_INTERFACEs.
>> BUT, if you do have any issues, send the actual complaint from argus, or its behavior so we can figure out what’s up.
>> Hope all is most excellent,
>> 
>> Carter
>>  
>> 
>>> On Nov 27, 2015, at 4:47 AM, Luke Whitworth via Argus-info <argus-info at lists.andrew.cmu.edu> wrote:
>>> 
>>> Morning all,
>>> 
>>> I'm trying to compile Argus so it works with four NICs.  I've found reference to a 3 interface limit by default (http://comments.gmane.org/gmane.network.argus/1611) but can't find where I can manipulate this during compile.  Can anyone point me in the right direction?
>>> 
>>> Cheers,
>>> 
>>> Luke
>>> -- 
>>> Luke Whitworth
>>> Business Technologies Specialist, Information Services
>>> Building 63, Cranfield University, Cranfield, Bedfordshire MK43 0AL
>>> W: 
>>> www.cranfield.ac.uk  E: luke.whitworth at cranfield.ac.uk
>>> 
>>> T: +44 (0) 1234 750111 x3556
>>>  
>>> This email and any attachments to it may be confidential and are intended only for the named addressee. If you are not the named addressee, please accept our apology, notify the sender immediately and then delete the email. We request that you do not disclose, use, copy or distribute any information within it.
>>> Any opinions expressed are not necessarily the corporate view of Cranfield University. This email is not intended to be contractually binding unless specifically stated and the sender is an authorised University signatory.
>>> Whilst we have taken steps to ensure that this email and all attachments are free from any virus, we advise that, in keeping with good computing practice, the recipient should ensure they are actually virus free.
>>> 
>> 
> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6837 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20151201/92b402f8/attachment.bin>

More information about the argus mailing list