Minor bug in argus 3.0.8 - no new out file created

elof2 at sentor.se elof2 at sentor.se
Tue May 26 05:28:31 EDT 2015 

(Late reply)

This bug is fixed.

The out file is now created (with MAR records) even if argus see no 
traffic at all.

Thanks.

/Elof


On Mon, 27 Oct 2014, elof2 at sentor.se wrote:

>
> Hi Carter!
>
> Thanks for the attention.
> As i wrote, this is such a minor issue that currently I don't have the time 
> to compile and test a new version.
>
> But I'll add it on my todo for work on the train ride home. :)
>
> /Elof
>
>
> On Mon, 27 Oct 2014, Carter Bullard wrote:
>
>> Hey /Elof,
>> OK, the argus output process has a notion of the global time,
>> which is set at startup and then updated in a loop in the
>> routine ArgusOutputProcess().  It maybe in your case this
>> timestamp is not being set properly, as we have some conditionals
>> around this timestamp.
>> 
>> We check to see if we need to generate a status record in the
>> routine ArgusOutputStatusTime(), it maybe that you should
>> update the ArgusGlobalTime in that routine ??..??..??
>> 
>> Give this patch a try, just to see if it does what you want.
>> 
>> Carter
>> 
>> 
>> thoth:argus carter$ p4 diff -dc ArgusOutput.c
>> ==== //depot/argus/argus/argus/ArgusOutput.c#80 - 
>> /Volumes/Users/carter/argus/argus/argus/ArgusOutput.c ====
>> ***************
>> *** 462,467 ****
>> --- 462,468 ----
>>  {
>>     int retn = 0;
>> 
>> +    gettimeofday (&output->ArgusGlobalTime, 0L);
>>
>>     if ((output->ArgusReportTime.tv_sec  < output->ArgusGlobalTime.tv_sec) 
>> ||
>>        ((output->ArgusReportTime.tv_sec == output->ArgusGlobalTime.tv_sec) 
>> &&
>> 
>> 
>> 
>> 
>> On Oct 20, 2014, at 11:28 AM, Carter Bullard <carter at qosient.com> wrote:
>> 
>>> Hey /Elof,
>>> OK, looking at the code, nothing jumps out.
>>> Let me see if I can replicate the problem here.
>>> 
>>> Carter
>>> 
>>> On Oct 20, 2014, at 11:04 AM, elof2 at sentor.se wrote:
>>> 
>>>> 
>>>> The interface is up, but the link is down OR there are zero packets 
>>>> mirrored to the port. I.e. the NIC is completely silent.
>>>> 
>>>> 
>>>> mon0 is silent.
>>>> I start argus and the out.log is created.
>>>> Every minute, MAR-status is appended to it.
>>>> So far everything is ok.
>>>> 
>>>> If I now run 'rm out.log', a new out.log won't be created in 3.0.8 while 
>>>> it was created in 3.0.6.
>>>> 
>>>> 
>>>> 
>>>> Yes. When packets start to arrive, argus immediately creates the out.log 
>>>> file.
>>>> 
>>>> 
>>>> Not a laptop, it's a sensor that monitor a network environment that I 
>>>> don't control myself. So if they do a shutdown on the SPAN port, or if 
>>>> they monitor an equipment that has been turned off, or if they reset the 
>>>> switch and loose the SPAN-configuration so that nothing gets mirrored 
>>>> (and there's no spanning tree, Cisco Discovery Protocol or anything else 
>>>> that generates packets on the SPAN port), or when there's simply a long 
>>>> period of complete silence... then you get zero packets on the 
>>>> ARGUS_INTERFACE.
>>>> 
>>>> /Elof
>>>> 
>>>> 
>>>> On Mon, 20 Oct 2014, Carter Bullard wrote:
>>>> 
>>>>> So, the interface is up, but no traffic, or the interface is down ???
>>>>> When traffic does arrive, does argus just wake up, create the file
>>>>> and process packets ???
>>>>> 
>>>>> So is this a laptop that is going to sleep, or is this just
>>>>> a long period of no packets showing up ??
>>>>> 
>>>>> Carter
>>>>> 
>>>>> On Oct 17, 2014, at 4:20 AM, elof2 at sentor.se wrote:
>>>>> 
>>>>>> 
>>>>>> This is the full argus.conf:
>>>>>> 
>>>>>> ARGUS_MONITOR_ID=1.2.3.4
>>>>>> ARGUS_INTERFACE=mon0
>>>>>> ARGUS_OUTPUT_FILE=/usr/foobar/log/out.log
>>>>>> ARGUS_MAR_STATUS_INTERVAL=60
>>>>>> ARGUS_DAEMON=yes
>>>>>> ARGUS_ACCESS_PORT=0
>>>>>> ARGUS_GENERATE_MAC_DATA=yes
>>>>>> ARGUS_CAPTURE_DATA_LEN=120
>>>>>> ARGUS_FILTER=""
>>>>>> 
>>>>>> I'm running on FreeBSD.
>>>>>> 
>>>>>> "mon0" is my sniffer-NIC.
>>>>>> 
>>>>>> As long as argus see traffic on mon0, /usr/foobar/log/out.log is always 
>>>>>> recreated after I yank away the file from beneath the argus daemon's 
>>>>>> feet. However, if mon0 is completely silent, the file isn't recreated 
>>>>>> (and filled with a MAR-status entry every minute).
>>>>>> 
>>>>>> /Elof
>>>>>> 
>>>>>> 
>>>>>> On Thu, 16 Oct 2014, Carter Bullard wrote:
>>>>>> 
>>>>>>> Checking this out now, now.  Assuming argus.conf file ...
>>>>>>> What is the ARGUS_INTERFACE defined to be ???
>>>>>>> Is there a ARGUS_MONITOR_ID defined ...
>>>>>>> 
>>>>>>> Carter
>>>>>>> 
>>>>>>> On Oct 15, 2014, at 9:28 AM, elof2 at sentor.se wrote:
>>>>>>> 
>>>>>>>> 
>>>>>>>> Hi Carter!
>>>>>>>> 
>>>>>>>> Something seem to have changed between 3.0.6 and 3.0.8 regarding the 
>>>>>>>> recreation of the ARGUS_OUTPUT_FILE.
>>>>>>>> 
>>>>>>>> 
>>>>>>>> I have ARGUS_MAR_STATUS_INTERVAL=60.
>>>>>>>> My sniffer NIC is currently offline, so argus will see 0 packets.
>>>>>>>> Argus will log the MAR-status to my output file every minute.
>>>>>>>> 
>>>>>>>> So far everything is good, and simillar to argus 3.0.6.
>>>>>>>> 
>>>>>>>> Every 5 minutes I move the output file to an archive dir where it is 
>>>>>>>> appended to an hourly file, stripped and sent to another archive, 
>>>>>>>> etc.
>>>>>>>> This has been working fine for years.
>>>>>>>> 
>>>>>>>> Argus =< 3.0.6 created a new output file in its place.
>>>>>>>> Argus 3.0.8 don't do this. No new file is created (unless there are 
>>>>>>>> flow data on the sniffer port, then a new file is created).
>>>>>>>> 
>>>>>>>> Result:
>>>>>>>> My archive files no longer get any MAR-status data for completely 
>>>>>>>> silent sensors.
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> As I said, this is a minor bug but still annoying. :)
>>>>>>>> 
>>>>>>>> /Elof
>>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>> 
>>>>> 
>>>>> 
>>>> 
>>> 
>> 
>> 
>

More information about the argus mailing list