Argus and PF_RING ZC drivers

Jesse Bowling jessebowling at gmail.com
Tue Oct 6 12:31:29 EDT 2015 

I'm experiencing a similar issue (at least it also applies to ZC drivers)...In my case I've worked around by having the included tcpdump read the interface, and write output to a FIFO pipe on the filesystem; I then have argus "read" that FIFO and generate data...i.e.:

mknod -p /tmp/argus
tcpdump -nn -i zc:99 at 0 -s 1600 -w /tmp/argus
argus -F /etc/argus.conf -f -r /tmp/argus

It works, but I can't speak to the additional load that creates by using a FIFO...

Craig, you might try quoting your interface command line and using at least argus-3.0.8.2.rc.2...

Specifically, when I try to specify a ZC interface I I don't get any packets in:
# argus -D 4 -F /etc/argus.conf -i 'zc:99 at 0'
argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041453 ArgusNewModeler() returning 0x7fb5c4603010
argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041569 ArgusNewSource(0x7fb5c4603010) returning 0x7fb5c30dd010
argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041586 ArgusNewQueue () returning 0x1a384a0
argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041596 ArgusNewList () returning 0x1a38540
argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041606 ArgusNewList () returning 0x1a385e0
argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041613 ArgusNewOutput() returning retn 0x1a37a20
argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041633 setArgusMarReportInterval(60) returning
argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041715 setArgusPortNum(561) returning
argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041731 ArgusNewList () returning 0x1a388c0
argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041741 ArgusParseResourceFile: ArgusBindAddr "(null)"
argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041780 setArgusMarReportInterval(60) returning
argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041847 ArgusParseResourceFile (/etc/argus.conf) returning
argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041861 clearArgusDevice(0x7fb5c30dd010) returning
argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041872 ArgusNewList () returning 0x1a38680
argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041882 setArgusDevice(zc:99 at 0 ) returning
argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041890 setArgusInterfaceStatus(0x7fb5c30dd010, 1)
argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.055180 ArgusGenerateInitialMar() returning
argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.055246 ArgusEstablishListen(0x1a37a20, 0x7ffeb3610200) binding: 127.0.0.1:561 family: 2
argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.055276 ArgusEstablishListen(0x1a37a20, 0x7ffeb3610200) returning 3
argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.055322 ArgusInitOutput() done
    ArgusAlert: 06 Oct 15 11:35:15.055346 started
argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.055363 ArgusNewList () returning 0x1ae7de0
argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.055376 ArgusCloneSource(0x7fb5c30dd010) returning 0x7fb5c22c5010
argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.055385 clearArgusDevice(0x7fb5c22c5010) returning
argus[6265.0007edc2b57f0000]: 06 Oct 15 11:35:15.055433 ArgusOutputProcess(0x1a37a20) starting
argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.064100 Arguslookup_pcap_callback(1) returning 0x417b0a
argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.064125 ArgusOpenInterface(0x7fb5c22c5010, 'zc:99 at 0') returning 1
argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.064829 ArgusNewHashTable (65536) returning 0x1af8d20
argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.064852 ArgusNewQueue () returning 0x1af8de0
argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.064862 ArgusNewQueue () returning 0x1af8e80
argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.064895 ArgusInitModeler(0x7fb5c44f1010) done
argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.064904 ArgusInitSource(0x7fb5c22c5010) returning 1
argus[6265.00d783c1b57f0000]: 06 Oct 15 11:35:15.064951 ArgusGetPackets (0x7fb5c22c5010) starting
argus[6265.00d783c1b57f0000]: 06 Oct 15 11:35:15.064986 setArgusInterfaceStatus(0x7fb5c22c5010, 1)
argus[6265.00d783c1b57f0000]: 06 Oct 15 11:35:15.065003 ArgusGetPackets: interface  is selectable
argus[6265.00d783c1b57f0000]: 06 Oct 15 11:35:15.065012 setArgusInterfaceStatus(0x7fb5c22c5010, 1)
argus[6265.00d783c1b57f0000]: 06 Oct 15 11:35:15.265347 setArgusInterfaceStatus(0x7fb5c22c5010, 1)
argus[6265.00d783c1b57f0000]: 06 Oct 15 11:35:15.765989 setArgusInterfaceStatus(0x7fb5c22c5010, 1)
argus[6265.00d783c1b57f0000]: 06 Oct 15 11:35:16.266622 setArgusInterfaceStatus(0x7fb5c22c5010, 1)
argus[6265.00d783c1b57f0000]: 06 Oct 15 11:35:16.767294 setArgusInterfaceStatus(0x7fb5c22c5010, 1)
<snip; last line just repeats indefinitely>

Cheers,

Jesse

> On 2015/10/6, at 11:07, Craig Merchant <craig.merchant at oracle.com> wrote:
> 
> Hey, Carter…
>  
> I’m trying to get Argus to recognize my PF_RING ZC interfaces, but it says it can’t find them.
>  
> I see the following at line 4436 of ArgusSource.c:
>  
>    if ((strstr(device->name, "dag")) || (strstr(device->name, "napa")) ||
>        (strstr(device->name, "dna")) || (strstr(device->name, "zc"))   ||
>       ((strstr(device->name, "eth")) && (strstr(device->name, "@")))) {
>  
> It looks to me like you’ve compiled support for both ZC and the old DNA/libzero interfaces into Argus.  I’m running the following ZC client to fan out my network traffic:
>  
> zbalance_ipc -i enp48s0f0,enp48s0f1 -c 10 -n 4,1 -m 1 –d
>  
> That means my interfaces are zc:0, zc:1, zc:2, and zc:3 for the load balanced traffic and zc:4 for the second full copy of the traffic.  Argus doesn’t recognize any of them as valid interfaces:
>  
> ArgusWarning: 05 Oct 15 23:07:12.848794 ArgusOpenInterface zc:10 at 4: SIOCGIFHWADDR: No such device
>  
> The tcpdump that ships with OEL 7 can’t see them either, but the pf_ring aware version that comes with the ZC drivers sees traffic on those interfaces.  
>  
> Is there something I can do to make Argus aware of the pf_ring ZC interfaces?
> 
> Thanks!
>  
> C

More information about the argus mailing list