Argus and PF_RING ZC drivers

Carter Bullard carter at qosient.com
Wed Oct 7 23:21:25 EDT 2015


The fastest test of the problem is to change the source so that it assumes that there is no select support.  On line 3841 of ./argus/ArgusSource.c is a place where you can just state that the interface is notselectable.

Change these lines:

#if defined(ARGUS_PLURIBUS)
   int notselectable = 1;
#else
   int notselectable = 0;
#endif

to:

   int notselectable = 1;

and recompile.  This will at least test the hypothesis !!!
If this works, then we can adjust autoconf, Makefile.in, and the code to correct the error where pcap is saying that the interface is selectable when it may not be.

Carter



> On Oct 7, 2015, at 5:18 PM, Craig Merchant <craig.merchant at oracle.com> wrote:
> 
> I’m cc:’ing Luca Deri from NTOP since he has been helping me with this on a thread on the NTOP mailing list.
>  
> I guess the first question to Luca is do the ZC drivers support select()?  
>  
> I’ll be honest, “socket descriptor” talk is a little above my head.  And I’ve run gdb() before, but only with explicit instructions from a vendor.  I’m competent with Linux, but I’m definitely not a ninja.
>  
> I’d appreciate any suggestions.  It’s way beyond the call of duty, but should you feel like doing a webex to do some troubleshooting in my environment, that is an option.
>  
> Thanks again for such great support to the Argus community.
>  
> C
>  
> From: Carter Bullard [mailto:carter at qosient.com] 
> Sent: Wednesday, October 07, 2015 1:15 PM
> To: Craig Merchant
> Cc: Argus
> Subject: Re: [ARGUS] Argus and PF_RING ZC drivers
>  
> Hey Craig,
> In all of that this line is the most important:
>  
> argus[28919.00077a914f7f0000]: 07 Oct 15 19:07:14.203268 ArgusGetPackets: interface  is selectable
>  
> If you are not getting packets, its more than likely because the above statement is incorrect.  If we hang our packet capture socket descriptor on a system select() call, and the interface doesn’t support select(), we’ll not get anything from the descriptor.
>  
> I’ll look at this later tonight and offer some suggestions.
> How are your gdb() skills ???
>  
> Carter
>  
> On Oct 7, 2015, at 3:10 PM, Craig Merchant <craig.merchant at oracle.com> wrote:
>  
> Progress!
> 
> I added the pf_ring and their libpcap libraries to the Makefile and it compiled successfully.  When I start Argus, I don't get any complaints that the hardware interface is unknown.  But I also don't see the "interface up" message.  I ran Argus with -D 4 and this is what I see (interface is zc:10 at 4):
> 
> argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.187410 ArgusNewModeler() returning 0x7f4f94267010
> argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.187508 ArgusNewSource(0x7f4f94267010) returning 0x7f4f933ec010
> argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.187520 ArgusNewQueue () returning 0xcd41b0
> argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.187528 ArgusNewList () returning 0xcd42a0
> argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.187533 ArgusNewList () returning 0xcd4340
> argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.187538 ArgusNewOutput() returning retn 0xcd4050
> argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.187549 setArgusMarReportInterval(60) returning
> argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.187584 setArgusID(0x7f4f933ec010, 0x7ffe529b2612, 0x21) done
> argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.187599 ArgusNewList () returning 0xcd4620
> argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.187606 ArgusParseResourceFile: ArgusBindAddr "(null)"
> argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.187613 setArgusPortNum(561) returning
> argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.187618 clearArgusDevice(0x7f4f933ec010) returning
> argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.187625 ArgusNewList () returning 0xcd46e0
> argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.187633 setArgusDevice(zc:10 at 4) returning
> argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.187672 ArgusParseResourceFile (/etc/argus.conf) returning
> argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.187684 clearArgusDevice(0x7f4f933ec010) returning
> argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.187691 setArgusDevice(zc:10 at 4 ) returning
> argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.187696 setArgusInterfaceStatus(0x7f4f933ec010, 1)
> argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.195096 ArgusGenerateInitialMar() returning
> argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.195135 ArgusEstablishListen(0xcd4050, 0x7ffe529b2600) binding: 10.86.21.22:561 family: 2
> argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.195159 ArgusEstablishListen(0xcd4050, 0x7ffe529b2600) returning 3
> argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.195194 ArgusInitOutput() done
>    ArgusAlert: 07 Oct 15 19:07:14.195209 started
> argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.195223 ArgusNewList () returning 0xd84820
> argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.195233 ArgusCloneSource(0x7f4f933ec010) returning 0x7f4f921c7010
> argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.195239 clearArgusDevice(0x7f4f921c7010) returning
> argus[28919.0027dd924f7f0000]: 07 Oct 15 19:07:14.195246 ArgusOutputProcess(0xcd4050) starting
> argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.202747 Arguslookup_pcap_callback(1) returning 0x40ee9d
> argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.202763 ArgusOpenInterface(0x7f4f921c7010, 'zc:10 at 4') returning 1
> argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.203133 ArgusNewHashTable (65536) returning 0xd95840
> argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.203145 ArgusNewQueue () returning 0xd95900
> argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.203150 ArgusNewQueue () returning 0xd959a0
> argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.203171 ArgusInitModeler(0x7f4f94155010) done
> argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.203176 ArgusInitSource(0x7f4f921c7010) returning 1
> argus[28919.00077a914f7f0000]: 07 Oct 15 19:07:14.203238 ArgusGetPackets (0x7f4f921c7010) starting
> argus[28919.00077a914f7f0000]: 07 Oct 15 19:07:14.203260 setArgusInterfaceStatus(0x7f4f921c7010, 1)
> argus[28919.00077a914f7f0000]: 07 Oct 15 19:07:14.203268 ArgusGetPackets: interface  is selectable
> argus[28919.00077a914f7f0000]: 07 Oct 15 19:07:14.203273 setArgusInterfaceStatus(0x7f4f921c7010, 1)
> argus[28919.00077a914f7f0000]: 07 Oct 15 19:07:14.403498 setArgusInterfaceStatus(0x7f4f921c7010, 1)
> argus[28919.00077a914f7f0000]: 07 Oct 15 19:07:14.904031 setArgusInterfaceStatus(0x7f4f921c7010, 1)
> argus[28919.00077a914f7f0000]: 07 Oct 15 19:07:15.404562 setArgusInterfaceStatus(0x7f4f921c7010, 1)
> 
> Any thoughts on what's happening here?  Let me know if you need a more intense debug output.
> 
> Thanks!
> 
> -----Original Message-----
> From: Carter Bullard [mailto:carter at qosient.com] 
> Sent: Tuesday, October 06, 2015 8:50 PM
> To: Craig Merchant
> Cc: Argus
> Subject: Re: [ARGUS] Argus and PF_RING ZC drivers
> 
> Hey Craig,
> Add your library to the end of the “LIB” variable that’s on line 87 of the ./argus/Makefile (not the Makefile.in).
> On my system the definition of LIB in Makefile is:
> 
> LIB =  ../lib/libpcap.a  $(WRAPLIBS) $(SASLLIBS) $(COMPATLIB) ../lib/argus_common.a -lm 
> 
> Add this to the end…
> 
> LIB =  ../lib/libpcap.a  $(WRAPLIBS) $(SASLLIBS) $(COMPATLIB) ../lib/argus_common.a -lm /opt/PF_RING/userland/lib/libpfring.a
> 
> Hopefully that will work for you ...
> 
> Carter
> 
> 
> 
> On Oct 6, 2015, at 8:11 PM, Craig Merchant <craig.merchant at oracle.com> wrote:
> 
> I’ve looked through the Makefile and I honestly have no idea how to add those libraries to it.  Can you point me in the right direction?
> 
> Thx.
> 
> C
> 
> From: Carter Bullard [mailto:carter at qosient.com]
> Sent: Tuesday, October 06, 2015 3:46 PM
> To: Craig Merchant
> Cc: argus-info at lists.andrew.cmu.edu
> Subject: Re: [ARGUS] Argus and PF_RING ZC drivers
> 
> Hey Craig,
> Just edit the Makefile in ./argus to add the library.  Better to do it by hand that to try to get automaker to figure it out, at least in the short term !!
> You are in uncharted waters for me ... but I'll make any changes needed !!!
> Carter
> 
> 
> 
> Carter Bullard • CTO
> 150 E 57th Street Suite 12D
> New York, New York 10022-2795
> Phone +1.212.588.9133 • Mobile +1.917.497.9494
> 
> On Oct 6, 2015, at 6:30 PM, Craig Merchant <craig.merchant at oracle.com> wrote:
> 
> I did some more digging around…  If I specify /opt/PF_RING/userland/libpcap/libpcap.a instead of just the directory, Argus finds what it needs and will complete the “make” process successfully.
> 
> Luca Deri from NTOP says I need to “ add /opt/PF_RING/userland/lib/libpfring.a after libpcap.a”.  I tried the following:
> 
> ./configure –with-libpcap=/opt/PF_RING/userland/libpcap 
> –with-pfring=/opt/PF_RING/userland/lib/libpfring.a
> 
> But that gives me a warning at the end:
> 
> configure: WARNING: unrecognized options: --with-pfring
> 
> How can I add the pfring files that the developer says are needed?
> 
> Thx.
> 
> C
> 
> From: Craig Merchant
> Sent: Tuesday, October 06, 2015 2:35 PM
> To: argus-info at lists.andrew.cmu.edu
> Subject: Re: [ARGUS] Argus and PF_RING ZC drivers
> 
> I tried compiling the Argus network flow tool against the libpcap libraries from pf_ring:
> 
> ./configure –with-libpcap=/opt/PF_RING/userland/libpcap
> 
> The configure script doesn’t throw any errors, but it doesn’t seem to find everything it wants:
> 
> checking for specified library... 
> /opt/PF_RING/userland/libpcap/libpcap.a
> checking for specified pcap.h... found checking for 
> pcap_list_datalinks... no checking for pcap_set_datalink... no 
> checking for pcap_datalink_name_to_val... no checking for 
> pcap_set_buffer_size... no checking for pcap_fopen_offline... no 
> checking for pcap_get_selectable_fd... no checking for pcap_next_ex... 
> no checking for pcap_dump_ftell... no checking for pcap_dump_flush... 
> no
> 
> Running make, however, throws a ton of errors:
> 
> make[1]: Entering directory `/home/craig.merchant/argus-3.0.8.2.rc.2/argus'
> gcc -O -I. -I/opt/PF_RING/userland/libpcap -I./../include  -DHAVE_CONFIG_H -o ../bin/argus argus.o ArgusModeler.o ArgusSource.o ArgusUtil.o ArgusOutput.o ArgusUdp.o ArgusTcp.o ArgusIcmp.o ArgusIgmp.o ArgusEsp.o ArgusArp.o ArgusFrag.o ArgusUdt.o ArgusLcp.o ArgusIsis.o ArgusAuth.o Argus802.11.o ArgusApp.o ArgusEvents.o ArgusNetflow.o ArgusSflow.o  /opt/PF_RING/userland/libpcap/libpcap.a  -lpthread    -lm ../lib/argus_common.a -lm
> /opt/PF_RING/userland/libpcap/libpcap.a(pcap.o): In function `pcap_breakloop':
> /opt/PF_RING/userland/libpcap/./pcap.c:882: undefined reference to `pfring_breakloop'
> /opt/PF_RING/userland/libpcap/libpcap.a(pcap-linux.o): In function `pcap_read_packet':
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:1628: undefined reference to `pfring_recv'
> /opt/PF_RING/userland/libpcap/libpcap.a(pcap-linux.o): In function `pcap_stats_linux':
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:2071: undefined reference to `pfring_stats'
> /opt/PF_RING/userland/libpcap/libpcap.a(pcap-linux.o): In function `pcap_cleanup_linux':
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:1088: undefined reference to `pfring_close'
> /opt/PF_RING/userland/libpcap/libpcap.a(pcap-linux.o): In function `pcap_setfilter_linux_common':
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:2630: undefined reference to `pfring_get_bound_device_ifindex'
> /opt/PF_RING/userland/libpcap/libpcap.a(pcap-linux.o): In function `pcap_activate_linux':
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:1484: undefined reference to `pfring_enable_ring'
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:1485: undefined reference to `pfring_get_selectable_fd'
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:1316: undefined reference to `pfring_open'
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:1320: undefined reference to `pfring_set_socket_mode'
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:1347: undefined reference to `pfring_set_poll_watermark'
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:1345: undefined reference to `pfring_enable_rss_rehash'
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:1341: undefined reference to `pfring_set_application_name'
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:1325: undefined reference to `pfring_set_cluster'
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:1327: undefined reference to `pfring_set_cluster'
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:1329: undefined reference to `pfring_set_cluster'
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:1331: undefined reference to `pfring_set_cluster'
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:1333: undefined reference to `pfring_set_cluster'
> /opt/PF_RING/userland/libpcap/libpcap.a(pcap-linux.o):/opt/PF_RING/use
> rland/libpcap/./pcap-linux.c:1335: more undefined references to 
> `pfring_set_cluster' follow
> /opt/PF_RING/userland/libpcap/libpcap.a(pcap-linux.o): In function `pcap_get_pfring_id':
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:6377: undefined reference to `pfring_get_ring_id'
> /opt/PF_RING/userland/libpcap/libpcap.a(pcap-linux.o): In function `pcap_set_watermark':
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:6404: undefined reference to `pfring_set_poll_watermark'
> /opt/PF_RING/userland/libpcap/libpcap.a(pcap-linux.o): In function `pcap_setdirection_linux':
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:2733: undefined reference to `pfring_set_direction'
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:2733: undefined reference to `pfring_set_direction'
> /opt/PF_RING/userland/libpcap/libpcap.a(pcap-linux.o): In function `pcap_inject_linux':
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:2018: undefined reference to `pfring_send'
> /opt/PF_RING/userland/libpcap/libpcap.a(pcap-linux.o): In function `pcap_set_appl_name_linux':
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:1502: undefined reference to `pfring_set_application_name'
> /opt/PF_RING/userland/libpcap/libpcap.a(pcap-linux.o): In function `pcap_set_cluster':
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:1508: undefined reference to `pfring_set_cluster'
> /opt/PF_RING/userland/libpcap/libpcap.a(pcap-linux.o): In function `pcap_set_master_id':
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:6383: undefined reference to `pfring_set_master_id'
> /opt/PF_RING/userland/libpcap/libpcap.a(pcap-linux.o): In function `pcap_set_master':
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:6389: undefined reference to `pfring_set_master'
> /opt/PF_RING/userland/libpcap/libpcap.a(pcap-linux.o): In function `pcap_set_application_name':
> /opt/PF_RING/userland/libpcap/./pcap-linux.c:6395: undefined reference to `pfring_set_application_name'
> collect2: error: ld returned 1 exit status
> make[1]: *** [../bin/argus] Error 1
> make[1]: Leaving directory `/home/craig.merchant/argus-3.0.8.2.rc.2/argus'
> ### Done with /home/craig.merchant/argus-3.0.8.2.rc.2/argus
> ### Making in /home/craig.merchant/argus-3.0.8.2.rc.2/events
> make[1]: Entering directory `/home/craig.merchant/argus-3.0.8.2.rc.2/events'
> make[1]: Nothing to be done for `all'.
> make[1]: Leaving directory `/home/craig.merchant/argus-3.0.8.2.rc.2/events'
> ### Done with /home/craig.merchant/argus-3.0.8.2.rc.2/events
> 
> Any ideas what’s happening here?
> 
> Thx.
> 
> C
> 
> From: Alfredo Cardigliano [mailto:cardigliano at ntop.org]
> Sent: Tuesday, October 06, 2015 1:46 PM
> To: ntop-misc at listgateway.unipi.it
> Subject: Re: [Ntop-misc] How to make an application "PF_RING aware"
> 
> Hi Craig
> in order to run a pcap-based application on top of ZC, you need to 
> link it to our pf_ring-aware libpcap, that’s how the tcpdump included in pf_ring works.
> 
> Alfredo
> 
> On 06 Oct 2015, at 21:23, Craig Merchant <craig.merchant at oracle.com> wrote:
> 
> I’ve installed the ZC drivers on an OEL 7 server.  I’ve tried getting both Splunk Stream and Argus to read the ZC interfaces, but neither of them see traffic.  The tcpdump included with the OS can’t see traffic on those interfaces, but the one included with ZC can.
> 
> What does an application developer have to do to make an application see traffic on a ZC interface?  I’m not a developer, so feel free to use small words.  I’m just curious what the process is and how much work is required to add that functionality.
> 
> Thanks.
> 
> C
> _______________________________________________
> Ntop-misc mailing list
> Ntop-misc at listgateway.unipi.it
> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
> 
> 
> -----Original Message-----
> From: Jesse Bowling [mailto:jessebowling at gmail.com]
> Sent: Tuesday, October 06, 2015 9:31 AM
> To: Craig Merchant
> Cc: argus-info at lists.andrew.cmu.edu
> Subject: Re: [ARGUS] Argus and PF_RING ZC drivers
> 
> I'm experiencing a similar issue (at least it also applies to ZC drivers)...In my case I've worked around by having the included tcpdump read the interface, and write output to a FIFO pipe on the filesystem; I then have argus "read" that FIFO and generate data...i.e.:
> 
> mknod -p /tmp/argus
> tcpdump -nn -i zc:99 at 0 -s 1600 -w /tmp/argus argus -F /etc/argus.conf 
> -f -r /tmp/argus
> 
> It works, but I can't speak to the additional load that creates by using a FIFO...
> 
> Craig, you might try quoting your interface command line and using at least argus-3.0.8.2.rc.2...
> 
> Specifically, when I try to specify a ZC interface I I don't get any packets in:
> # argus -D 4 -F /etc/argus.conf -i 'zc:99 at 0'
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041453 
> ArgusNewModeler() returning 0x7fb5c4603010
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041569 
> ArgusNewSource(0x7fb5c4603010) returning 0x7fb5c30dd010
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041586 ArgusNewQueue 
> () returning 0x1a384a0
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041596 ArgusNewList 
> () returning 0x1a38540
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041606 ArgusNewList 
> () returning 0x1a385e0
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041613 
> ArgusNewOutput() returning retn 0x1a37a20
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041633 
> setArgusMarReportInterval(60) returning
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041715 
> setArgusPortNum(561) returning
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041731 ArgusNewList 
> () returning 0x1a388c0
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041741 ArgusParseResourceFile: ArgusBindAddr "(null)"
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041780 
> setArgusMarReportInterval(60) returning
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041847 
> ArgusParseResourceFile (/etc/argus.conf) returning
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041861 
> clearArgusDevice(0x7fb5c30dd010) returning
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041872 ArgusNewList 
> () returning 0x1a38680
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041882 
> setArgusDevice(zc:99 at 0 ) returning
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041890 
> setArgusInterfaceStatus(0x7fb5c30dd010, 1)
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.055180 
> ArgusGenerateInitialMar() returning
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.055246 
> ArgusEstablishListen(0x1a37a20, 0x7ffeb3610200) binding: 127.0.0.1:561 
> family: 2
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.055276 
> ArgusEstablishListen(0x1a37a20, 0x7ffeb3610200) returning 3
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.055322 ArgusInitOutput() done
>    ArgusAlert: 06 Oct 15 11:35:15.055346 started
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.055363 ArgusNewList 
> () returning 0x1ae7de0
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.055376 
> ArgusCloneSource(0x7fb5c30dd010) returning 0x7fb5c22c5010
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.055385 
> clearArgusDevice(0x7fb5c22c5010) returning
> argus[6265.0007edc2b57f0000]: 06 Oct 15 11:35:15.055433 
> ArgusOutputProcess(0x1a37a20) starting
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.064100 
> Arguslookup_pcap_callback(1) returning 0x417b0a
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.064125 
> ArgusOpenInterface(0x7fb5c22c5010, 'zc:99 at 0') returning 1
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.064829 
> ArgusNewHashTable (65536) returning 0x1af8d20
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.064852 ArgusNewQueue 
> () returning 0x1af8de0
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.064862 ArgusNewQueue 
> () returning 0x1af8e80
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.064895 
> ArgusInitModeler(0x7fb5c44f1010) done
> argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.064904 
> ArgusInitSource(0x7fb5c22c5010) returning 1
> argus[6265.00d783c1b57f0000]: 06 Oct 15 11:35:15.064951 
> ArgusGetPackets (0x7fb5c22c5010) starting
> argus[6265.00d783c1b57f0000]: 06 Oct 15 11:35:15.064986 
> setArgusInterfaceStatus(0x7fb5c22c5010, 1)
> argus[6265.00d783c1b57f0000]: 06 Oct 15 11:35:15.065003 
> ArgusGetPackets: interface  is selectable
> argus[6265.00d783c1b57f0000]: 06 Oct 15 11:35:15.065012 
> setArgusInterfaceStatus(0x7fb5c22c5010, 1)
> argus[6265.00d783c1b57f0000]: 06 Oct 15 11:35:15.265347 
> setArgusInterfaceStatus(0x7fb5c22c5010, 1)
> argus[6265.00d783c1b57f0000]: 06 Oct 15 11:35:15.765989 
> setArgusInterfaceStatus(0x7fb5c22c5010, 1)
> argus[6265.00d783c1b57f0000]: 06 Oct 15 11:35:16.266622 
> setArgusInterfaceStatus(0x7fb5c22c5010, 1)
> argus[6265.00d783c1b57f0000]: 06 Oct 15 11:35:16.767294 
> setArgusInterfaceStatus(0x7fb5c22c5010, 1) <snip; last line just 
> repeats indefinitely>
> 
> Cheers,
> 
> Jesse
> 
> 
> On 2015/10/6, at 11:07, Craig Merchant <craig.merchant at oracle.com> wrote:
> 
> Hey, Carter…
> 
> I’m trying to get Argus to recognize my PF_RING ZC interfaces, but it says it can’t find them.
> 
> I see the following at line 4436 of ArgusSource.c:
> 
>   if ((strstr(device->name, "dag")) || (strstr(device->name, "napa")) ||
>       (strstr(device->name, "dna")) || (strstr(device->name, "zc"))   ||
>      ((strstr(device->name, "eth")) && (strstr(device->name, 
> "@")))) {
> 
> It looks to me like you’ve compiled support for both ZC and the old DNA/libzero interfaces into Argus.  I’m running the following ZC client to fan out my network traffic:
> 
> zbalance_ipc -i enp48s0f0,enp48s0f1 -c 10 -n 4,1 -m 1 –d
> 
> That means my interfaces are zc:0, zc:1, zc:2, and zc:3 for the load balanced traffic and zc:4 for the second full copy of the traffic.  Argus doesn’t recognize any of them as valid interfaces:
> 
> ArgusWarning: 05 Oct 15 23:07:12.848794 ArgusOpenInterface zc:10 at 4: 
> SIOCGIFHWADDR: No such device
> 
> The tcpdump that ships with OEL 7 can’t see them either, but the pf_ring aware version that comes with the ZC drivers sees traffic on those interfaces.  
> 
> Is there something I can do to make Argus aware of the pf_ring ZC interfaces?
> 
> Thanks!
> 
> C

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20151007/f2985a22/attachment.html>


More information about the argus mailing list