Argus and PF_RING ZC drivers
Craig Merchant
craig.merchant at oracle.com
Mon Oct 12 14:23:41 EDT 2015
I tried disabling the select support, but Argus still couldn’t read anything of the pf_ring interface…
Thanks for everyone’s help giving this a shot!
C
From: Alfredo Cardigliano [mailto:cardigliano at ntop.org]
Sent: Sunday, October 11, 2015 2:07 AM
To: Carter Bullard
Cc: Luca Deri; Craig Merchant; Argus
Subject: Re: [ARGUS] Argus and PF_RING ZC drivers
Hi Carter
I had a look at ArgusSource.c, adding native pf_ring support would mess up the code
because pcap calls are mixed with the processing code and a lot of “if” are needed.
I do not know if it is worth the effort decoupling the packet capture part from the
processing part, in the same way the snort daq does. Probably improving the pfring
support through the pcap API would be enough.
Craig, did you try disabling the select support as recommended by Carter? If it solved
the issue I have a starting point for fixing the problem.
Thank you
Alfredo
On 09 Oct 2015, at 20:02, Carter Bullard <HYPERLINK "mailto:carter at qosient.com"carter at qosient.com> wrote:
Hey Luca,
Thanks for the email !!! Our source module has a lot of strategies for different sources, but we don’t have anything specific for PF_RING. We could use some real suggestions for handling pf_ring.
I don’t know if you would have an easy or difficult time working with the existing ./argus/ArgusSource.c routines, but if you have an interest, look at the approach we have in argus-3.0.8.2.rc.2 (http://qosient.com/argus/dev/argus-3.0.8.2.rc.2.tar.gz) for using pcap_next_ex(), and or pcap_dispatch(). If you have some suggestions, I’d be happy to incorporate them in argus. In our design, we can read many interfaces at a time, where the packets from different interfaces are treated independently for flow tracking or can be bound together based on some rules; such as these 2 interfaces are bonded, or these 2 interfaces represent 2 half duplex directions of a full duplex path .... That causes us to use a different approach than just a simple libpcap approach, but it shouldn’t be too difficult to follow what we’re doing.
Any suggestions (other than "this sucks") would be most appreciated !!!
Hope all is most excellent !!!!!
Carter
On Oct 8, 2015, at 3:40 PM, Luca Deri <HYPERLINK "mailto:deri at ntop.org"deri at ntop.org> wrote:
Hi all,
please let us know if you need support on our side and if you would be happy us to add native PF_RING support in Argus.
Regards Luca
On 08 Oct 2015, at 05:21, Carter Bullard <HYPERLINK "mailto:carter at qosient.com"carter at qosient.com> wrote:
The fastest test of the problem is to change the source so that it assumes that there is no select support. On line 3841 of ./argus/ArgusSource.c is a place where you can just state that the interface is notselectable.
Change these lines:
#if defined(ARGUS_PLURIBUS)
int notselectable = 1;
#else
int notselectable = 0;
#endif
to:
int notselectable = 1;
and recompile. This will at least test the hypothesis !!!
If this works, then we can adjust autoconf, Makefile.in, and the code to correct the error where pcap is saying that the interface is selectable when it may not be.
Carter
On Oct 7, 2015, at 5:18 PM, Craig Merchant <HYPERLINK "mailto:craig.merchant at oracle.com"craig.merchant at oracle.com> wrote:
I’m cc:’ing Luca Deri from NTOP since he has been helping me with this on a thread on the NTOP mailing list.
I guess the first question to Luca is do the ZC drivers support select()?
I’ll be honest, “socket descriptor” talk is a little above my head. And I’ve run gdb() before, but only with explicit instructions from a vendor. I’m competent with Linux, but I’m definitely not a ninja.
I’d appreciate any suggestions. It’s way beyond the call of duty, but should you feel like doing a webex to do some troubleshooting in my environment, that is an option.
Thanks again for such great support to the Argus community.
C
From: Carter Bullard [mailto:carter at qosient.com]
Sent: Wednesday, October 07, 2015 1:15 PM
To: Craig Merchant
Cc: Argus
Subject: Re: [ARGUS] Argus and PF_RING ZC drivers
Hey Craig,
In all of that this line is the most important:
argus[28919.00077a914f7f0000]: 07 Oct 15 19:07:14.203268 ArgusGetPackets: interface is selectable
If you are not getting packets, its more than likely because the above statement is incorrect. If we hang our packet capture socket descriptor on a system select() call, and the interface doesn’t support select(), we’ll not get anything from the descriptor.
I’ll look at this later tonight and offer some suggestions.
How are your gdb() skills ???
Carter
On Oct 7, 2015, at 3:10 PM, Craig Merchant <HYPERLINK "mailto:craig.merchant at oracle.com"craig.merchant at oracle.com> wrote:
Progress!
I added the pf_ring and their libpcap libraries to the Makefile and it compiled successfully. When I start Argus, I don't get any complaints that the hardware interface is unknown. But I also don't see the "interface up" message. I ran Argus with -D 4 and this is what I see (interface is zc:10 at 4):
argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.187410 ArgusNewModeler() returning 0x7f4f94267010
argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.187508 ArgusNewSource(0x7f4f94267010) returning 0x7f4f933ec010
argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.187520 ArgusNewQueue () returning 0xcd41b0
argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.187528 ArgusNewList () returning 0xcd42a0
argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.187533 ArgusNewList () returning 0xcd4340
argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.187538 ArgusNewOutput() returning retn 0xcd4050
argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.187549 setArgusMarReportInterval(60) returning
argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.187584 setArgusID(0x7f4f933ec010, 0x7ffe529b2612, 0x21) done
argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.187599 ArgusNewList () returning 0xcd4620
argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.187606 ArgusParseResourceFile: ArgusBindAddr "(null)"
argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.187613 setArgusPortNum(561) returning
argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.187618 clearArgusDevice(0x7f4f933ec010) returning
argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.187625 ArgusNewList () returning 0xcd46e0
argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.187633 setArgusDevice(zc:10 at 4) returning
argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.187672 ArgusParseResourceFile (/etc/argus.conf) returning
argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.187684 clearArgusDevice(0x7f4f933ec010) returning
argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.187691 setArgusDevice(zc:10 at 4 ) returning
argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.187696 setArgusInterfaceStatus(0x7f4f933ec010, 1)
argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.195096 ArgusGenerateInitialMar() returning
argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.195135 ArgusEstablishListen(0xcd4050, 0x7ffe529b2600) binding: 10.86.21.22:561 family: 2
argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.195159 ArgusEstablishListen(0xcd4050, 0x7ffe529b2600) returning 3
argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.195194 ArgusInitOutput() done
ArgusAlert: 07 Oct 15 19:07:14.195209 started
argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.195223 ArgusNewList () returning 0xd84820
argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.195233 ArgusCloneSource(0x7f4f933ec010) returning 0x7f4f921c7010
argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.195239 clearArgusDevice(0x7f4f921c7010) returning
argus[28919.0027dd924f7f0000]: 07 Oct 15 19:07:14.195246 ArgusOutputProcess(0xcd4050) starting
argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.202747 Arguslookup_pcap_callback(1) returning 0x40ee9d
argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.202763 ArgusOpenInterface(0x7f4f921c7010, 'zc:10 at 4') returning 1
argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.203133 ArgusNewHashTable (65536) returning 0xd95840
argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.203145 ArgusNewQueue () returning 0xd95900
argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.203150 ArgusNewQueue () returning 0xd959a0
argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.203171 ArgusInitModeler(0x7f4f94155010) done
argus[28919.40872e944f7f0000]: 07 Oct 15 19:07:14.203176 ArgusInitSource(0x7f4f921c7010) returning 1
argus[28919.00077a914f7f0000]: 07 Oct 15 19:07:14.203238 ArgusGetPackets (0x7f4f921c7010) starting
argus[28919.00077a914f7f0000]: 07 Oct 15 19:07:14.203260 setArgusInterfaceStatus(0x7f4f921c7010, 1)
argus[28919.00077a914f7f0000]: 07 Oct 15 19:07:14.203268 ArgusGetPackets: interface is selectable
argus[28919.00077a914f7f0000]: 07 Oct 15 19:07:14.203273 setArgusInterfaceStatus(0x7f4f921c7010, 1)
argus[28919.00077a914f7f0000]: 07 Oct 15 19:07:14.403498 setArgusInterfaceStatus(0x7f4f921c7010, 1)
argus[28919.00077a914f7f0000]: 07 Oct 15 19:07:14.904031 setArgusInterfaceStatus(0x7f4f921c7010, 1)
argus[28919.00077a914f7f0000]: 07 Oct 15 19:07:15.404562 setArgusInterfaceStatus(0x7f4f921c7010, 1)
Any thoughts on what's happening here? Let me know if you need a more intense debug output.
Thanks!
-----Original Message-----
From: Carter Bullard [mailto:carter at qosient.com]
Sent: Tuesday, October 06, 2015 8:50 PM
To: Craig Merchant
Cc: Argus
Subject: Re: [ARGUS] Argus and PF_RING ZC drivers
Hey Craig,
Add your library to the end of the “LIB” variable that’s on line 87 of the ./argus/Makefile (not the Makefile.in).
On my system the definition of LIB in Makefile is:
LIB = ../lib/libpcap.a $(WRAPLIBS) $(SASLLIBS) $(COMPATLIB) ../lib/argus_common.a -lm
Add this to the end…
LIB = ../lib/libpcap.a $(WRAPLIBS) $(SASLLIBS) $(COMPATLIB) ../lib/argus_common.a -lm /opt/PF_RING/userland/lib/libpfring.a
Hopefully that will work for you ...
Carter
On Oct 6, 2015, at 8:11 PM, Craig Merchant <HYPERLINK "mailto:craig.merchant at oracle.com"craig.merchant at oracle.com> wrote:
I’ve looked through the Makefile and I honestly have no idea how to add those libraries to it. Can you point me in the right direction?
Thx.
C
From: Carter Bullard [mailto:carter at qosient.com]
Sent: Tuesday, October 06, 2015 3:46 PM
To: Craig Merchant
Cc: HYPERLINK "mailto:argus-info at lists.andrew.cmu.edu"argus-info at lists.andrew.cmu.edu
Subject: Re: [ARGUS] Argus and PF_RING ZC drivers
Hey Craig,
Just edit the Makefile in ./argus to add the library. Better to do it by hand that to try to get automaker to figure it out, at least in the short term !!
You are in uncharted waters for me ... but I'll make any changes needed !!!
Carter
Carter Bullard • CTO
150 E 57th Street Suite 12D
New York, New York 10022-2795
Phone +1.212.588.9133 • Mobile +1.917.497.9494
On Oct 6, 2015, at 6:30 PM, Craig Merchant <HYPERLINK "mailto:craig.merchant at oracle.com"craig.merchant at oracle.com> wrote:
I did some more digging around… If I specify /opt/PF_RING/userland/libpcap/libpcap.a instead of just the directory, Argus finds what it needs and will complete the “make” process successfully.
Luca Deri from NTOP says I need to “ add /opt/PF_RING/userland/lib/libpfring.a after libpcap.a”. I tried the following:
./configure –with-libpcap=/opt/PF_RING/userland/libpcap
–with-pfring=/opt/PF_RING/userland/lib/libpfring.a
But that gives me a warning at the end:
configure: WARNING: unrecognized options: --with-pfring
How can I add the pfring files that the developer says are needed?
Thx.
C
From: Craig Merchant
Sent: Tuesday, October 06, 2015 2:35 PM
To: HYPERLINK "mailto:argus-info at lists.andrew.cmu.edu"argus-info at lists.andrew.cmu.edu
Subject: Re: [ARGUS] Argus and PF_RING ZC drivers
I tried compiling the Argus network flow tool against the libpcap libraries from pf_ring:
./configure –with-libpcap=/opt/PF_RING/userland/libpcap
The configure script doesn’t throw any errors, but it doesn’t seem to find everything it wants:
checking for specified library...
/opt/PF_RING/userland/libpcap/libpcap.a
checking for specified pcap.h... found checking for
pcap_list_datalinks... no checking for pcap_set_datalink... no
checking for pcap_datalink_name_to_val... no checking for
pcap_set_buffer_size... no checking for pcap_fopen_offline... no
checking for pcap_get_selectable_fd... no checking for pcap_next_ex...
no checking for pcap_dump_ftell... no checking for pcap_dump_flush...
no
Running make, however, throws a ton of errors:
make[1]: Entering directory `/home/craig.merchant/argus-3.0.8.2.rc.2/argus'
gcc -O -I. -I/opt/PF_RING/userland/libpcap -I./../include -DHAVE_CONFIG_H -o ../bin/argus argus.o ArgusModeler.o ArgusSource.o ArgusUtil.o ArgusOutput.o ArgusUdp.o ArgusTcp.o ArgusIcmp.o ArgusIgmp.o ArgusEsp.o ArgusArp.o ArgusFrag.o ArgusUdt.o ArgusLcp.o ArgusIsis.o ArgusAuth.o Argus802.11.o ArgusApp.o ArgusEvents.o ArgusNetflow.o ArgusSflow.o /opt/PF_RING/userland/libpcap/libpcap.a -lpthread -lm ../lib/argus_common.a -lm
/opt/PF_RING/userland/libpcap/libpcap.a(pcap.o): In function `pcap_breakloop':
/opt/PF_RING/userland/libpcap/./pcap.c:882: undefined reference to `pfring_breakloop'
/opt/PF_RING/userland/libpcap/libpcap.a(pcap-linux.o): In function `pcap_read_packet':
/opt/PF_RING/userland/libpcap/./pcap-linux.c:1628: undefined reference to `pfring_recv'
/opt/PF_RING/userland/libpcap/libpcap.a(pcap-linux.o): In function `pcap_stats_linux':
/opt/PF_RING/userland/libpcap/./pcap-linux.c:2071: undefined reference to `pfring_stats'
/opt/PF_RING/userland/libpcap/libpcap.a(pcap-linux.o): In function `pcap_cleanup_linux':
/opt/PF_RING/userland/libpcap/./pcap-linux.c:1088: undefined reference to `pfring_close'
/opt/PF_RING/userland/libpcap/libpcap.a(pcap-linux.o): In function `pcap_setfilter_linux_common':
/opt/PF_RING/userland/libpcap/./pcap-linux.c:2630: undefined reference to `pfring_get_bound_device_ifindex'
/opt/PF_RING/userland/libpcap/libpcap.a(pcap-linux.o): In function `pcap_activate_linux':
/opt/PF_RING/userland/libpcap/./pcap-linux.c:1484: undefined reference to `pfring_enable_ring'
/opt/PF_RING/userland/libpcap/./pcap-linux.c:1485: undefined reference to `pfring_get_selectable_fd'
/opt/PF_RING/userland/libpcap/./pcap-linux.c:1316: undefined reference to `pfring_open'
/opt/PF_RING/userland/libpcap/./pcap-linux.c:1320: undefined reference to `pfring_set_socket_mode'
/opt/PF_RING/userland/libpcap/./pcap-linux.c:1347: undefined reference to `pfring_set_poll_watermark'
/opt/PF_RING/userland/libpcap/./pcap-linux.c:1345: undefined reference to `pfring_enable_rss_rehash'
/opt/PF_RING/userland/libpcap/./pcap-linux.c:1341: undefined reference to `pfring_set_application_name'
/opt/PF_RING/userland/libpcap/./pcap-linux.c:1325: undefined reference to `pfring_set_cluster'
/opt/PF_RING/userland/libpcap/./pcap-linux.c:1327: undefined reference to `pfring_set_cluster'
/opt/PF_RING/userland/libpcap/./pcap-linux.c:1329: undefined reference to `pfring_set_cluster'
/opt/PF_RING/userland/libpcap/./pcap-linux.c:1331: undefined reference to `pfring_set_cluster'
/opt/PF_RING/userland/libpcap/./pcap-linux.c:1333: undefined reference to `pfring_set_cluster'
/opt/PF_RING/userland/libpcap/libpcap.a(pcap-linux.o):/opt/PF_RING/use
rland/libpcap/./pcap-linux.c:1335: more undefined references to
`pfring_set_cluster' follow
/opt/PF_RING/userland/libpcap/libpcap.a(pcap-linux.o): In function `pcap_get_pfring_id':
/opt/PF_RING/userland/libpcap/./pcap-linux.c:6377: undefined reference to `pfring_get_ring_id'
/opt/PF_RING/userland/libpcap/libpcap.a(pcap-linux.o): In function `pcap_set_watermark':
/opt/PF_RING/userland/libpcap/./pcap-linux.c:6404: undefined reference to `pfring_set_poll_watermark'
/opt/PF_RING/userland/libpcap/libpcap.a(pcap-linux.o): In function `pcap_setdirection_linux':
/opt/PF_RING/userland/libpcap/./pcap-linux.c:2733: undefined reference to `pfring_set_direction'
/opt/PF_RING/userland/libpcap/./pcap-linux.c:2733: undefined reference to `pfring_set_direction'
/opt/PF_RING/userland/libpcap/libpcap.a(pcap-linux.o): In function `pcap_inject_linux':
/opt/PF_RING/userland/libpcap/./pcap-linux.c:2018: undefined reference to `pfring_send'
/opt/PF_RING/userland/libpcap/libpcap.a(pcap-linux.o): In function `pcap_set_appl_name_linux':
/opt/PF_RING/userland/libpcap/./pcap-linux.c:1502: undefined reference to `pfring_set_application_name'
/opt/PF_RING/userland/libpcap/libpcap.a(pcap-linux.o): In function `pcap_set_cluster':
/opt/PF_RING/userland/libpcap/./pcap-linux.c:1508: undefined reference to `pfring_set_cluster'
/opt/PF_RING/userland/libpcap/libpcap.a(pcap-linux.o): In function `pcap_set_master_id':
/opt/PF_RING/userland/libpcap/./pcap-linux.c:6383: undefined reference to `pfring_set_master_id'
/opt/PF_RING/userland/libpcap/libpcap.a(pcap-linux.o): In function `pcap_set_master':
/opt/PF_RING/userland/libpcap/./pcap-linux.c:6389: undefined reference to `pfring_set_master'
/opt/PF_RING/userland/libpcap/libpcap.a(pcap-linux.o): In function `pcap_set_application_name':
/opt/PF_RING/userland/libpcap/./pcap-linux.c:6395: undefined reference to `pfring_set_application_name'
collect2: error: ld returned 1 exit status
make[1]: *** [../bin/argus] Error 1
make[1]: Leaving directory `/home/craig.merchant/argus-3.0.8.2.rc.2/argus'
### Done with /home/craig.merchant/argus-3.0.8.2.rc.2/argus
### Making in /home/craig.merchant/argus-3.0.8.2.rc.2/events
make[1]: Entering directory `/home/craig.merchant/argus-3.0.8.2.rc.2/events'
make[1]: Nothing to be done for `all'.
make[1]: Leaving directory `/home/craig.merchant/argus-3.0.8.2.rc.2/events'
### Done with /home/craig.merchant/argus-3.0.8.2.rc.2/events
Any ideas what’s happening here?
Thx.
C
From: Alfredo Cardigliano [mailto:cardigliano at ntop.org]
Sent: Tuesday, October 06, 2015 1:46 PM
To: HYPERLINK "mailto:ntop-misc at listgateway.unipi.it"ntop-misc at listgateway.unipi.it
Subject: Re: [Ntop-misc] How to make an application "PF_RING aware"
Hi Craig
in order to run a pcap-based application on top of ZC, you need to
link it to our pf_ring-aware libpcap, that’s how the tcpdump included in pf_ring works.
Alfredo
On 06 Oct 2015, at 21:23, Craig Merchant <HYPERLINK "mailto:craig.merchant at oracle.com"craig.merchant at oracle.com> wrote:
I’ve installed the ZC drivers on an OEL 7 server. I’ve tried getting both Splunk Stream and Argus to read the ZC interfaces, but neither of them see traffic. The tcpdump included with the OS can’t see traffic on those interfaces, but the one included with ZC can.
What does an application developer have to do to make an application see traffic on a ZC interface? I’m not a developer, so feel free to use small words. I’m just curious what the process is and how much work is required to add that functionality.
Thanks.
C
_______________________________________________
Ntop-misc mailing list
HYPERLINK "mailto:Ntop-misc at listgateway.unipi.it"Ntop-misc at listgateway.unipi.it
http://listgateway.unipi.it/mailman/listinfo/ntop-misc
-----Original Message-----
From: Jesse Bowling [mailto:jessebowling at gmail.com]
Sent: Tuesday, October 06, 2015 9:31 AM
To: Craig Merchant
Cc: HYPERLINK "mailto:argus-info at lists.andrew.cmu.edu"argus-info at lists.andrew.cmu.edu
Subject: Re: [ARGUS] Argus and PF_RING ZC drivers
I'm experiencing a similar issue (at least it also applies to ZC drivers)...In my case I've worked around by having the included tcpdump read the interface, and write output to a FIFO pipe on the filesystem; I then have argus "read" that FIFO and generate data...i.e.:
mknod -p /tmp/argus
tcpdump -nn -i zc:99 at 0 -s 1600 -w /tmp/argus argus -F /etc/argus.conf
-f -r /tmp/argus
It works, but I can't speak to the additional load that creates by using a FIFO...
Craig, you might try quoting your interface command line and using at least argus-3.0.8.2.rc.2...
Specifically, when I try to specify a ZC interface I I don't get any packets in:
# argus -D 4 -F /etc/argus.conf -i 'zc:99 at 0'
argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041453
ArgusNewModeler() returning 0x7fb5c4603010
argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041569
ArgusNewSource(0x7fb5c4603010) returning 0x7fb5c30dd010
argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041586 ArgusNewQueue
() returning 0x1a384a0
argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041596 ArgusNewList
() returning 0x1a38540
argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041606 ArgusNewList
() returning 0x1a385e0
argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041613
ArgusNewOutput() returning retn 0x1a37a20
argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041633
setArgusMarReportInterval(60) returning
argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041715
setArgusPortNum(561) returning
argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041731 ArgusNewList
() returning 0x1a388c0
argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041741 ArgusParseResourceFile: ArgusBindAddr "(null)"
argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041780
setArgusMarReportInterval(60) returning
argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041847
ArgusParseResourceFile (/etc/argus.conf) returning
argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041861
clearArgusDevice(0x7fb5c30dd010) returning
argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041872 ArgusNewList
() returning 0x1a38680
argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041882
setArgusDevice(zc:99 at 0 ) returning
argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.041890
setArgusInterfaceStatus(0x7fb5c30dd010, 1)
argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.055180
ArgusGenerateInitialMar() returning
argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.055246
ArgusEstablishListen(0x1a37a20, 0x7ffeb3610200) binding: 127.0.0.1:561
family: 2
argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.055276
ArgusEstablishListen(0x1a37a20, 0x7ffeb3610200) returning 3
argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.055322 ArgusInitOutput() done
ArgusAlert: 06 Oct 15 11:35:15.055346 started
argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.055363 ArgusNewList
() returning 0x1ae7de0
argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.055376
ArgusCloneSource(0x7fb5c30dd010) returning 0x7fb5c22c5010
argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.055385
clearArgusDevice(0x7fb5c22c5010) returning
argus[6265.0007edc2b57f0000]: 06 Oct 15 11:35:15.055433
ArgusOutputProcess(0x1a37a20) starting
argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.064100
Arguslookup_pcap_callback(1) returning 0x417b0a
argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.064125
ArgusOpenInterface(0x7fb5c22c5010, 'zc:99 at 0') returning 1
argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.064829
ArgusNewHashTable (65536) returning 0x1af8d20
argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.064852 ArgusNewQueue
() returning 0x1af8de0
argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.064862 ArgusNewQueue
() returning 0x1af8e80
argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.064895
ArgusInitModeler(0x7fb5c44f1010) done
argus[6265.404768c4b57f0000]: 06 Oct 15 11:35:15.064904
ArgusInitSource(0x7fb5c22c5010) returning 1
argus[6265.00d783c1b57f0000]: 06 Oct 15 11:35:15.064951
ArgusGetPackets (0x7fb5c22c5010) starting
argus[6265.00d783c1b57f0000]: 06 Oct 15 11:35:15.064986
setArgusInterfaceStatus(0x7fb5c22c5010, 1)
argus[6265.00d783c1b57f0000]: 06 Oct 15 11:35:15.065003
ArgusGetPackets: interface is selectable
argus[6265.00d783c1b57f0000]: 06 Oct 15 11:35:15.065012
setArgusInterfaceStatus(0x7fb5c22c5010, 1)
argus[6265.00d783c1b57f0000]: 06 Oct 15 11:35:15.265347
setArgusInterfaceStatus(0x7fb5c22c5010, 1)
argus[6265.00d783c1b57f0000]: 06 Oct 15 11:35:15.765989
setArgusInterfaceStatus(0x7fb5c22c5010, 1)
argus[6265.00d783c1b57f0000]: 06 Oct 15 11:35:16.266622
setArgusInterfaceStatus(0x7fb5c22c5010, 1)
argus[6265.00d783c1b57f0000]: 06 Oct 15 11:35:16.767294
setArgusInterfaceStatus(0x7fb5c22c5010, 1) <snip; last line just
repeats indefinitely>
Cheers,
Jesse
On 2015/10/6, at 11:07, Craig Merchant <HYPERLINK "mailto:craig.merchant at oracle.com"craig.merchant at oracle.com> wrote:
Hey, Carter…
I’m trying to get Argus to recognize my PF_RING ZC interfaces, but it says it can’t find them.
I see the following at line 4436 of ArgusSource.c:
if ((strstr(device->name, "dag")) || (strstr(device->name, "napa")) ||
(strstr(device->name, "dna")) || (strstr(device->name, "zc")) ||
((strstr(device->name, "eth")) && (strstr(device->name,
"@")))) {
It looks to me like you’ve compiled support for both ZC and the old DNA/libzero interfaces into Argus. I’m running the following ZC client to fan out my network traffic:
zbalance_ipc -i enp48s0f0,enp48s0f1 -c 10 -n 4,1 -m 1 –d
That means my interfaces are zc:0, zc:1, zc:2, and zc:3 for the load balanced traffic and zc:4 for the second full copy of the traffic. Argus doesn’t recognize any of them as valid interfaces:
ArgusWarning: 05 Oct 15 23:07:12.848794 ArgusOpenInterface zc:10 at 4:
SIOCGIFHWADDR: No such device
The tcpdump that ships with OEL 7 can’t see them either, but the pf_ring aware version that comes with the ZC drivers sees traffic on those interfaces.
Is there something I can do to make Argus aware of the pf_ring ZC interfaces?
Thanks!
C
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20151012/e00592f9/attachment.html>
More information about the argus
mailing list