Argus on FreeBSD

Eric Kinzie eric at qosient.com
Tue Jul 4 13:29:23 EDT 2017


On Tue Jul 04 13:22:58 -0400 2017, Carter Bullard wrote:
> Hmmm, it does seem very confusing … I suspect you have a few too many radium running …. Important to run only one you know ….
> 
> So, the ArgusInfo is coming from what, argus ????  So radium isn’t compiled with debug turned on ???  (Create a .debug file in the client root directory, ./configure, make etc. ) ...
> 
> Hope you have a great holiday.
> Carter


When I tried this on freebsd, getaddrinfo() returned AF_INET6 for
the address family in the first result.  "localhost" resolves to
127.0.0.1.  This is most likely the problem.  Add "-B 127.0.0.1"
or similar to the radium command line to get an IPv4 listener.

Eric



> > On Jul 4, 2017, at 1:14 PM, Monah Baki <monahbaki at gmail.com> wrote:
> > 
> > root at devsrvr:/usr/local/argus/sbin #   ./radium -XD 4 -S localhost:562 -P 561
> >      ArgusInfo: 04 Jul 17 13:14:01.449596 connect from localhost
> > 
> > 
> > On Tue, Jul 4, 2017 at 1:12 PM, Carter Bullard <carter at qosient.com> wrote:
> > Hey Monah,
> > Seems like it's not either in this case.  I suspect either a firewall rule or a tcp_wrappers issue.
> > You can run radium with -D4 and not the “-d” and let radium tell you what is going on ???
> > 
> >    ./radium -XD 4 -S localhost:562 -P 561
> > 
> > Carter
> > 
> >> On Jul 4, 2017, at 1:08 PM, Monah Baki <monahbaki at gmail.com> wrote:
> >> 
> >> root at devsrvr:/usr/local/argus/bin # cat /etc/radium.conf
> >> RADIUM_CLASSIFIER_FILE=/etc/ralabel.conf
> >> 
> >> 
> >> Added the -X per your request, no luck.
> >> 
> >> root at devsrvr:/usr/local/argus/bin # ps -ax
> >> 59324  -  Ss      0:00.39 ./radium -XS localhost:562 -P 561 -d
> >> 59241  0  S       0:01.43 ./argus -s -m -U 256 -i em0 -P 562 -d
> >> 
> >> 
> >> No results while running, but still getting results on 562
> >>  ./ratop -S localhost:561 -s time saddr sport daddr dport sco dco suser:45 duser:30
> >> 
> >> Monah
> >> 
> >> On Tue, Jul 4, 2017 at 1:00 PM, Carter Bullard <carter at qosient.com> wrote:
> >> Sure there isn’t an /etc/radium.conf file ??
> >> Just to be sure, try putting a ‘X’ as the first argument to radium.
> >> 
> >>    ./radium -XS localhost:562 -P 561 -d
> >> 
> >> Carter
> >> 
> >>> On Jul 4, 2017, at 12:31 PM, Monah Baki <monahbaki at gmail.com> wrote:
> >>> 
> >>> Hi Carter,
> >>> 
> >>> This is what I am running (argus, radium and ratop) on the freebsd locally:
> >>> 
> >>>  ./argus -s -m -U 256 -i em0 -P 562 -d
> >>>  ./radium -S localhost:562 -P 561 -d
> >>> 
> >>> Now if I run on the freebsd locally:
> >>>  ./ratop -S localhost:562 
> >>> I get results
> >>> 
> >>> Else if I run
> >>>  ./ratop -S localhost:561
> >>> No results
> >>> 
> >>> Also if I run:
> >>> ./ratop -S 192.168.1.253:561
> >>> No results
> >>> 
> >>> I get none
> >>> 
> >>> Thanks
> >>> Monah
> >>> 
> >>> 
> >>> On Tue, Jul 4, 2017 at 11:53 AM, Carter Bullard <carter at qosient.com> wrote:
> >>> You need to BIND to localhost, if you want to access via localhost.  If BIND is to a specific address, you’ll need to “-S “ to the address.  If you want to access from localhost and the specific IP address, don’t use BIND … use a firewall to control who can get to argus or radium.  With radium and argus running together, usually argus BINDS to localhost, so anything external to the machine has to go through radium.
> >>> 
> >>> The v6 vs v4 shouldn't really be an issue, both argus and radium put down a “generic” listen down on the port (layer 4), which the os can support on any transport layer it likes (layer 3), so either v4 or v6 works fine.
> >>> 
> >>> All clients will try both v6 and v4 when it tries to get a connection, this is controlled by the os, so it shouldn’t matter.
> >>> 
> >>> Hope all is most excellent,
> >>> Carter
> >>> 
> >>> 
> >>>> On Jul 4, 2017, at 11:38 AM, Monah Baki <monahbaki at gmail.com> wrote:
> >>>> 
> >>>> root     radium     49424 3  tcp6   *:561                 *:*
> >>>> 
> >>>> 
> >>>> On Tue, Jul 4, 2017 at 11:37 AM, mike tancsa <mike at sentex.ca> wrote:
> >>>> 
> >>>> Try
> >>>> sockstat | grep 561
> >>>> 
> >>>> to see what is bound on port 561 as it does not seem to be argus
> >>>> 
> >>>>         ---Mike
> >>>> 
> >>>> On 7/4/2017 11:29 AM, Monah Baki wrote:
> >>>> > root     argus      49407 3  tcp4   192.168.1.253:562     *:*
> >>>> > root     argus      49407 6  udp4   *:*                   *:*
> >>>> > root     argus      49407 7  tcp4   192.168.1.253:562     192.168.1.253:40196
> >>>> >
> >>>> >
> >>>> > In my argus.conf, I did specify the IP address to bind to.
> >>>> > ARGUS_BIND_IP="192.168.1.253"
> >>>> >
> >>>> >
> >>>> >
> >>>> > Thanks
> >>>> > Monah
> >>>> >
> >>>> > On Tue, Jul 4, 2017 at 11:07 AM, Mike Tancsa <mike at sentex.net> wrote:
> >>>> >
> >>>> >     On 7/3/2017 11:42 AM, Monah Baki wrote:
> >>>> >     >
> >>>> >     > Compiled yesterday argus 3.0.8.2 on FreeBSD 10.3-RELEASE-p18. I noticed
> >>>> >     > that running:
> >>>> >     >
> >>>> >     > netstat -an
> >>>> >     > tcp4       0      0 *.562
> >>>> >     > tcp6       0      0 *.561
> >>>> >
> >>>> >     > Is it possible that tcp6 might be the issue, not sure why it's running
> >>>> >     > on tcp6 when in my rc.conf I have the following:
> >>>> >     I usually tell it to bind to a specific IP in my argus config to make it
> >>>> >     more predictable. But what does
> >>>> >
> >>>> >     sockstat | grep argus
> >>>> >
> >>>> >     show ?
> >>>> >
> >>>> >             ---Mike
> >>>> >
> >>>> >
> >>>> >     --
> >>>> >     -------------------
> >>>> >     Mike Tancsa, tel +1 519 651 3400
> >>>> >     Sentex Communications, mike at sentex.net
> >>>> >     Providing Internet services since 1994 www.sentex.net
> >>>> >     Cambridge, Ontario Canada   http://www.tancsa.com/
> >>>> >
> >>>> >
> >>>> 
> >>>> 
> >>> 
> >>> 
> >> 
> >> 
> > 
> > 
> 
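
The address-family mismatch Eric describes at the top of this message can be reproduced with plain sockets. This is an added example, not part of the thread and not argus or radium code: it binds a v6-only wildcard listener (like the `tcp6 *:561` line) and an IPv4 loopback listener (what `-B 127.0.0.1` asks for) on ephemeral ports and tries each from 127.0.0.1. The function names and the forced `IPV6_V6ONLY` setting are assumptions of the example.

```c
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Added illustration, not argus/radium code. Opens a numeric host:port as a
 * listener (passive) or a connected client. IPv6 listeners get IPV6_V6ONLY on,
 * an assumption mirroring FreeBSD's default sysctl net.inet6.ip6.v6only=1. */
static int open_tcp(const char *host, const char *port, int passive) {
    struct addrinfo hints, *ai;
    int fd, rc, on = 1;
    memset(&hints, 0, sizeof(hints));
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_NUMERICHOST | AI_NUMERICSERV;
    if (getaddrinfo(host, port, &hints, &ai) != 0) return -1;
    fd = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
    if (fd >= 0 && passive && ai->ai_family == AF_INET6)
        setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on));
    if (fd < 0) rc = -1;
    else if (passive) rc = bind(fd, ai->ai_addr, ai->ai_addrlen) || listen(fd, 4);
    else rc = connect(fd, ai->ai_addr, ai->ai_addrlen);
    freeaddrinfo(ai);
    if (rc != 0 && fd >= 0) { close(fd); fd = -1; }
    return fd;
}

/* Bind an ephemeral-port listener to bind_addr, then connect the way a client
 * given 127.0.0.1 would. Returns 1 if it connects, 0 if not, -1 on setup error. */
int ipv4_client_reaches(const char *bind_addr) {
    struct sockaddr_storage ss;
    socklen_t len = sizeof(ss);
    char port[8];
    int c, l = open_tcp(bind_addr, "0", 1);
    if (l < 0) return -1;
    if (getsockname(l, (struct sockaddr *)&ss, &len) ||
        getnameinfo((struct sockaddr *)&ss, len, NULL, 0, port, sizeof(port),
                    NI_NUMERICSERV)) { close(l); return -1; }
    c = open_tcp("127.0.0.1", port, 0);
    if (c >= 0) close(c);
    close(l);
    return c >= 0;
}

int main(void) {
    printf("bind ::        client 127.0.0.1 ok=%d\n", ipv4_client_reaches("::"));
    printf("bind 127.0.0.1 client 127.0.0.1 ok=%d\n", ipv4_client_reaches("127.0.0.1"));
    return 0;
}
```

On a running system, `sockstat | grep 561` as used earlier in the thread shows which of the two cases applies: a `tcp6` entry alone or a `tcp4` one.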


