[ARGUS] argus5 radium and FreeBSD 13

mike tancsa mike at sentex.ca
Wed Oct 1 16:35:38 EDT 2025


Hi Carter,

     I don't get any output.  This is indeed with argus v5 and clients v5. My radium config is


RADIUM_DEBUG_LEVEL=9
RADIUM_MAR_STATUS_INTERVAL=60
RADIUM_ARGUS_SERVER=10.111.111.45:561
RADIUM_OUTPUT_FILE=/argus-work/border5.arg

./radium -f ./border.conf

I don't get any debug output however.  If I comment out RADIUM_DEBUG_LEVEL=6 and start with same deal

./radium -D 6 -f ./border.conf


tcpdump shows traffic being sent to radium

16:21:47.009891 IP 192.168.129.252.65439 > 10.111.111.45.561: Flags [S], seq 738628393, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 637469515 ecr 0], length 0
16:21:47.009898 IP 10.111.111.45.561 > 192.168.129.252.65439: Flags [S.], seq 2451415652, ack 738628394, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 3715939512 ecr 637469515], length 0
16:21:47.010013 IP 192.168.129.252.65439 > 10.111.111.45.561: Flags [.], ack 1, win 1027, options [nop,nop,TS val 637469515 ecr 3715939512], length 0
16:21:47.035742 IP 10.111.111.45.561 > 192.168.129.252.65439: Flags [P.], seq 1:129, ack 1, win 1027, options [nop,nop,TS val 3715939538 ecr 637469515], length 128
16:21:47.036061 IP 192.168.129.252.65439 > 10.111.111.45.561: Flags [P.], seq 1:38, ack 129, win 1027, options [nop,nop,TS val 637469541 ecr 3715939538], length 37
16:21:47.036164 IP 10.111.111.45.561 > 192.168.129.252.65439: Flags [P.], seq 129:401, ack 38, win 1027, options [nop,nop,TS val 3715939538 ecr 637469541], length 272
16:21:47.036825 IP 10.111.111.45.561 > 192.168.129.252.65439: Flags [P.], seq 401:1969, ack 38, win 1027, options [nop,nop,TS val 3715939539 ecr 637469541], length 1568
16:21:47.036846 IP 10.111.111.45.561 > 192.168.129.252.65439: Flags [P.], seq 1969:3537, ack 38, win 1027, options [nop,nop,TS val 3715939539 ecr 637469541], length 1568
16:21:47.036866 IP 10.111.111.45.561 > 192.168.129.252.65439: Flags [P.], seq 3537:5161, ack 38, win 1027, options [nop,nop,TS val 3715939539 ecr 637469541], length 1624
16:21:47.036887 IP 10.111.111.45.561 > 192.168.129.252.65439: Flags [P.], seq 5161:6797, ack 38, win 1027, options [nop,nop,TS val 3715939539 ecr 637469541], length 1636
16:21:47.036907 IP 10.111.111.45.561 > 192.168.129.252.65439: Flags [P.], seq 6797:8345, ack 38, win 1027, options [nop,nop,TS val 3715939539 ecr 637469541], length 1548
16:21:47.036921 IP 192.168.129.252.65439 > 10.111.111.45.561: Flags [.], ack 1849, win 1001, options [nop,nop,TS val 637469542 ecr 3715939538], length 0
16:21:47.036923 IP 192.168.129.252.65439 > 10.111.111.45.561: Flags [.], ack 3417, win 977, options [nop,nop,TS val 637469542 ecr 3715939539], length 0
16:21:47.036928 IP 10.111.111.45.561 > 192.168.129.252.65439: Flags [P.], seq 8345:9849, ack 38, win 1027, options [nop,nop,TS val 3715939539 ecr 637469542], length 1504
16:21:47.036943 IP 10.111.111.45.561 > 192.168.129.252.65439: Flags [P.], seq 9849:11365, ack 38, win 1027, options [nop,nop,TS val 3715939539 ecr 637469542], length 1516
16:21:47.036964 IP 192.168.129.252.65439 > 10.111.111.45.561: Flags [.], ack 4985, win 953, options [nop,nop,TS val 637469542 ecr 3715939539], length 0
16:21:47.036971 IP 10.111.111.45.561 > 192.168.129.252.65439: Flags [P.], seq 11365:12861, ack 38, win 1027, options [nop,nop,TS val 3715939539 ecr 637469542], length 1496
16:21:47.036986 IP 10.111.111.45.561 > 192.168.129.252.65439: Flags [P.], seq 12861:14353, ack 38, win 1027, options [nop,nop,TS val 3715939539 ecr 637469542], length 1492
16:21:47.037004 IP 10.111.111.45.561 > 192.168.129.252.65439: Flags [P.], seq 14353:15905, ack 38, win 1027, options [nop,nop,TS val 3715939539 ecr 637469542], length 1552
16:21:47.037024 IP 10.111.111.45.561 > 192.168.129.252.65439: Flags [P.], seq 15905:17541, ack 38, win 1027, options [nop,nop,TS val 3715939539 ecr 637469542], length 1636


  hexdump /argus-work/border5.arg
0000000 0000 2000 0000 0000 0000 0000 0000 0000
0000010 0000 0000 0000 0000 dd68 5b8d 0000 9d37
0000020 dd68 5b8d 0000 a637 0000 0000 0000 0000
0000030 0000 0000 0000 0000 0000 0000 0000 0000
*
0000070 0000 0000 0000 0000 0000 0000 ffff ffff
0000080

The collector on 10.111.111.45

./argus -v | head
Argus Version 5.0.0
usage: argus [options] [-i interface] [filter-expression]
usage: argus [options]  -r packetfile [filter-expression]

options: -A                      Generate application byte metrics.
          -b                      dump filter compiler output.
          -B <addr[,addr]>        specify bind interface address(s).
          -c <dir>                daemon chroot directory.
          -C                      run in control plane monitoring mode.
          -d                      run Argus in daemon mode.


built

./configure --without-gcc --prefix=/usr/local --without-sasl --without-examples CFLAGS="-g -O0"
gmake

file radium
radium: ELF 64-bit LSB executable, x86-64, version 1 (FreeBSD), dynamically linked, interpreter /libexec/ld-elf.so.1, for FreeBSD 13.5 (1305502), FreeBSD-style, with debug_info, not stripped

     ---Mike

On 9/27/2025 4:05 PM, Carter Bullard wrote:
> Hey Mike,
> Sorry for the delayed response …
> Looks normal (except for all the missing libraries and files).  You connect to the remote argus source, send a START record, and you read the remote's Init Argus Record.
> But you then don’t seem to do anything.
>
> Is it possible that you are using argus v3 radium, but trying to read argus v5 data ?
> They are incompatible, and the local client will drop the connection.
>
> I would run the local radium with "-D 6" option … if compiled with the debug option,  it should say a few things about what it gets from the remote radium.
> If, on the other hand, it’s the case where you are expecting v5 records but getting v3, there is an option in the radium.conf file that you may want to change.
>
> Carter
>
>> On Sep 22, 2025, at 10:58 AM, mike tancsa <mike at sentex.ca> wrote:
>>
>> Has anyone gotten to work argus5 along with radium on FreeBSD 13 ? I started up the argus5 sensor on the FreeBSD box. argus5 seems to output ok to a local file. But when I get radium to try and attach from another host, nothing gets written on the radium side of things.  I can see the argus5 sensor sending data to the remote host.  From the truss output, it seems to be some threading issue (thread 618765 exited)?
>>
>>      ---Mike
>> <truss.txt>

