Carter Bullard | 1 May 2002 14:02

RE: listening on multiple interfaces

Hey Jeff,
   Argus has the big performance relevant TCP metrics
in each record.  Besides having bytes, pkts and application bytes,
argus also has retransmitted pkts and bytes, last
advertised window size, last seq number, along with the DS-Bytes,
VLAN tags, etc, so you should be able to do some analysis just
with Argus data.  This data is generated by default, so you've
already got a lot of TCP performance data in your argus archive,
if you've started one.

   Argus can also give you burst timing metrics, if you've got
ARGUS_GENERATE_JITTER_DATA=yes in your argus.conf file.  This
will give you mean, stdev, min and max interpacket arrival times,
for when TCP is in the window (Active) and when it's outside its
window (Idle), so you can see the burst behavior when it's
transmitting and see the inter-window gaps, while it's waiting
for Acks, etc.

   If you're interested in measuring a specific TCP to death,
you can configure argus to generate flow status reports as
often as every millisecond ("-S 0.001") which can give you some
very interesting data, indeed.  And since you only generate
argus data when there is activity, you can leave a sub-second
argus running for extended times.

 Use raxml to print out all the fields.  If you have any
questions, please send more mail!!!

Carter


Carter Bullard | 3 May 2002 16:25

argus-2.0.5.tar.gz available

Gentle people,
   I've uploaded argus-2.0.5 to the dev directory.
This should be the release version of argus-2.0.5.
If you could please take a quick spin of this on your
particular architecture, to make sure that there aren't
any major problems, that would be very much appreciated.
If it passes muster, I'll have the official release
and rpms up on Monday.

ftp://qosient.com/dev/argus-2.0/argus-2.0.5.tar.gz

Thanks for all the efforts!!

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter <at> qosient.com
Phone +1 212 588-9133
Fax   +1 212 588-9134
http://qosient.com

Jeffrey T Eaton | 3 May 2002 16:19

(unknown)

Approved: poeppingargus
>From owner-argus-info Fri May  3 03:17:53 2002
Message-ID: <3CD2399B.5FA7B9E4 <at> 2113.ch>
Date: Fri, 03 May 2002 09:17:47 +0200
From: Luc <luc <at> 2113.ch>
To: argus-info <at> lists.andrew.cmu.edu
Subject: ARGUS and RRDTool

Hi people,
I have done a little work to have ARGUS data reported on a rrdtool graph.
Find an example here:
http://www.raxnet.net/board/viewtopic.php?t=378
I may be able to do a quick tutorial/howto if you need it.

Thanks for your great work !!!
Luc

Harald Koch | 3 May 2002 18:04

Re: argus-2.0.5.tar.gz available

> If you could please take a quick spin of this on your
> particular architecture, to make sure that there aren't
> any major problems, that would be very much appreciated.

(1) I don't know if this is a known problem or not:

configure fails out-of-the-box with RedHat Linux 7.2. Argus has a
dependency on pcap-int.h, which is supposed to be an internal header
file, and is not exported in the libpcap RPM that ships with RH 7.2.

I took pcap-int.h out of several C files; the only one that fails is
common/gencode.c, which appears to be an old version of a file that is
distributed with libpcap.

As an outsider, this situation confuses me, but I guess there must be a
reason for it :-)

I downloaded the libpcap-0.6.2 source tree and built against that, and
everything built fine.

(2) I ran configure --prefix=/home/argus, but "make install" installed the
documentation files in /usr/share/doc/argus-2.0. Bad installer :-)

other than that, argus is working fine on my gateway box...

-- 
Harald Koch     <chk <at> pobox.com>

"It takes a child to raze a village."
		-Michael T. Fry

Carter Bullard | 3 May 2002 18:28

RE: argus-2.0.5.tar.gz available

Hey Harald,
   Thanks for the e-mail.  Yes, there is a problem with RedHat
out of the box, as they don't distribute pcap-int.h.  I'm sure
that someone thinks that programs shouldn't rely on internal
structs, but the fact is that some routines in the libpcap
return references to 'struct pcap', a struct that has some
data that argus uses.  Unfortunately, this struct is defined
in pcap-int.h.

We used to distribute pcap-int.h in the argus
distribution, but the RedHat version, the argus version and
the current libpcap version of pcap-int.h were all different,
which was causing segmentation faults in argus on some
platforms.

   The gencode.c is actually much different from libpcap's.
We use the libpcap filter compiler that is in the libpcap
library to do the packet filtering for argus, but
we have our own filter compiler for argus to filter argus
records on output, which is a much different beast altogether.
Since the syntax is similar, I just borrowed gencode.c and
started from there.

   The INSTALL file is pretty specific about the dependencies,
but I don't make a specific point about RedHat.  Maybe I should?

   Hmmmm, is there a problem with putting the docs in
/usr/share/doc?  That is the standard place, isn't it?
Would you rather it go to /home/argus/doc, /home/argus/share/doc?


Harald Koch | 3 May 2002 19:18

Re: argus-2.0.5.tar.gz available

[ snip ]

Ok, I understand the pcap-int.h issue. Thanks for the detailed
explanation!

>    The INSTALL file is pretty specific about the dependencies,
> but I don't make a specific point about RedHat.  Maybe I should?

Probably a good idea; there are a lot of RedHat users out there :-)

>    Hmmmm, is there a problem with putting the docs in
> /usr/share/doc?  That is the standard place, isn't it?
> Would you rather it go to /home/argus/doc, /home/argus/share/doc?

I generally like to keep distribution software separate from stuff I
build myself; it makes it easier to perform OS upgrades.

I usually expect that if I specify a prefix to configure, everything
gets installed underneath that prefix. The default prefix should be
"/usr/local". To perform a system install (such as in an RPM) I would
use a prefix of "/usr".

So yes, I would expect ${prefix}/doc or ${prefix}/share/doc.

-- 
Harald Koch     <chk <at> pobox.com>

"It takes a child to raze a village."
		-Michael T. Fry


Carter Bullard | 3 May 2002 19:49

RE: argus-2.0.5.tar.gz available

Hey Harald,
  $(prefix)/share/doc it is then.

Thanks,
Carter

> -----Original Message-----
> From: owner-argus-info <at> lists.andrew.cmu.edu 
> [mailto:owner-argus-info <at> lists.andrew.cmu.edu] On Behalf Of 
> Harald Koch
> Sent: Friday, May 03, 2002 1:18 PM
> To: carter <at> qosient.com
> Cc: 'Argus'
> Subject: Re: argus-2.0.5.tar.gz available 
> 
> 
> [ snip ]
> 
> Ok, I understand the pcap-int.h issue. Thanks for the 
> detailed explanation!
> 
> >    The INSTALL file is pretty specific about the 
> dependencies, but I 
> > don't make a specific point about RedHat.  Maybe I should?
> 
> Probably a good idea; there are a lot of RedHat users out there :-)
> 
> >    Hmmmm, is there a problem with putting the docs in 
> /usr/share/doc?  
> > That is the standard place, isn't it? Would you rather it go to 

Yann Berthier | 3 May 2002 20:55

Re: argus-2.0.5.tar.gz available

On Fri, 03 May 2002, Carter Bullard wrote:

> Gentle people,
>    I've uploaded argus-2.0.5 to the dev directory.
> This should be the release version of argus-2.0.5.
> If you could please take a quick spin of this on your
> particular architecture, to make sure that there aren't
> any major problems, that would be very much appreciated.
> If it passes muster, I'll have the official release
> and rpms up on Monday.
> 
> ftp://qosient.com/dev/argus-2.0/argus-2.0.5.tar.gz

   Hi Carter,

   The configure script fails to find the pcap headers on my system (in
   a rather standard location indeed: /usr/include ;-) ).

   Except this point, Argus seems to run fine for now. Nice work, as
   usual.

   Regards,

   - yann 

-- 
   Yann.Berthier <at> hsc.fr -*- HSC -*- http://www.hsc.fr/

Carter Bullard | 3 May 2002 21:05

RE: argus-2.0.5.tar.gz available

Hey Yann,
   Thanks!  I've got the fixes done and I'll be uploading again
in a few minutes.

Carter

> -----Original Message-----
> From: owner-argus-info <at> lists.andrew.cmu.edu 
> [mailto:owner-argus-info <at> lists.andrew.cmu.edu] On Behalf Of 
> Yann Berthier
> Sent: Friday, May 03, 2002 2:56 PM
> To: Argus
> Subject: Re: argus-2.0.5.tar.gz available
> 
> 
> On Fri, 03 May 2002, Carter Bullard wrote:
> 
> > Gentle people,
> >    I've uploaded argus-2.0.5 to the dev directory.
> > This should be the release version of argus-2.0.5.
> > If you could please take a quick spin of this on your particular 
> > architecture, to make sure that there aren't any major 
> problems, that 
> > would be very much appreciated. If it passes muster, I'll have the 
> > official release and rpms up on Monday.
> > 
> > ftp://qosient.com/dev/argus-2.0/argus-2.0.5.tar.gz
> 
>    Hi Carter,
> 

Carter Bullard | 6 May 2002 15:03

RedHat and debian libpcap problems

Hey Russell,
   Yes, you should install libpcap from source.  The
seg faulting problem that Argus was having on RedHat 7.2,
was due to a libpcap version mismatch.  Both libpcap-0.6.x
and libpcap-0.7.x appear to have the same PCAP_VERSION_MAJOR
and PCAP_VERSION_MINOR numbers, 2.4,  but the definition
of "struct pcap" changed between these two versions.  
"struct pcap" is returned by the routine pcap_open_live(),
and contains important stuff like the interface's file
descriptor, and other very important stuff like the name of
the device that was opened, etc....

Unfortunately, neither RedHat nor debian are distributing
the include file, pcap-int.h, that defines "struct pcap".
I have no idea why they are not distributing this file.  I
can imagine that someone may be trying to enforce some kind
of interface separation, but that just makes the job harder.

So, to avoid the seg fault, Argus needs to understand which
version of "struct pcap" is being used.

Sorry for the inconvenience.

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022
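
Added example (not part of the original messages, and not Argus or libpcap code): the header/library mismatch discussed in the pcap-int.h replies and in the message above, reduced to two constructed struct layouts that would report the same version number. The struct definitions, field names and the lib_*/app_* functions are hypothetical stand-ins, not the real "struct pcap".

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed layouts for illustration; NOT the real libpcap definitions. */
struct pcap_old {   /* what the application's stale pcap-int.h declares */
    int fd;
    int snapshot;
    int linktype;
};

struct pcap_new {   /* what the installed library was built with */
    int fd;
    int bufsize;    /* field added in the newer release (hypothetical) */
    int snapshot;
    int linktype;
};

static struct pcap_new lib_handle;

/* "Library" side: fills in its own layout and hands back an opaque pointer. */
void *lib_open_live(int fd, int snaplen)
{
    lib_handle = (struct pcap_new){ fd, 32768, snaplen, 1 };
    return &lib_handle;
}

/* Accessor compiled with the library, so it always matches the layout. */
int lib_snapshot(const void *p)
{
    return ((const struct pcap_new *)p)->snapshot;
}

/* Application side: reads "snapshot" at the offset its stale header gives. */
int app_snapshot_stale(const void *p)
{
    int v;
    memcpy(&v, (const char *)p + offsetof(struct pcap_old, snapshot), sizeof v);
    return v;
}

int main(void)
{
    void *p = lib_open_live(3, 96);
    printf("accessor: %d  stale header: %d\n", lib_snapshot(p), app_snapshot_stale(p));
    return 0;
}
```

The stale read returns the neighbouring field's value without any error. When the misread field is a pointer, such as a device name, the same mistake can yield a bogus address and a crash on dereference.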
