[ARGUS] Argus taking libpcap files from stdin

Forgive me if this has already been discussed -- I'm new to the list.

I noticed that the argus program will not take libpcap files from stdin.
For example, if I zcat a compressed tcpdump output file into argus, the
following fails:

	zcat tcp.2004080901.gz | ./argus -r - -w - | gzip > argus.log.gz

In the argus-2.0.6 code, line 228 of server/argus.c has a "fclose(stdin);",
which is keeping this from working.  Any reason this is there, or could we
possibly remove this line so that the above would work?

(I implemented a solution using named pipes, but have trouble getting argus
to exit once the input has finished for some reason).

Thanks!
Bill Guyton

$ diff -u server/argus.c.orig server/argus.c
--- server/argus.c.orig 2004-09-01 03:32:04.000000000 +0000
+++ server/argus.c      2004-09-01 03:44:47.000000000 +0000
 <at>  <at>  -225,7 +225,6  <at>  <at> 
    }

    ArgusProgramName = argv[0];
-   fclose(stdin);

    setArgusFarReportInterval (ARGUS_FARSTATUSTIMER);
    setArgusMarReportInterval (ARGUS_MARSTATUSTIMER);

Re: [ARGUS] Argus taking libpcap files from stdin

On Wed, Sep 01, 2004 at 03:58:54PM +1200, Russell Fulton wrote:

> On Wed, 2004-09-01 at 15:48, Bill Guyton wrote:

> > Forgive me if this has already been discussed -- I'm new to the list.
> > 
> > I noticed that the argus program will not take libpcap files from stdin.
> > For example, if I zcat a compressed tcpdump output file into argus, the
> > following fails:
> > 
> > 	zcat tcp.2004080901.gz | ./argus -r - -w - | gzip > argus.log.gz
> 
> ra will read gz file directly have you tried 
> 
> argus -r tcp.2004080901.gz
> 
> -- 
> Russell Fulton, Information Security Officer, The University of Auckland
> New Zealand

Thanks, Russell!  I didn't know that -- it may come in handy.

Unfortunately, I oversimplified my example.  What I've actually working on
is a tcpdump-like process listening on a live interface that dynamically
adjusts its pcap filter based on certain events.  What I really want to
do is to be able to pipe directly into argus if at all possible and avoid
writing to disk.

Would getting rid of the fclose(stdin) break anything, as far as anyone
knows?

Re: [ARGUS] Argus taking libpcap files from stdin

I responded off list pointing out that ra reads .gz files and that I was
not sure if argus did too.  Bill has come back with more info so I'm
sending this reply to the list.

On Wed, 2004-09-01 at 16:12, Bill Guyton wrote:

> Thanks, Russell!  I didn't know that -- it may come in handy.
>                                                                                 
> Unfortunately, I oversimplified my example.  What I've actually working on
> is a tcpdump-like process listening on a live interface that dynamically
> adjusts its pcap filter based on certain events.  What I really want to
> do is to be able to pipe directly into argus if at all possible and avoid
> writing to disk.
>                                                                           
> Would getting rid of the fclose(stdin) break anything, as far as anyone
> knows?

That's one for Carter I think!

--

-- 
Russell Fulton, Information Security Officer, The University of Auckland
New Zealand

Re: [ARGUS] Argus taking libpcap files from stdin

On Wed, Sep 01, 2004 at 04:51:27PM +1200, Russell Fulton wrote:
> I responded off list pointing out that ra reads .gz files and that I was
> not sure if argus did too.  Bill has come back with more info so I'm
> sending this reply to the list.
> 

I think from memory, argus won't read compressed tcpdump files. I recall
lamenting that fact when I had bogloads of compressed tcpdump files to
conver to argus log files.

regards

Andrew

Re: [ARGUS] Argus taking libpcap files from stdin

On Thu, 2004-09-02 at 01:37, Andrew Pollock wrote:
> On Wed, Sep 01, 2004 at 04:51:27PM +1200, Russell Fulton wrote:
> > I responded off list pointing out that ra reads .gz files and that I was
> > not sure if argus did too.  Bill has come back with more info so I'm
> > sending this reply to the list.
> > 
> 
> I think from memory, argus won't read compressed tcpdump files. I recall
> lamenting that fact when I had bogloads of compressed tcpdump files to
> conver to argus log files.

In that case I think it is time I contributed another patch to the
project ;)  I patched ra and friends long ago to read compressed files.

--

-- 
Russell Fulton, Information Security Officer, The University of Auckland
New Zealand

[ARGUS] Bus Error (core dumped) on Solaris 8

Anyone successfully run ra 2.0.6 (fixes.1) on Sol8? 
Argus appears to work well, but ra dumps core under certain conditions.
I was able to successfully compile ra without any major difficulties 
(make install errors in places). 
ra dumps when attempting to read an Argus file (-r) or stdin.  Likewise 
with the other ra* binaries.
ra does seem to function properly when using the -S option to attach to 
the Argus socket. 

Also,  can anyone explain what the ra -s output "load" and "rate" 
represent and how they are calculated?  I'm interested in monitoring 
latency, loss, and jitter passively in my network using Argus ....
Thanks,
Tate

Re: [ARGUS] Bus Error (core dumped) on Solaris 8

Hey Tate,
   Sounds very similar to problems seen on 64-bit machines.
Argus-2.0.6, unfortunately, is not 64-bit ready, (slated
for argus-2.0.7 which is coming along).  Is this a possibility?

Carter

> From: "C. Tate Baumrucker" <tate.baumrucker <at> callisma.com>
> Date: Tue, 07 Sep 2004 17:11:15 -0400
> To: <argus-info <at> lists.andrew.cmu.edu>
> Subject: [ARGUS] Bus Error (core dumped) on Solaris 8
> 
> Anyone successfully run ra 2.0.6 (fixes.1) on Sol8?
> Argus appears to work well, but ra dumps core under certain conditions.
> I was able to successfully compile ra without any major difficulties
> (make install errors in places).
> ra dumps when attempting to read an Argus file (-r) or stdin.  Likewise
> with the other ra* binaries.
> ra does seem to function properly when using the -S option to attach to
> the Argus socket.
> 
> Also,  can anyone explain what the ra -s output "load" and "rate"
> represent and how they are calculated?  I'm interested in monitoring
> latency, loss, and jitter passively in my network using Argus ....
> Thanks,
> Tate
> 
> 
> 

Re: [ARGUS] Bus Error (core dumped) on Solaris 8

Re: [ARGUS] Bus Error (core dumped) on Solaris 8

[ARGUS] undesirable ra behaviour

	I haven't gotten further than "hmmm, thats undesirable, I should do 
something about that", but ra appears to be spawning zombies on FreeBSD. This
is a perl script running ra against a month's worth of archive files one at a
time. ra appears to be creating a zombie on every invocation. They go away 
when the script ends but the possibility of filling the process table 
presumably exists.

USER     PID  PPID  PGID   SESS JOBC STAT  TT       TIME COMMAND

vanepp   309   295   295 c2d50880    0 Z     ??    0:00.00  (ra)
vanepp   313   295   295 c2d50880    0 Z     ??    0:00.00  (ra)
vanepp   317   295   295 c2d50880    0 Z     ??    0:00.00  (ra)
vanepp   321   295   295 c2d50880    0 Z     ??    0:00.00  (ra)
vanepp   325   295   295 c2d50880    0 Z     ??    0:00.00  (ra)
vanepp   332   295   295 c2d50880    0 Z     ??    0:00.00  (ra)
vanepp   336   295   295 c2d50880    0 Z     ??    0:00.00  (ra)
vanepp   340   295   295 c2d50880    0 Z     ??    0:00.00  (ra)
vanepp   344   295   295 c2d50880    0 Z     ??    0:00.00  (ra)
vanepp   348   295   295 c2d50880    0 Z     ??    0:00.00  (ra)
vanepp   355   295   295 c2d50880    0 Z     ??    0:00.00  (ra)
vanepp   359   295   295 c2d50880    0 Z     ??    0:00.00  (ra)
vanepp   363   295   295 c2d50880    0 Z     ??    0:00.00  (ra)
vanepp   367   295   295 c2d50880    0 Z     ??    0:00.00  (ra)
vanepp   374   295   295 c2d50880    0 Z     ??    0:00.00  (ra)
vanepp   378   295   295 c2d50880    0 Z     ??    0:00.00  (ra)
vanepp   382   295   295 c2d50880    0 Z     ??    0:00.00  (ra)
vanepp   389   295   295 c2d50880    0 Z     ??    0:00.00  (ra)
vanepp   393   295   295 c2d50880    0 Z     ??    0:00.00  (ra)
vanepp   397   295   295 c2d50880    0 Z     ??    0:00.00  (ra)
vanepp   404   295   295 c2d50880    0 Z     ??    0:00.00  (ra)
vanepp   408   295   295 c2d50880    0 Z     ??    0:00.00  (ra)
vanepp   414   295   295 c2d50880    0 Z     ??    0:00.00  (ra)
vanepp   421   295   295 c2d50880    0 Z     ??    0:00.00  (ra)
vanepp   425   295   295 c2d50880    0 Z     ??    0:00.00  (ra)
vanepp   429   295   295 c2d50880    0 Z     ??    0:00.00  (ra)
vanepp   433   295   295 c2d50880    0 Z     ??    0:00.00  (ra)
vanepp   437   295   295 c2d50880    0 Z     ??    0:00.00  (ra)
vanepp   447   295   295 c2d50880    0 Z     ??    0:00.00  (ra)
vanepp   451   295   295 c2d50880    0 Z     ??    0:00.00  (ra)
vanepp   455   295   295 c2d50880    0 Z     ??    0:00.00  (ra)
vanepp   459   295   295 c2d50880    0 Z     ??    0:00.00  (ra)
vanepp   466   295   295 c2d50880    0 Z     ??    0:00.00  (ra)
vanepp   470   295   295 c2d50880    0 Z     ??    0:00.00  (ra)
vanepp   474   295   295 c2d50880    0 Z     ??    0:00.00  (ra)
vanepp   481   295   295 c2d50880    0 Z     ??    0:00.00  (ra)
vanepp   485   295   295 c2d50880    0 Z     ??    0:00.00  (ra)
vanepp   489   295   295 c2d50880    0 Z     ??    0:00.00  (ra)
vanepp   496   295   295 c2d50880    0 Z     ??    0:00.00  (ra)
vanepp   500   295   295 c2d50880    0 Z     ??    0:00.00  (ra)
vanepp   504   295   295 c2d50880    0 Z     ??    0:00.00  (ra)
vanepp   511   295   295 c2d50880    0 Z     ??    0:00.00  (ra)
...

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada