Carter Bullard | 2 Sep 15:49

Re: Getting total traffic counts for a specific host

Hey David,
Sorry for the delayed response, just got back from vacation.

I would use rabins() to generate 6 hour bins of the data for your specific
machine.  Because you want metrics that apply to a single object, you'll
need to use the "rmon" option, to convert bi-directional flow data (which
involves two objects: the source and the destination) into RMON style
data, that involves only one object.  And you will only want to process
just the data that matches your host's IP address or ethernet address,
depending on what you want to count.

This should do it for IP traffic:

    1.  rabins -M rmon -m saddr -M time 6h -R /path/to/data/2008/month \
               -w /tmp/argus.host.out - ip and host x.y.z.w

       A little explanation.  rabins(), with these options, will process all the
       data in a given month that involved ip host x.y.z.w.  The "-M rmon" option
       will condition the flow records so that aggregating the data based on just
       one of the IP addresses ("-m saddr") in the flow record, generates useful
       data.  And the scope of the aggregation will be 6 hour bins ("-M time 6h").

       We write the output of rabins() into a temporary file "-w /tmp/

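As an added example, not code from the list or from the argus distribution, the C sketch below models what the rabins pipeline above computes: the "-M rmon" view credits every flow to the single host it involves, whichever side of the flow the host is on, and "-M time 6h" accumulates those per-host counts into six-hour bins. The flow struct, the sample flows and the addresses in them are constructed for the example, and summing both directions of a flow into the host's totals is this example's assumption about RMON-style accounting, not a description of argus internals.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BIN_SECS (6 * 3600)   /* the "-M time 6h" bin width */
/* Simplified bi-directional flow (constructed layout, not Argus's real one). */
typedef struct {
    const char *saddr, *daddr;
    uint32_t start;                         /* flow start, seconds since epoch */
    uint64_t spkts, dpkts, sbytes, dbytes;  /* src->dst and dst->src counts */
} flow_t;
typedef struct { uint32_t bin_start; uint64_t pkts, bytes; } bin_t;

/* RMON-style totals for one host: keep a flow only if the host is either endpoint
 * (the "host x.y.z.w" filter), credit both directions to the host, and accumulate
 * into bins aligned to BIN_SECS. Returns the number of bins filled, or -1. */
int rmon_bins(const flow_t *f, int n, const char *host, bin_t *out, int max)
{
    int nb = 0;
    for (int i = 0; i < n; i++) {
        if (strcmp(f[i].saddr, host) != 0 && strcmp(f[i].daddr, host) != 0)
            continue;
        uint32_t b = f[i].start - f[i].start % BIN_SECS;   /* bin boundary */
        int j = 0; while (j < nb && out[j].bin_start != b) j++;
        if (j == nb) {
            if (nb == max) return -1;
            out[nb].bin_start = b; out[nb].pkts = out[nb].bytes = 0; nb++;
        }
        out[j].pkts  += f[i].spkts  + f[i].dpkts;
        out[j].bytes += f[i].sbytes + f[i].dbytes;
    }
    return nb;
}

/* Constructed sample; 1220400000 is a 6-hour boundary (a multiple of 21600). */
static const flow_t SAMPLE[] = {
    {"10.0.0.5",     "192.0.2.1", 1220400100,  10,   8, 1000, 4000},
    {"198.51.100.7", "10.0.0.5",  1220420000,   5,   5,  500,  500},
    {"10.0.0.5",     "192.0.2.2", 1220430000,   3,   0,  300,    0},
    {"192.0.2.1",    "192.0.2.2", 1220400050, 100, 100,    1,    1}, /* filtered out */
};
bin_t SAMPLE_BINS[8];
/* Bin the sample for host 10.0.0.5, print each bin, return the bin count. */
int compute_sample(void)
{
    int nb = rmon_bins(SAMPLE, 4, "10.0.0.5", SAMPLE_BINS, 8);
    for (int i = 0; i < nb; i++)
        printf("bin %u: %llu pkts, %llu bytes\n", (unsigned)SAMPLE_BINS[i].bin_start,
               (unsigned long long)SAMPLE_BINS[i].pkts, (unsigned long long)SAMPLE_BINS[i].bytes);
    return nb;
}
```

The fourth sample flow never touches the host and is dropped by the filter, which is why only two bins come out.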
Michael Grinnell | 3 Sep 21:45

Argus 3.0 dies in daemon mode

Hi,

I'm upgrading to Argus 3.0.  I have installed the version from April 18, 2008.
When I run it in foreground mode, it works fine, but when I try and start it
as a daemon, it seems to die.  There is no seg fault and there are no messages
in /var/log/messages.  OS is CentOS release 5.2 (Final) (Linux
2.6.18-92.1.10.el5 #1 SMP Tue Aug 5 07:41:53 EDT 2008 i686 i686 i386 GNU/Linux)

/var/log/messages:
Sep  3 15:33:31 argus kernel: device eth1 entered promiscuous mode
Sep  3 15:33:31 argus kernel: device eth1 left promiscuous mode

-D 8 gives the following output.
[root <at> argus argus-3.0.0]# ./bin/argus -F /etc/argus.conf -d -D 8
argus[21915]: 03 Sep 08 15:33:31.481669 ArgusCalloc (1, 704) returning 0xa003008
argus[21915]: 03 Sep 08 15:33:31.481794 ArgusCalloc (1, 40) returning 0xa003328
argus[21915]: 03 Sep 08 15:33:31.481811 ArgusNewList () returning 0xa003328
argus[21915]: 03 Sep 08 15:33:31.481829 ArgusCalloc (1, 20) returning 0xa003358
argus[21915]: 03 Sep 08 15:33:31.481849 ArgusCalloc (65536, 4) returning 0xb7ee2008
argus[21915]: 03 Sep 08 15:33:31.481865 ArgusNewHashTable (65536) returning 0xa003358
argus[21915]: 03 Sep 08 15:33:31.481882 ArgusCalloc (1, 104) returning 0xa003370
argus[21915]: 03 Sep 08 15:33:31.481897 ArgusCalloc (1, 64) returning

Carter Bullard | 3 Sep 22:30

Re: Argus 3.0 dies in daemon mode

Hey Michael,
When argus goes into daemon mode, it closes stdout and stderr,
and the debug output stops (no place for it to go), so if there is an
error that causes argus to exit, but doesn't generate an ArgusLog
message, you will not see the error message.

Does this work at all?

     ./bin/argus -F /etc/argus.conf -D8 &

Try the argus-3.0.1 that is in the ftp://qosient.com/dev/argus-3.0
directory to see if things are any better.

Carter

On Sep 3, 2008, at 3:45 PM, Michael Grinnell wrote:

> Hi,
>
> I'm upgrading to Argus 3.0.  I have installed the version from April  
> 18, 2008.  When I run it in foreground mode, it works fine, but when  
> I try and start it as a daemon, it seems to die.  There is no seg  
> fault and there are no messages in /var/log/messages.  OS is CentOS  
> release 5.2 (Final) (Linux 2.6.18-92.1.10.el5 #1 SMP Tue Aug 5  
> 07:41:53 EDT 2008 i686 i686 i386 GNU/Linux)
>
> /var/log/messages:
> Sep  3 15:33:31 argus kernel: device eth1 entered promiscuous mode
> Sep  3 15:33:31 argus kernel: device eth1 left promiscuous mode
>

Michael Grinnell | 3 Sep 22:40

Re: Argus 3.0 dies in daemon mode

Carter,

./bin/argus -F /etc/argus.conf -D8 & works fine.  I'll try the dev version
this evening and let you know.

Thanks,
Michael

On Sep 3, 2008, at 4:30 PM, Carter Bullard wrote:

> Hey Michael,
> When argus goes into daemon mode, it closes stdout and stderr,
> and the debug output stops (no place for it to go), so if there is an
> error that causes argus to exit, but doesn't generate an ArgusLog
> message, you will not see the error message.
>
> Does this work at all?
>
>    ./bin/argus -F /etc/argus.conf -D8 &
>
> Try the argus-3.0.1 that is in the ftp://qosient.com/dev/argus-3.0
> directory to see if things are any better.
>
> Carter
>
>
> On Sep 3, 2008, at 3:45 PM, Michael Grinnell wrote:
>
>> Hi,
>>

Carter Bullard | 3 Sep 23:05

Re: Argus 3.0 dies in daemon mode

Hey Michael,
If you feel adventurous, comment out the two "freopen()" calls in argus.c,
recompile, and then see what kind of messages you get.  If you're not
that adventurous, take out the GENERATE_PID directive in the argus.conf
file.  You may be getting a "Can't create PID directory/file" like
error message.

Carter

On Sep 3, 2008, at 4:40 PM, Michael Grinnell wrote:

> Carter,
>
> ./bin/argus -F /etc/argus.conf -D8 & works fine.  I'll try the dev  
> version this evening and let you know.
>
> Thanks,
> Michael
>
>
> On Sep 3, 2008, at 4:30 PM, Carter Bullard wrote:
>
>> Hey Michael,
>> When argus goes into daemon mode, it closes stdout and stderr,
>> and the debug output stops (no place for it to go), so if there is an
>> error that causes argus to exit, but doesn't generate an ArgusLog
>> message, you will not see the error message.
>>
>> Does this work at all?

Tomoyuki Sakurai | 4 Sep 01:31

Re: Argus 3.0 dies in daemon mode

On Wed, Sep 03, 2008 at 05:05:46PM -0400, Carter Bullard wrote:
> 
> Hey Michael,
> If you feel adventurous, comment out the two "freopen()" calls in  
> argus.c,
> recompile, and then see what kind of messages you get.  If you're not
> that adventurous, take out the GENERATE_PID directive in the argus.conf
> file.  You maybe getting a "Can't create PID directory/file" like  
> error message.

I also experienced the same problem before. When argus runs as a non-root
user, it cannot create the pid file. Very likely if you run argus using a
startup script like the one provided by the OS (I don't know much about CentOS).

Argus should log something like "cannot open file: $!"
-- 
Tomoyuki Sakurai

Michael Grinnell | 4 Sep 06:06

Re: Argus 3.0 dies in daemon mode

It does seem to be a PID permissions issue.  Commenting out the
ARGUS_SETUSER_ID and ARGUS_SETGROUP_ID fixes the issue.  Commenting out the
freopen calls yields:
ArgusError: argus[27674]: 03 Sep 08 23:43:31.530640 daemon cannot create pid file

The default PID file location is /var/run, which is chmod 755 and
chown root:root.

Does it try to create the PID file before set_uid or after?

Michael

On Sep 3, 2008, at 7:31 PM, Tomoyuki Sakurai wrote:

> On Wed, Sep 03, 2008 at 05:05:46PM -0400, Carter Bullard wrote:
>>
>> Hey Michael,
>> If you feel adventurous, comment out the two "freopen()" calls in
>> argus.c,
>> recompile, and then see what kind of messages you get.  If you're not
>> that adventurous, take out the GENERATE_PID directive in the  
>> argus.conf
>> file.  You maybe getting a "Can't create PID directory/file" like
>> error message.
>
> I also experienced the same problem before. When argus runs as non- 
> root
> user, it cannnot create pid file. Very likely if you run argus using
> startup script like one provided by OS (I don't know much about  

Carter Bullard | 4 Sep 15:32

Re: Argus 3.0 dies in daemon mode

Hey Michael,
It should set up the PID using real uid and gid, but I'll look into it today.
And it looks like I need to improve the error reporting around the PID file.
Is syslog() different on CentOS (I know that's a bad question, but I don't
know much about CentOS)?  Just wondering why we don't get a syslog
message in the ArgusError() call.

But with the changes, you're now running?

Carter

On Sep 4, 2008, at 12:06 AM, Michael Grinnell wrote:

> It does seem to be a PID permissions issue.  Commenting out the  
> ARGUS_SETUSER_ID and ARGUS_SETGROUP_ID fixes the issue.  Commenting  
> out the freopen calls yields:
> ArgusError: argus[27674]: 03 Sep 08 23:43:31.530640 daemon cannot  
> create pid file
>
> The default PID file location is /var/run, which is chmod 755 and  
> chown root:root.
>
> Does it try to create the PID file before set_uid or after?
>
> Michael
>
> On Sep 3, 2008, at 7:31 PM, Tomoyuki Sakurai wrote:

Tomoyuki Sakurai | 11 Sep 15:47

[WISHLIST] How many records to output

Hi,

Currently, argus clients have no option to specify how many records to
output (the -N option is how many records to process). This is especially
useful when you need to know if there is a flow using a specific dst port.
With this option, and if you are lucky, you don't have to scan the entire file.
Also, it would be useful to be able to specify the next N records, like
"the 2nd 100 flows that match the filter expression". This is useful for
pager operation (the one you'll find in a web application like [<<] [1]
[2] [>>]).

Best regards,
-- 
Tomoyuki Sakurai

Nick Diel | 11 Sep 18:06

Re: [WISHLIST] How many records to output

A work around I use:

ra -r file.argus -w - - "filter" | ra -r - -N 100

Unfortunately the first ra process will go through the entire file, so if processing time is a concern...

Nick

On Thu, Sep 11, 2008 at 7:47 AM, Tomoyuki Sakurai <cherry <at> trombik.org> wrote:
Hi,

Currently, argus clients have no option to specify how many records to
output (the -N option is how many records to process). This is especially
useful when you need to know if there is a flow using a specific dst port.
With this option, and if you are lucky, you don't have to scan the entire file.
Also, it would be useful to be able to specify the next N records, like
"the 2nd 100 flows that match the filter expression". This is useful for
pager operation (the one you'll find in a web application like [<<] [1]
[2] [>>]).

Best regards,
--
Tomoyuki Sakurai
