Peter Van Epp | 4 Aug 03:51 2009

Apparent bug in argus-clients-3.0.2.beta.11

	It looks like a parse bug has crept in to the -S command in the beta.11
code:

Script started on Mon Aug  3 18:40:18 2009
You have mail.
hp2# ra -S192.168.1.1
   18:40:42.769381  e         udp            0.0.0.0.bootpc    ->    255.255.255.255.bootps        2        684   INT
   18:40:42.937545  e         udp      75.153.40.254.bootps    ->    255.255.255.255.bootpc        2       1180   INT
   18:40:43.758198  e         udp     99.199.181.136.57858    <->      75.154.133.68.domain        2        245   CON
^Chp2# ra -S192.168.1.1:561
ra[4910]: 18:41:03.248095 host 192.168.1.1: unknown
hp2# exit
exit

Script done on Mon Aug  3 18:41:08 2009

	Adding a port number (redundant in this case) to the -S command no 
longer appears to work correctly, the ":" doesn't look to get removed. Was
working on beta.5 (last one I loaded). 

Peter Van Epp

Carter Bullard | 4 Aug 04:37 2009

Re: Apparent bug in argus-clients-3.0.2.beta.11

Hey Peter,
Hmmmm, yes, that is not right.  I've uploaded new
argus-clients-3.0.2.beta.10 and 11 that fix the problem, but because
I'm on the road, I can't generate *.asc files.  I'll do that on Friday
when I get back.

Argus-3.0.4 is going to get udp transport, so we can support multicast
argus record transmission, and I added the "-S argus-tcp://localhost:561"
URL strategy.  When 3.0.4 comes in, we'll need to add support
"-S argus-udp://localhost:561".
I must have broken it there :o(

Sorry for any inconvenience!!!!

Carter

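The two messages above describe a -S argument that may be a bare host, a host:port pair, or an "argus-tcp://" / "argus-udp://" URL, and a regression where the ":" stayed attached to the host name. The following C sketch is an added example, not code from argus-clients or from anyone in this thread; the names parse_remote and struct remote are hypothetical, and the default port of 561 is assumed from the port used in the thread's commands.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DEFAULT_PORT 561            /* assumed default: the port used in the thread */

enum transport { TRANSPORT_TCP, TRANSPORT_UDP };

struct remote {                     /* hypothetical result type for this example */
    enum transport transport;
    char host[256];
    int port;
};

/* Parse a decimal port; reject empty input, signs, trailing junk, out-of-range values. */
static int parse_port(const char *s, int *port)
{
    char *end;
    long v;

    if (*s < '0' || *s > '9')
        return -1;
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno != 0 || *end != '\0' || v < 1 || v > 65535)
        return -1;
    *port = (int)v;
    return 0;
}

/* Split a -S style argument into transport, host and port.
 * Returns 0 on success, -1 if the argument is malformed. */
int parse_remote(const char *arg, struct remote *out)
{
    const char *rest = arg, *sep, *colon;
    size_t hostlen;

    out->transport = TRANSPORT_TCP;
    out->port = DEFAULT_PORT;

    /* Optional URL scheme: only the two schemes named in the thread are accepted. */
    sep = strstr(arg, "://");
    if (sep != NULL) {
        size_t n = (size_t)(sep - arg);
        if (n == 9 && strncmp(arg, "argus-tcp", n) == 0)
            out->transport = TRANSPORT_TCP;
        else if (n == 9 && strncmp(arg, "argus-udp", n) == 0)
            out->transport = TRANSPORT_UDP;
        else
            return -1;
        rest = sep + 3;
    }

    /* At most one ':' may separate host and port; anything else is ambiguous. */
    colon = strrchr(rest, ':');
    if (colon != NULL && colon != strchr(rest, ':'))
        return -1;

    /* Copy the host WITHOUT the ':' so the resolver never sees "192.168.1.1:". */
    hostlen = colon ? (size_t)(colon - rest) : strlen(rest);
    if (hostlen == 0 || hostlen >= sizeof(out->host))
        return -1;
    memcpy(out->host, rest, hostlen);
    out->host[hostlen] = '\0';

    if (colon != NULL && parse_port(colon + 1, &out->port) != 0)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample arguments, including the two forms from the report. */
    const char *samples[] = {
        "192.168.1.1", "192.168.1.1:561",
        "argus-tcp://localhost:561", "argus-udp://localhost:561",
        "192.168.1.1:", "192.168.1.1:70000",
    };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        struct remote r;
        if (parse_remote(samples[i], &r) == 0)
            printf("%-28s -> %s host=%s port=%d\n", samples[i],
                   r.transport == TRANSPORT_UDP ? "udp" : "tcp", r.host, r.port);
        else
            printf("%-28s -> rejected\n", samples[i]);
    }
    return 0;
}
```
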

Robert Kerr | 4 Aug 14:24 2009

Re: argus-clients-3.0.2.beta.10 segfault when reading argus 2 data

On Fri, 2009-07-31 at 17:06 +0100, Carter Bullard wrote:
> Hey Robert,
> Found the argus-2.x conversion bug.  Fixes on the server at:
>      ftp://qosient.com/dev/argus-3.0/argus-clients-3.0.2.beta.11.tar.gz
>     http://qosient.com/argus/dev/argus-clients-3.0.2.beta.11.tar.gz

> I didn't get a chance to fully test this, so if you have any problems
> configuring, making, compiling, whatever, please send email soon.

Seems to solve the problem, thanks Carter!

-- 
 Robert Kerr

Eric Gustafson | 4 Aug 23:53 2009

Re: Argus on Bivio 7500

Hey Carter,
Good news!! It works!
I've attached the Bivio-style init scripts and NRSP profiles I created.  Inside the tarball is a readme too, for those not familiar with Bivio's examples (which I used to create these)
When started with NRSP, a separate argus process will be spawned for each loadshared CPU installed, and will listen for connections.
When started with NRSP (and the included radium.conf), radium will combine all the CPUs' data together into one feed, which can be accessed locally on CPU-X or the mgt0 management interface.
Of course, our Bivio boxes only have 2x 2-core CPUs, so if you have the expansion module, you'll need to change radium.conf or you'll be missing some traffic.

Feel free to include these in the support directory if you want.

Thanks again for your help!
Eric

On Fri, Jul 31, 2009 at 11:24 AM, Eric Gustafson <subwire <at> gmail.com> wrote:
Hey Carter,
I'm happy to test those Bivio-related mods for you any time.  Just let me know.

rasplit is holding up fine with our script that restarts it every time the argus daemon notices it disconnect.
I'll check out those fixes and get back to you on that though!

Thanks!
- Eric


On Mon, Jul 27, 2009 at 7:17 AM, Carter Bullard <carter <at> qosient.com> wrote:
Hey Guys,
I'd like to work on specific Bivio mods for argus-3.0.2 this week.  I've got most of the code
structured to conditionally not use pcap_next_ex now, is there a chance we can test
it out sometime this week or next?

Eric, how has your rasplit() held up?  There were very specific rasplit() mods in some of
the recent updates, did you get a chance to grab new code and try them out?

Thanks for all the help!!!

Carter


On Jun 22, 2009, at 9:39 PM, Jason Carr wrote:

Hi Eric,

We also had the same problem compiling the 3.x series on our Bivio units.  Bivio ships (even with the newest OS 5.0.5) with an older libpcap.  We were told that the new libpcap that implements the pcap_get_selectable_fd method is in beta and should be released with the next OS release.

Right now we're running argus 2.x and running rastream 3.x on a non-Bivio machine.  The 2.x series compiles just fine (but no IPv6).

This was before Carter implemented any sort of Bivio changes, so I have not tested those.

Let me know if you have any questions.  I'm also interested in what else you might be using your Bivio for.

- Jason


On Jun 22, 2009, at 4:49 PM, Eric Gustafson wrote:

Hi Carter et al,
I'm trying to compile the latest test argus (3.0.2 beta8) on one of our Bivio 7500s, and am running into linking trouble.

gcc -O3 -I.  -I./../include  -DPACKAGE_NAME=\"\" -DPACKAGE_TARNAME=\"\" -DPACKAGE_VERSION=\"\" -DPACKAGE_STRING=\"\" -DPACKAGE_BUGREPORT=\"\" -DSTDC_HEADERS=1 -DHAVE_SYS_TYPES_H=1 -DHAVE_SYS_STAT_H=1 -DHAVE_STDLIB_H=1 -DHAVE_STRING_H=1 -DHAVE_MEMORY_H=1 -DHAVE_STRINGS_H=1 -DHAVE_INTTYPES_H=1 -DHAVE_STDINT_H=1 -DHAVE_UNISTD_H=1 -DHAVE_STRING_H=1 -DHAVE_FCNTL_H=1 -DHAVE_SYS_FILE_H=1 -DHAVE_SYSLOG_H=1 -DHAVE_SYS_VFS_H=1 -DHAVE_VFPRINTF=1 -DHAVE_STRCASECMP=1 -DHAVE_STRDUP=1 -DHAVE_STRFTIME=1 -DHAVE_SETLINEBUF=1 -DHAVE_ALARM=1 -DHAVE_STRERROR=1 -DHAVE_STRTOF=1 -DHAVE_SYS_BITYPES_H=1 -DHAVE_INTTYPES_H=1 -DHAVE_VSNPRINTF=1 -DHAVE_SNPRINTF=1 -DHAVE_GETADDRINFO=1 -DHAVE_ETHER_HOSTTON=1 -DHAVE_NETINET_ETHER_H=1 -DNETINET_ETHER_H_DECLARES_ETHER_HOSTTON= -DHAVE_DECL_ETHER_HOSTTON=1 -D_FILE_OFFSET_BITS=64 -DHAVE_TCP_WRAPPER=1 -DLBL_ALIGN=1 -DSTDC_HEADERS=1 -DARGUS_SYSLOG=1 -o ../bin/argus argus.o ArgusModeler.o ArgusSource.o ArgusUtil.o ArgusOutput.o ArgusUdp.o ArgusTcp.o ArgusIcmp.o ArgusIgmp.o ArgusEsp.o ArgusArp.o ArgusFrag.o ArgusAuth.o ArgusApp.o  ../lib/libpcap.a -lwrap -lnsl  ../lib/argus_common.a -lm
ArgusSource.o: In function `ArgusGetPackets':ArgusSource.c:(.text+0x2cf8): undefined reference to `pcap_get_selectable_fd'
:ArgusSource.c:(.text+0x2d90): undefined reference to `pcap_next_ex'
:ArgusSource.c:(.text+0x2dcc): undefined reference to `pcap_next_ex'
:ArgusSource.c:(.text+0x2e08): undefined reference to `pcap_next_ex'
:ArgusSource.c:(.text+0x2e44): undefined reference to `pcap_next_ex'
:ArgusSource.c:(.text+0x2eac): undefined reference to `pcap_next_ex'
ArgusSource.o:ArgusSource.c:(.text+0x2ec8): more undefined references to `pcap_next_ex' follow
collect2: ld returned 1 exit status
make[1]: *** [../bin/argus] Error 1
make[1]: Leaving directory `/bivio/shared/root/argus-3.0.1.beta.3/argus'
### Done with /root/argus-3.0.1.beta.3/argus

I configured with --with-libpcap=/usr/lib/zcp/, which is where Bivio stashes its special version of libpcap.
I noticed your mention of "changes to support Bivio hardware" for this release, but I didn't see any instructions regarding extra steps to get it to work.
Any ideas?

Thanks so much,
Eric



Carter Bullard
CEO/President
QoSient, LLC
150 E 57th Street Suite 12D
New York, New York  10022

+1 212 588-9133 Phone
+1 212 588-9134 Fax





Attachment (argus-bivio-support-files.tar.gz): application/x-gzip, 6994 bytes

Carter Bullard | 5 Aug 04:32 2009

Re: Argus on Bivio 7500

Hey Eric,
Excellent!!!!  I'm working on a hardware area on the web site with Peter Van Epp, and
I'll put something up for Bivio (and then of course we'll need something for Endace, and
Tilera, and ....).  It will be interesting to see if the packet dispatch logic in the Bivio is
flow sensitive, such that a single CPU sees all the packets for any given flow.  If not,
we'll need to insert a rabins() into the pipe to merge the records together, so that the
device looks like a single monitor.

Thanks again, and let's keep sharing notes!!!

Carter


Eric Gustafson | 5 Aug 04:52 2009

Re: Argus on Bivio 7500

Hey Carter,
I posed that very question regarding the packet dispatch logic to a 
Bivio engineer last year.  He seemed not too sure of himself, but 
claimed that it should separate things on a "per-connection" basis.  Now 
that I can see the flows though, I'll verify this in the next day or so.

My bosses are super excited to have this working, as they love the data 
argus gives them, and now have it in a 10G-capable box!
Cheers,
Eric


Jason Carr | 5 Aug 18:03 2009

Re: Argus on Bivio 7500

Depending on what the method is for traffic splitting you can get  
random packets or proper flows so this answer could be yes and no at  
the same time.

For example, this is a load-balance by port in a traffic  
classification configuration which will load balance using a five  
tuple (sip, dip, sp, dp, proto) which should make one flow stick with  
one processor:

<CIG:Action type="load-balance-by-port">core-ig</CIG:Action>

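The message above says that balancing on the five tuple (sip, dip, sp, dp, proto) should keep one flow on one processor, which is the property a per-CPU argus needs in order to see both directions of a flow. The following C sketch is an added example, not Bivio's dispatch algorithm and not code from this thread: it assumes a direction-independent hash (endpoints ordered before hashing), uses constructed sample packets, and compares that dispatch with per-packet round robin by counting flows that end up on more than one CPU.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct five_tuple {
    uint32_t sip, dip;   /* IPv4 addresses as host-order integers */
    uint16_t sp, dp;     /* source and destination ports */
    uint8_t  proto;      /* IP protocol number */
};

/* Put the endpoints in a fixed order so A->B and B->A produce the same key. */
static struct five_tuple canonical(struct five_tuple t)
{
    if (t.sip > t.dip || (t.sip == t.dip && t.sp > t.dp)) {
        uint32_t ip = t.sip;
        uint16_t pt = t.sp;
        t.sip = t.dip; t.sp = t.dp;
        t.dip = ip;    t.dp = pt;
    }
    return t;
}

static int same_flow(struct five_tuple a, struct five_tuple b)
{
    a = canonical(a);
    b = canonical(b);
    return a.sip == b.sip && a.dip == b.dip && a.sp == b.sp &&
           a.dp == b.dp && a.proto == b.proto;
}

/* FNV-1a over the canonical tuple, reduced to a CPU index (assumed hash choice). */
unsigned cpu_by_five_tuple(struct five_tuple t, unsigned ncpu)
{
    uint32_t words[5], h = 2166136261u;
    size_t i, j;

    t = canonical(t);
    words[0] = t.sip; words[1] = t.dip;
    words[2] = t.sp;  words[3] = t.dp; words[4] = t.proto;
    for (i = 0; i < 5; i++)
        for (j = 0; j < 4; j++) {
            h ^= (words[i] >> (8 * j)) & 0xffu;
            h *= 16777619u;
        }
    return h % ncpu;
}

/* CPU chosen for packet number idx: by flow hash, or by per-packet round robin. */
static unsigned pick_cpu(const struct five_tuple *pkts, size_t idx,
                         unsigned ncpu, int by_flow)
{
    return by_flow ? cpu_by_five_tuple(pkts[idx], ncpu) : (unsigned)(idx % ncpu);
}

/* Count flows whose packets were delivered to more than one CPU. */
unsigned count_split_flows(const struct five_tuple *pkts, size_t n,
                           unsigned ncpu, int by_flow)
{
    unsigned split = 0;
    size_t i, k;

    for (i = 0; i < n; i++) {
        int first = 1, is_split = 0;

        for (k = 0; k < i; k++)             /* only evaluate each flow once */
            if (same_flow(pkts[k], pkts[i])) { first = 0; break; }
        if (!first)
            continue;
        for (k = i + 1; k < n; k++)
            if (same_flow(pkts[k], pkts[i]) &&
                pick_cpu(pkts, k, ncpu, by_flow) != pick_cpu(pkts, i, ncpu, by_flow))
                is_split = 1;
        split += is_split;
    }
    return split;
}

/* Constructed sample: three flows, each with one packet in either direction. */
static const struct five_tuple SAMPLE[] = {
    { 0x0a000001, 0x0a000002, 40000,    80,  6 },   /* flow A, forward */
    { 0x0a000003, 0x0a000004, 53000,    53, 17 },   /* flow B, forward */
    { 0x0a000005, 0x0a000002, 40001,   443,  6 },   /* flow C, forward */
    { 0x0a000002, 0x0a000001,    80, 40000,  6 },   /* flow A, reverse */
    { 0x0a000004, 0x0a000003,    53, 53000, 17 },   /* flow B, reverse */
    { 0x0a000002, 0x0a000005,   443, 40001,  6 },   /* flow C, reverse */
};
#define SAMPLE_LEN (sizeof(SAMPLE) / sizeof(SAMPLE[0]))

int main(void)
{
    printf("five-tuple dispatch: %u flows split across CPUs\n",
           count_split_flows(SAMPLE, SAMPLE_LEN, 4, 1));
    printf("round-robin dispatch: %u flows split across CPUs\n",
           count_split_flows(SAMPLE, SAMPLE_LEN, 4, 0));
    return 0;
}
```

Any flow counted as split here is one whose records would have to be merged downstream, as discussed earlier in the thread, before the device looks like a single monitor.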

Jason Carr | 5 Aug 22:34 2009

Re: Argus on Bivio 7500

So a few things that I've noticed as I'm testing:

For our setup we will be monitoring three different networks.   
For that I believe we'll be using the argus source ID to figure out  
where the flow came from.

Inside of the radium config there is a list of specific nodes that  
have argus running.  I'm not sure how often those nodes would change  
but surely in a failover situation the nodes would change.  I'm not  
sure how to handle that properly.  I had originally planned on listing  
every node in our stack in the radium config, but that's somewhat messy.

Is there a way for radium to only supply a specific source ID to a  
network connection?  That way we can provide border argus feeds to  
researchers without giving them other networks.

The other thing I noticed is that there is no way to start argus  
listening on the interface called "default".  According to the Bivio  
manual, it's a pseudo-interface name that allows capture on all  
interfaces that might be bound to that inspection group that the  
Bivio's customized pcap handles internally.  For example, we have two  
interfaces at 10G each from a network that we are monitoring.  We'd  
want to monitor both interfaces at the same time.  It's a lot easier  
to monitor "default" instead of monitoring s0.e0 and s1.e0.  Right  
now, argus just quits with no error message.

Specifying multiple interfaces on the command line does not work  
either, for example:

[Bivio] root <at> CPU-3c0 ~$ /usr/local/sbin/argus -X -U 128 -i s1.e0 -i  
s2.e0 -P 561 -e 1 - ip
argus[26239]: 05 Aug 09 15:17:52.400570 ArgusOpenInterface:  
pcap_open_live zcopy_open: Can't MMAP to kernel (errno 12)

Thanks Eric and Carter!

- Jason

On Aug 5, 2009, at 12:03 PM, Jason Carr wrote:

> Depending on what the method is for traffic splitting you can get  
> random packets or proper flows so this answer could be yes and no at  
> the same time.
>
> For example, this is a load-balance by port in a traffic  
> classification configuration which will load balance using a five  
> tuple (sip, dip, sp, dp, proto) which should make one flow stick  
> with one processor:
>
> <CIG:Action type="load-balance-by-port">core-ig</CIG:Action>
>
>
> On Aug 4, 2009, at 10:52 PM, Eric Gustafson wrote:
>
>> Hey Carter,
>> I posed that very question regarding the packet dispatch logic to a  
>> Bivio engineer last year.  He seemed not too sure of himself, but  
>> claimed that it should separate things on a "per-connection"  
>> basis.  Now that I can see the flows though, I'll verify this in  
>> the next day or so.
>>
>> My bosses are super excited to have this working, as they love the  
>> data argus gives them, and now have it in a 10G-capable box!
>> Cheers,
>> Eric
>>
>> Carter Bullard wrote:
>>> Hey Eric,
>>> Excellent!!!!  I'm working on a hardware area on the web site with
>>> Peter Van Epp, and I'll put something up for Bivio (and then of course
>>> we'll need something for Endace, and Tilera, and ....).  It will be
>>> interesting to see if the packet dispatch logic in the Bivio is
>>> flow sensitive, such that a single CPU sees all the packets for
>>> any given flow.  If not, we'll need to insert a rabins() into the pipe
>>> to merge the records together, so that the device looks like a single
>>> monitor.
>>>
>>> Thanks again, and let's keep sharing notes!!!
>>>
>>> Carter
>>>
>>>
>>> On Aug 4, 2009, at 5:53 PM, Eric Gustafson wrote:
>>>
>>>> Hey Carter,
>>>> Good news!! It works!
>>>> I've attached the Bivio-style init scripts and NRSP profiles I  
>>>> created.  Inside the tarball is a readme too, for those not  
>>>> familiar with Bivio's examples (which I used to create these)
>>>> When started with NRSP, a separate argus process will be spawned  
>>>> for each loadshared CPU installed, and will listen for connections.
>>>> When started with NRSP (and the included radium.conf), radium  
>>>> will combine all the CPUs' data together into one feed, which can  
>>>> be accessed locally on CPU-X or the mgt0 management interface.
>>>> Of course, our Bivio boxes only have 2x 2-core CPUs, so if you  
>>>> have the expansion module, you'll need to change radium.conf or  
>>>> you'll be missing some traffic.
>>>>
>>>> Feel free to include these in the support directory if you want.
>>>>
>>>> Thanks again for your help!
>>>> Eric
>>>>
>>>> On Fri, Jul 31, 2009 at 11:24 AM, Eric Gustafson  
>>>> <subwire <at> gmail.com <mailto:subwire <at> gmail.com>> wrote:
>>>>
>>>>   Hey Carter,
>>>>   I'm happy to test those Bivio-related mods for you any time.
>>>>   Just let me know.
>>>>
>>>>   rasplit is holding up fine with our script that restarts it every
>>>>   time the argus daemon notices it disconnect.
>>>>   I'll check out those fixes and get back to you on that though!
>>>>
>>>>   Thanks!
>>>>   - Eric
>>>>
>>>>
>>>>   On Mon, Jul 27, 2009 at 7:17 AM, Carter Bullard
>>>>   <carter <at> qosient.com <mailto:carter <at> qosient.com>> wrote:
>>>>
>>>>       Hey Guys,
>>>>       I'd like to work on specific Bivio mods for argus-3.0.2 this
>>>>       week.  I've got most of the code
>>>>       structured to conditionally not use pcap_next_ex now, is
>>>>       there a chance we can test
>>>>       it out sometime this week or next?
>>>>
>>>>       Eric, how has your rasplit() held up?  There were very
>>>>       specific rasplit() mods in some of
>>>>       the recent updates, did you get a chance to grab new code and
>>>>       try them out?
>>>>
>>>>       Thanks for all the help!!!
>>>>
>>>>       Carter
>>>>
>>>>
>>>>       On Jun 22, 2009, at 9:39 PM, Jason Carr wrote:
>>>>
>>>>           Hi Eric,
>>>>
>>>>           We also had the same problem compiling the 3.x series on
>>>>           our Bivio units.  Bivio ships (even with the newest OS
>>>>           5.0.5) with an older libpcap.  We were told that the new
>>>>           libpcap that implements the pcap_get_selectable_fd method
>>>>           is in beta and should be released with the next OS
>>>>           release.
>>>>
>>>>           Right now we're running argus 2.x and running rastream
>>>>           3.x on a non-Bivio machine.  The 2.x series compiles just
>>>>           fine (but no IPv6).
>>>>
>>>>           This was before Carter implemented any sort of Bivio
>>>>           changes, so I have not tested those.
>>>>
>>>>           Let me know if you have any questions.  I'm also
>>>>           interested in what else you might be using your Bivio
>>>>           for.
>>>>
>>>>           - Jason
>>>>
>>>>
>>>>           On Jun 22, 2009, at 4:49 PM, Eric Gustafson wrote:
>>>>
>>>>               Hi Carter et al,
>>>>               I'm trying to compile the latest test argus (3.0.2
>>>>               beta8) on one of our Bivio 7500s, and am running into
>>>>               linking trouble.
>>>>
>>>>               gcc -O3 -I.  -I./../include  -DPACKAGE_NAME=\"\"
>>>>               -DPACKAGE_TARNAME=\"\" -DPACKAGE_VERSION=\"\"
>>>>               -DPACKAGE_STRING=\"\" -DPACKAGE_BUGREPORT=\"\"
>>>>               -DSTDC_HEADERS=1 -DHAVE_SYS_TYPES_H=1
>>>>               -DHAVE_SYS_STAT_H=1 -DHAVE_STDLIB_H=1
>>>>               -DHAVE_STRING_H=1 -DHAVE_MEMORY_H=1
>>>>               -DHAVE_STRINGS_H=1 -DHAVE_INTTYPES_H=1
>>>>               -DHAVE_STDINT_H=1 -DHAVE_UNISTD_H=1 -DHAVE_STRING_H=1
>>>>               -DHAVE_FCNTL_H=1 -DHAVE_SYS_FILE_H=1
>>>>               -DHAVE_SYSLOG_H=1 -DHAVE_SYS_VFS_H=1
>>>>               -DHAVE_VFPRINTF=1 -DHAVE_STRCASECMP=1 -DHAVE_STRDUP=1
>>>>               -DHAVE_STRFTIME=1 -DHAVE_SETLINEBUF=1 -DHAVE_ALARM=1
>>>>               -DHAVE_STRERROR=1 -DHAVE_STRTOF=1
>>>>               -DHAVE_SYS_BITYPES_H=1 -DHAVE_INTTYPES_H=1
>>>>               -DHAVE_VSNPRINTF=1 -DHAVE_SNPRINTF=1
>>>>               -DHAVE_GETADDRINFO=1 -DHAVE_ETHER_HOSTTON=1
>>>>               -DHAVE_NETINET_ETHER_H=1
>>>>               -DNETINET_ETHER_H_DECLARES_ETHER_HOSTTON=
>>>>               -DHAVE_DECL_ETHER_HOSTTON=1 -D_FILE_OFFSET_BITS=64
>>>>               -DHAVE_TCP_WRAPPER=1 -DLBL_ALIGN=1 -DSTDC_HEADERS=1
>>>>               -DARGUS_SYSLOG=1 -o ../bin/argus argus.o
>>>>               ArgusModeler.o ArgusSource.o ArgusUtil.o
>>>>               ArgusOutput.o ArgusUdp.o ArgusTcp.o ArgusIcmp.o
>>>>               ArgusIgmp.o ArgusEsp.o ArgusArp.o ArgusFrag.o
>>>>               ArgusAuth.o ArgusApp.o  ../lib/libpcap.a -lwrap -lnsl
>>>>                ../lib/argus_common.a -lm
>>>>               ArgusSource.o: In function
>>>>               `ArgusGetPackets':ArgusSource.c:(.text+0x2cf8):
>>>>               undefined reference to `pcap_get_selectable_fd'
>>>>               :ArgusSource.c:(.text+0x2d90): undefined reference to
>>>>               `pcap_next_ex'
>>>>               :ArgusSource.c:(.text+0x2dcc): undefined reference to
>>>>               `pcap_next_ex'
>>>>               :ArgusSource.c:(.text+0x2e08): undefined reference to
>>>>               `pcap_next_ex'
>>>>               :ArgusSource.c:(.text+0x2e44): undefined reference to
>>>>               `pcap_next_ex'
>>>>               :ArgusSource.c:(.text+0x2eac): undefined reference to
>>>>               `pcap_next_ex'
>>>>               ArgusSource.o:ArgusSource.c:(.text+0x2ec8): more
>>>>               undefined references to `pcap_next_ex' follow
>>>>               collect2: ld returned 1 exit status
>>>>               make[1]: *** [../bin/argus] Error 1
>>>>               make[1]: Leaving directory
>>>>               `/bivio/shared/root/argus-3.0.1.beta.3/argus'
>>>>               ### Done with /root/argus-3.0.1.beta.3/argus
>>>>
>>>>               I configured with --with-libpcap=/usr/lib/zcp/, which
>>>>               is where Bivio stashes its special version of
>>>>               libpcap.
>>>>               I noticed your mention of "changes to support Bivio
>>>>               hardware" for this release, but I didn't see any
>>>>               instructions regarding extra steps to get it to work.
>>>>               Any ideas?
>>>>
>>>>               Thanks so much,
>>>>               Eric
>>>>
>>>>
>>>>
>>>>
>>>>       Carter Bullard
>>>>       CEO/President
>>>>       QoSient, LLC
>>>>       150 E 57th Street Suite 12D
>>>>       New York, New York  10022
>>>>
>>>>       +1 212 588-9133 Phone
>>>>       +1 212 588-9134 Fax
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> <argus-bivio-support-files.tar.gz>
>>>
>>
>>
>
>
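One way to carry out the check Eric describes above (whether every packet of a flow reaches the same CPU), as an added example that is not from the thread or from argus: compare the flow keys seen in each CPU's records and sum any split flow into one record. The record tuples, CPU names and function names are constructed for illustration, and the summing is a simplified stand-in for record merging, not rabins() itself.

```python
from collections import defaultdict

def flow_key(proto, saddr, sport, daddr, dport):
    """Direction-independent five-tuple: both directions of a flow give the same key."""
    a, b = (saddr, sport), (daddr, dport)
    return (proto,) + (a + b if a <= b else b + a)

def split_flows(records_by_cpu):
    """Return {flow_key: [cpus]} for every flow that was reported by more than one CPU."""
    seen = defaultdict(set)
    for cpu, records in records_by_cpu.items():
        for proto, saddr, sport, daddr, dport, _pkts, _bytes in records:
            seen[flow_key(proto, saddr, sport, daddr, dport)].add(cpu)
    return {key: sorted(cpus) for key, cpus in seen.items() if len(cpus) > 1}

def merge_records(records_by_cpu):
    """Sum packet and byte counts per flow so the box reads like a single monitor."""
    totals = defaultdict(lambda: [0, 0])
    for records in records_by_cpu.values():
        for proto, saddr, sport, daddr, dport, pkts, nbytes in records:
            entry = totals[flow_key(proto, saddr, sport, daddr, dport)]
            entry[0] += pkts
            entry[1] += nbytes
    return {key: tuple(counts) for key, counts in totals.items()}

# Constructed sample: (proto, saddr, sport, daddr, dport, packets, bytes) per CPU.
# The first TCP flow is deliberately split: one direction on each CPU.
SAMPLE = {
    "CPU-1c0": [("tcp", "10.0.0.5", 40000, "192.0.2.10", 443, 6, 900),
                ("udp", "10.0.0.7", 5353, "192.0.2.53", 53, 2, 180)],
    "CPU-1c1": [("tcp", "192.0.2.10", 443, "10.0.0.5", 40000, 4, 2400),
                ("tcp", "10.0.0.9", 40001, "192.0.2.10", 80, 3, 420)],
}

if __name__ == "__main__":
    for key, cpus in split_flows(SAMPLE).items():
        print("flow seen on several CPUs:", key, cpus)
    for key, (pkts, nbytes) in sorted(merge_records(SAMPLE).items()):
        print(key, pkts, nbytes)
```

An empty result from `split_flows` on real per-CPU output means the dispatch kept each flow on one processor and no merge stage is needed.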

Peter Van Epp | 6 Aug 01:58 2009

Re: Argus on Bivio 7500

<snip>
>
> The other thing I noticed is that there is no way to start argus  
> listening on the interface called "default".  According to the Bivio  
> manual, it's a pseudo-interface name that allows capture on all  
> interfaces that might be bound to that inspection group that the Bivio's 
> customized pcap handles internally.  For example, we have two interfaces 
> at 10G each from a network that we are monitoring.  We'd want to monitor 
> both interfaces at the same time.  It's a lot easier to monitor "default" 
> instead of monitoring s0.e0 and s1.e0.  Right now, argus just quits with 
> no error message.
>
> Specifying multiple interfaces on the command line does not work either, 
> for example:
>
> [Bivio] root@CPU-3c0 ~$ /usr/local/sbin/argus -X -U 128 -i s1.e0 -i s2.e0 -P 561 -e 1 - ip
> argus[26239]: 05 Aug 09 15:17:52.400570 ArgusOpenInterface: pcap_open_live zcopy_open: Can't MMAP to kernel (errno 12)
>
<snip>

	You need to figure out what interface the Bivio thinks is "default".
You might try no -i which will use the default (usually the first it finds)
interface and see if that is default in this case. Otherwise if you have
something that runs on the default interface that you have source to you can
run gdb on the pcap open and see what device it is using and argus should be
happy with the same one. A look at the FreeBSD pcap man page indicates the
pcap_findalldevs() call will list all interfaces. I'm not aware of a command
that displays this but there may be one, otherwise there is always C :-).
If you eliminate the known interfaces what's left (if anything is left) should
be default. Ah! tcpdump -D should print the list of available interfaces
perhaps saving you some coding :-). My FreeBSD box says (as root):

tcpdump -D 
1.nfe0
2.lo0

1 is the NIC, 2 is the loopback interface. In your case I'd expect the known
interfaces, "default" and a loopback interface. It may be also worth trying
the lo0 interface as default. Good luck :-) You likely need to use a Bivio
aware copy of tcpdump if there is such a thing as well (may not be, libpcap
should be standard from the user side of things). 
	On standard NICs two interfaces as you are specifying used to work
(I no longer have access to the machine where I used to run this way thus the
"used to" :-)). From the error message I think it still does, the Bivio libpcap
looks to not like trying to open the same mapping twice. As far as I remember
the Linux pf-ring code used to let me do the two NIC version with 2 -i commands
and it does a similar mmap operation to avoid the kernel to userland memory 
copy so it should be a Bivio limitation (probably fixable by knowing how to 
specify default from the sounds of it).

Peter Van Epp

Jason Carr | 6 Aug 16:22 2009

Re: Argus on Bivio 7500

Sorry, maybe I was not clear...  what I meant to say is that if you  
run tethereal -i default it will capture everything on any devices  
that the node has been assigned to use (tcpdump doesn't work right on  
Bivio but tethereal does).

I attached the debug log for argus when I run argus:

/usr/local/sbin/argus -X -U 128 -i default -P 561 -e 1 -D 999
argus[459]: 06 Aug 09 10:17:19.904605 ArgusCalloc (1, 712) returning 0x1012d008
argus[459]: 06 Aug 09 10:17:19.905025 ArgusCalloc (1, 40) returning 0x1012d330
argus[459]: 06 Aug 09 10:17:19.905064 ArgusNewList () returning 0x1012d330
argus[459]: 06 Aug 09 10:17:19.905107 ArgusCalloc (1, 20) returning 0x1012d360
argus[459]: 06 Aug 09 10:17:19.905154 ArgusCalloc (65536, 4) returning 0x3002f008
argus[459]: 06 Aug 09 10:17:19.905190 ArgusNewHashTable (65536) returning 0x1012d360
argus[459]: 06 Aug 09 10:17:19.905228 ArgusCalloc (1, 104) returning 0x1012d378
argus[459]: 06 Aug 09 10:17:19.905261 ArgusCalloc (1, 64) returning 0x1012d3e8
argus[459]: 06 Aug 09 10:17:19.905295 ArgusNewQueue () returning 0x1012d3e8
argus[459]: 06 Aug 09 10:17:19.905333 ArgusCalloc (1, 64) returning 0x1012d930
argus[459]: 06 Aug 09 10:17:19.905368 ArgusNewQueue () returning 0x1012d930
argus[459]: 06 Aug 09 10:17:19.905403 ArgusCalloc (1, 112) returning 0x1012d978
argus[459]: 06 Aug 09 10:17:19.905436 ArgusNewModeler() returning 0x1012d008
argus[459]: 06 Aug 09 10:17:19.905478 ArgusCalloc (1, 330600) returning 0x30070008
argus[459]: 06 Aug 09 10:17:19.905527 ArgusNewSource() returning 0x30070008
argus[459]: 06 Aug 09 10:17:19.905565 ArgusCalloc (1, 136) returning 0x1012d9f0
argus[459]: 06 Aug 09 10:17:19.905601 ArgusCalloc (1, 64) returning 0x1012da80
argus[459]: 06 Aug 09 10:17:19.905639 ArgusNewQueue () returning 0x1012da80
argus[459]: 06 Aug 09 10:17:19.905673 ArgusNewOutput() returning retn 0x1012d9f0
argus[459]: 06 Aug 09 10:17:19.905719 setArgusMarReportInterval(60) returning
argus[459]: 06 Aug 09 10:17:19.905776 setArgusID(0x1012d008, 0x0) done
argus[459]: 06 Aug 09 10:17:19.905825 ArgusDeleteList (0x0, 2) returning
argus[459]: 06 Aug 09 10:17:19.905873 clearArgusDevice(0x30070008) returning
argus[459]: 06 Aug 09 10:17:19.905906 setArgusPortNum(0) returning
argus[459]: 06 Aug 09 10:17:19.905940 setArgusMarReportInterval(60) returning
argus[459]: 06 Aug 09 10:17:19.905982 clearArgusConfiguration () returning
argus[459]: 06 Aug 09 10:17:19.906016 clearArgusDevice(0x30070008) returning
argus[459]: 06 Aug 09 10:17:19.906055 ArgusCalloc (1, 40) returning 0x1012d430
argus[459]: 06 Aug 09 10:17:19.906089 ArgusNewList () returning 0x1012d430
argus[459]: 06 Aug 09 10:17:19.906134 ArgusCalloc (1, 8) returning 0x1012dac8
argus[459]: 06 Aug 09 10:17:19.906173 ArgusPushFrontList (0x1012d430, 0x1012dac8, 1) returning 0x1012dad8
argus[459]: 06 Aug 09 10:17:19.906208 setArgusDevice(default) returning
argus[459]: 06 Aug 09 10:17:19.906250 setArgusPortNum(561) returning
argus[459]: 06 Aug 09 10:17:19.906294 setArgusID(0x1012d008, 0x1) done
argus[459]: 06 Aug 09 10:17:19.906335 setArgusInterfaceStatus(1)
argus[459]: 06 Aug 09 10:17:19.907117 ArgusPopFrontList (0x1012dac8) returning
argus[459]: 06 Aug 09 10:17:19.928253 ArgusOpenInterface() pcap_open_live(default) returned 0x1012dae8
argus[459]: 06 Aug 09 10:17:19.928339 Arguslookup_pcap_callback(1) returning 0x1000e940
argus[459]: 06 Aug 09 10:17:19.928379 ArgusOpenInterface(0x30070008, 'default') returning
argus[459]: 06 Aug 09 10:17:19.928411 ArgusPushBackList (0x1012d430, 0x1012dac8, 1) returning 1
argus[459]: 06 Aug 09 10:17:19.928512 ArgusInitSource() returning
argus[459]: 06 Aug 09 10:17:19.928553 ArgusCalloc (1, 40) returning 0x1012dd38
argus[459]: 06 Aug 09 10:17:19.928586 ArgusNewList () returning 0x1012dd38
argus[459]: 06 Aug 09 10:17:19.928626 ArgusCalloc (1, 128) returning 0x1012dd68
argus[459]: 06 Aug 09 10:17:19.928663 ArgusGenerateInitialMar() returning
argus[459]: 06 Aug 09 10:17:19.933547 ArgusEstablishListen(561, 0x7f8c3258) binding: any:561
family: 2
argus[459]: 06 Aug 09 10:17:19.933646 ArgusEstablishListen(561, 0x7f8c3258) returning 4
argus[459]: 06 Aug 09 10:17:19.933685 ArgusInitOutput() done
argus[459]: 06 Aug 09 10:17:19.933729 started
argus[459]: 06 Aug 09 10:17:19.933874 ArgusCalloc (1, 32) returning 0x1012ddf0
argus[459]: 06 Aug 09 10:17:19.933911 ArgusInitMallocList (632) returning
argus[459]: 06 Aug 09 10:17:19.933943 ArgusInitModeler() done
argus[459]: 06 Aug 09 10:17:19.933980 ArgusGetPackets (0x30070008) starting
argus[459]: 06 Aug 09 10:17:19.934034 ArgusPopFrontList (0x1012dac8) returning
argus[459]: 06 Aug 09 10:17:19.934071 ArgusPushFrontList (0x1012d430, 0x1012dac8, 1) returning 0xd032
argus[459]: 06 Aug 09 10:17:19.953894 setArgusInterfaceStatus(0)
argus[459]: 06 Aug 09 10:17:19.989382 ArgusProcessQueueTimeout(0x1012d008, 0x1012d3e8) done
argus[459]: 06 Aug 09 10:17:19.989445 ArgusQueueManager() turns 1    statusQueue 0    qs 0  items 0    cache 0     
resort 0      reclaim 0      new 0      sends 0        bsends 0       
argus[459]: 06 Aug 09 10:17:19.989498 ArgusOutputProcess(0x1012d9f0) starting
argus[459]: 06 Aug 09 10:17:19.989551 ArgusOutputStatusTime(0x1012d9f0) done
argus[459]: 06 Aug 09 10:17:19.989588 ArgusGetPackets () returning
argus[459]: 06 Aug 09 10:17:19.989621 main() ArgusGetPackets returned: shuting down

argus[459]: 06 Aug 09 10:17:19.989673 ArgusShutDown(Normal Shutdown)

argus[459]: 06 Aug 09 10:17:19.989707 ArgusCloseSource(0x30070008) starting
argus[459]: 06 Aug 09 10:17:19.989744 ArgusPopFrontList (0x1012dac8) returning
argus[459]: 06 Aug 09 10:17:19.989775 ArgusFree (0x1012dac8)
argus[459]: 06 Aug 09 10:17:19.989816 ArgusFree (0x1012d430)
argus[459]: 06 Aug 09 10:17:19.989852 ArgusDeleteList (0x1012d430, 3) returning
argus[459]: 06 Aug 09 10:17:19.989886 ArgusCloseSource(0x30070008) deleting source
argus[459]: 06 Aug 09 10:17:19.989928 ArgusModelerCleanUp ArgusProcessQueue(0x1012d3e8)
processing status queue with 0 records
argus[459]: 06 Aug 09 10:17:19.989962 ArgusPopQueue (0x1012d3e8) returning 0x0
argus[459]: 06 Aug 09 10:17:19.989998 ArgusFree (0x1012d3e8)
argus[459]: 06 Aug 09 10:17:19.990031 ArgusDeleteQueue (0x1012d3e8) returning
argus[459]: 06 Aug 09 10:17:19.990063 ArgusModelerCleanUp () returning
argus[459]: 06 Aug 09 10:17:19.990112 ArgusFree (0x3002f008)
argus[459]: 06 Aug 09 10:17:19.990152 ArgusFree (0x1012d360)
argus[459]: 06 Aug 09 10:17:19.990194 ArgusCalloc (1, 660) returning 0x1012de18
argus[459]: 06 Aug 09 10:17:19.990231 ArgusMallocListRecord (632) returning 0x1012de34
argus[459]: 06 Aug 09 10:17:19.990265 ArgusGenerateListRecord (0x1012d008, 0x0, 48) done
argus[459]: 06 Aug 09 10:17:19.990299 ArgusPushBackList (0x1012d330, 0x1012de34, 1) returning 1
argus[459]: 06 Aug 09 10:17:19.990333 ArgusCloseModeler(0x1012d008) pushing close record 0x1012de34
argus[459]: 06 Aug 09 10:17:19.990370 ArgusFree (0x1012d378)
argus[459]: 06 Aug 09 10:17:19.990406 ArgusFree (0x1012d978)
argus[459]: 06 Aug 09 10:17:19.990436 ArgusCloseModeler(0x1012d008)
argus[459]: 06 Aug 09 10:17:19.990471 ArgusCloseOutput() scheduling closure after writing records
argus[459]: 06 Aug 09 10:17:19.990504 ArgusOutputProcess(0x1012d9f0) starting
argus[459]: 06 Aug 09 10:17:19.990538 ArgusOutputStatusTime(0x1012d9f0) done
argus[459]: 06 Aug 09 10:17:19.990574 ArgusLoadList (0x1012d330, 0x1012dd38) load 1 objects
argus[459]: 06 Aug 09 10:17:19.990608 ArgusPopFrontList (0x1012de34) returning
argus[459]: 06 Aug 09 10:17:19.990643 ArgusOutputProcess() received rec 0x1012de34 totals 1 seq 0
argus[459]: 06 Aug 09 10:17:19.990677 ArgusFreeListRecord (0x1012de34) returning
argus[459]: 06 Aug 09 10:17:19.990711 ArgusMallocListRecord (632) returning 0x1012de34
argus[459]: 06 Aug 09 10:17:19.990751 ArgusGenerateStatusMarRecord(0x1012d9f0, 48) returning 0x1012de34
argus[459]: 06 Aug 09 10:17:19.990785 ArgusOutputProcess() received stop record 0 records on the list
argus[459]: 06 Aug 09 10:17:19.990820 ArgusFreeListRecord (0x1012de34) returning
argus[459]: 06 Aug 09 10:17:19.990853 ArgusFree (0x1012d330)
argus[459]: 06 Aug 09 10:17:19.990884 ArgusDeleteList (0x1012d330, 4) returning
argus[459]: 06 Aug 09 10:17:19.990920 ArgusFree (0x1012dd38)
argus[459]: 06 Aug 09 10:17:19.990953 ArgusDeleteList (0x1012dd38, 4) returning
argus[459]: 06 Aug 09 10:17:19.990986 ArgusFree (0x1012dd68)
argus[459]: 06 Aug 09 10:17:19.991017 ArgusCloseOutput(0x1012d9f0) done
argus[459]: 06 Aug 09 10:17:19.991050 ArgusFree (0x1012d9f0)
argus[459]: 06 Aug 09 10:17:19.991083 ArgusFree (0x1012d008)
argus[459]: 06 Aug 09 10:17:19.991168 ArgusFree (0x30070008)
argus[459]: 06 Aug 09 10:17:19.991220 ArgusShutDown()

On Aug 5, 2009, at 7:58 PM, Peter Van Epp wrote:

> <snip>
>>
>> The other thing I noticed is that there is no way to start argus
>> listening on the interface called "default".  According to the Bivio
>> manual, it's a pseudo-interface name that allows capture on all
>> interfaces that might be bound to that inspection group that the Bivio's
>> customized pcap handles internally.  For example, we have two interfaces
>> at 10G each from a network that we are monitoring.  We'd want to monitor
>> both interfaces at the same time.  It's a lot easier to monitor "default"
>> instead of monitoring s0.e0 and s1.e0.  Right now, argus just quits with
>> no error message.
>>
>> Specifying multiple interfaces on the command line does not work either,
>> for example:
>>
>> [Bivio] root@CPU-3c0 ~$ /usr/local/sbin/argus -X -U 128 -i s1.e0 -i s2.e0 -P 561 -e 1 - ip
>> argus[26239]: 05 Aug 09 15:17:52.400570 ArgusOpenInterface: pcap_open_live zcopy_open: Can't MMAP to kernel (errno 12)
>>
> <snip>
>
> 	You need to figure out what interface the Bivio thinks is "default".
> You might try no -i which will use the default (usually the first it finds)
> interface and see if that is default in this case. Otherwise if you have
> something that runs on the default interface that you have source to you can
> run gdb on the pcap open and see what device it is using and argus should be
> happy with the same one. A look at the FreeBSD pcap man page indicates the
> pcap_findalldevs() call will list all interfaces. I'm not aware of a command
> that displays this but there may be one, otherwise there is always C :-).
> If you eliminate the known interfaces what's left (if anything is left) should
> be default. Ah! tcpdump -D should print the list of available interfaces
> perhaps saving you some coding :-). My FreeBSD box says (as root):
>
> tcpdump -D
> 1.nfe0
> 2.lo0
>
> 1 is the NIC, 2 is the loopback interface. In your case I'd expect the known
> interfaces, "default" and a loopback interface. It may be also worth trying
> the lo0 interface as default. Good luck :-) You likely need to use a Bivio
> aware copy of tcpdump if there is such a thing as well (may not be, libpcap
> should be standard from the user side of things).
> 	On standard NICs two interfaces as you are specifying used to work
> (I no longer have access to the machine where I used to run this way thus the
> "used to" :-)). From the error message I think it still does, the Bivio libpcap
> looks to not like trying to open the same mapping twice. As far as I remember
> the Linux pf-ring code used to let me do the two NIC version with 2 -i commands
> and it does a similar mmap operation to avoid the kernel to userland memory
> copy so it should be a Bivio limitation (probably fixable by knowing how to
> specify default from the sounds of it).
>
> Peter Van Epp
>
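The two failure traces in this thread can be triaged mechanically. The following is an added example, not part of the original messages or of argus: a small parser for the `-D` debug line format shown above, run on lines excerpted from the two traces. The function names, result fields and the one-second threshold are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# argus -D debug lines look like: argus[pid]: DD Mon YY HH:MM:SS.uuuuuu message
LINE = re.compile(r"^argus\[(\d+)\]: (\d{2} \w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d{6}) (.*)$")
MS = timedelta(milliseconds=1)

def parse(text):
    """Return [(timestamp, message)]; unprefixed lines are folded into the previous entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m.group(2), "%d %b %y %H:%M:%S.%f")
            entries.append([ts, m.group(3)])
        elif line and entries:
            entries[-1][1] += " " + line  # wrapped continuation such as "family: 2"
    return [(ts, msg) for ts, msg in entries]

def triage(text, min_capture=timedelta(seconds=1)):
    """Summarise one run: device opened, capture-loop lifetime, errno values, shutdown reason."""
    r = {"device": None, "handle_ok": False, "capture_ms": None, "shutdown": None, "errnos": []}
    start = None
    for ts, msg in parse(text):
        opened = re.search(r"pcap_open_live\((\S+?)\) returned (0x[0-9a-fA-F]+)", msg)
        err = re.search(r"\(errno (\d+)\)", msg)
        down = re.match(r"ArgusShutDown\((.+)\)", msg)
        if opened:
            r["device"] = opened.group(1)
            r["handle_ok"] = int(opened.group(2), 16) != 0
        if err:
            r["errnos"].append(int(err.group(1)))
        if down and r["shutdown"] is None:
            r["shutdown"] = down.group(1)
        if re.match(r"ArgusGetPackets \(0x[0-9a-fA-F]+\) starting", msg):
            start = ts
        elif msg.startswith("ArgusGetPackets () returning") and start is not None:
            r["capture_ms"] = (ts - start) / MS
    short = r["capture_ms"] is not None and r["capture_ms"] < min_capture / MS
    # Open succeeded, nothing was reported as an error, yet the capture loop ended at once.
    r["silent_exit"] = r["handle_ok"] and short and not r["errnos"]
    return r

# Lines excerpted from the "-i default" trace in the message above.
SILENT_EXIT_LOG = """\
argus[459]: 06 Aug 09 10:17:19.928253 ArgusOpenInterface() pcap_open_live(default) returned 0x1012dae8
argus[459]: 06 Aug 09 10:17:19.933547 ArgusEstablishListen(561, 0x7f8c3258) binding: any:561
family: 2
argus[459]: 06 Aug 09 10:17:19.933729 started
argus[459]: 06 Aug 09 10:17:19.933980 ArgusGetPackets (0x30070008) starting
argus[459]: 06 Aug 09 10:17:19.953894 setArgusInterfaceStatus(0)
argus[459]: 06 Aug 09 10:17:19.989588 ArgusGetPackets () returning
argus[459]: 06 Aug 09 10:17:19.989621 main() ArgusGetPackets returned: shuting down
argus[459]: 06 Aug 09 10:17:19.989673 ArgusShutDown(Normal Shutdown)
"""

# The single line logged by the two-interface run quoted above.
MMAP_LOG = ("argus[26239]: 05 Aug 09 15:17:52.400570 ArgusOpenInterface: "
            "pcap_open_live zcopy_open: Can't MMAP to kernel (errno 12)")

if __name__ == "__main__":
    print(triage(SILENT_EXIT_LOG))
    print(triage(MMAP_LOG))
```

On the `-i default` excerpt this reports a successful open followed by a capture loop that lasted about 56 ms and a "Normal Shutdown", which matches the "quits with no error message" symptom; on the two-interface line it reports errno 12 and no opened device.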

