seg fault

Carter Bullard carter at qosient.com
Fri Sep 22 07:26:32 EDT 2000


Hey Peter,
   So, I fixed this problem for me by hacking tcpdump to handle
a range of packet numbers.  Tcpdump supports the -c option,
and I put in a hack to track multiple '-c's on the command
line.  The lesser of the -c's is the start count and the
greatest is the end count.  That helps a bit, but having
your own personal hacks to tcpdump() is not a great solution.

   If tcpclean() removes the problem, then that sez something
right there.  We are probably confused about the packet length
and are writing over someone else's buffer.  I'll look into
cleaning up all the length variables today.  But, getting
a tcpdump file that has the problem in it is key.  A strategy
that I use a lot is to start pruning back the tcpdump file, by
using things like "not tcp".  If the resulting file has the
problem, then that may be it, as it will be a much smaller
file.  If it doesn't, then create a "tcp" file and
move on to your favorite protocol, such as "not udp".  This
will get it into a protocol class.  That in some cases is
all we need, but if we can get a capture file that has the
problem, then a solution will be on the way.

Carter


-----Original Message-----
From: owner-argus at lists.andrew.cmu.edu
[mailto:owner-argus at lists.andrew.cmu.edu]On Behalf Of Peter Van Epp
Sent: Friday, September 22, 2000 1:01 AM
To: argus
Subject: seg fault


	Hmmm, it looks to be something in the data field not a short packet.
I ran tcpdump and argus until it seg faulted. I can get a loop/seg fault when
I cntrl-C from feeding the tcpdump file to argus_bpf. However running the
tcpdump file through tcpclean fixes it, the resulting file processes clean
with argus_bpf.
	That brings on a tcpclean option request: I can't find a way to select
records by time from tcpdump. It would be a useful thing to be able to specify
a tcpdump format start and end time stamp and have tcpclean output only the
tcpdump records between those times (in this case a straight copy with no
data field manipulation).
	I ran the new argus for a while on my Internet link (IP only unlike
the backbone which has a bit of everything) and it seems to run fine there
indicating the seg fault is one of the odder protocols probably.

Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
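
The time-window selection requested in the quoted message, as an added example that is not part of the original thread and is not tcpclean or argus code: it copies classic pcap records between two timestamps byte for byte, and stops with the file offset when a record's length field is inconsistent. The function names and the sample capture are constructed for illustration, and it assumes the classic microsecond pcap file format.

```python
import struct

GLOBAL_HDR = 24   # classic pcap file header size
RECORD_HDR = 16   # per-record header: ts_sec, ts_usec, incl_len, orig_len


def slice_pcap(data: bytes, start: float, end: float) -> bytes:
    """Copy records with start <= timestamp <= end, payload untouched."""
    if len(data) < GLOBAL_HDR:
        raise ValueError("truncated pcap file header")
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        order = "<"          # written on a little-endian host
    elif magic == b"\xa1\xb2\xc3\xd4":
        order = ">"          # written on a big-endian host
    else:
        raise ValueError("not a classic microsecond pcap file")
    snaplen = struct.unpack_from(order + "I", data, 16)[0]
    out = bytearray(data[:GLOBAL_HDR])
    off = GLOBAL_HDR
    while off < len(data):
        if len(data) - off < RECORD_HDR:
            raise ValueError(f"truncated record header at offset {off}")
        sec, usec, incl, _orig = struct.unpack_from(order + "4I", data, off)
        body = off + RECORD_HDR
        # Check the stored length before using it: a reader that trusts a
        # bad incl_len copies past the end of its packet buffer.
        if incl > snaplen or incl > len(data) - body:
            raise ValueError(f"bad incl_len {incl} at offset {off}")
        if start <= sec + usec / 1e6 <= end:
            out += data[off:body + incl]
        off = body + incl
    return bytes(out)


def make_pcap(records, snaplen=65535):
    """Build a little-endian pcap from (ts_sec, payload) pairs (constructed data)."""
    blob = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for sec, payload in records:
        blob += struct.pack("<4I", sec, 0, len(payload), len(payload)) + payload
    return blob


SAMPLE = make_pcap([(100, b"aa"), (200, b"bbbb"), (300, b"c")])  # constructed
```

Narrowing the window on a capture that triggers the crash shrinks it toward the offending records, and the offset in the error message points at a record whose length fields disagree with the file.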