nasty brokeness!

Carter Bullard carter at qosient.com
Sat Sep 23 10:05:15 EDT 2000 

Hey Peter,
Argus processes time in completely different
ways when it reads from a packet file vs. when
it reading off an interface.

When Argus is running in near real time, the concept
of ArgusGlobalTime is just system time and there are
a lot of situations where Argus is idle, not processing
packets, but busy grooming its internal structures.

When reading from a file, time is derived from the
packet headers themselves, rather than from the
system clock, there is no idle time at all in that
we are constantly processing packets until EOF.

With such major differences, its not surprising that
there may be a problem.  I'm just interested in the
fact that the problem occurs off the wire, rather
than out of the file.

I've already found a few gotchas with the time, now
that I'm looking into this particular problem, but
nothing yet that would explain your bug.  I'll see
what I can do this weekend.


Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 17A
New York, New York  10022

carter at qosient.com
Phone +1 212 813-9426
Fax   +1 212 813-9426

-----Original Message-----
From: owner-argus at lists.andrew.cmu.edu
[mailto:owner-argus at lists.andrew.cmu.edu]On Behalf Of Peter Van Epp
Sent: Friday, September 22, 2000 9:38 PM
To: argus
Subject: nasty brokeness!


	The corrupted time stamp looks nasty. I launched (from a shell script)
tcpdump and argus against the same interface. I then gathered all their
PIDs and put them in a single kill -HUP (tcpdump then the 3 arguses). I then
periodically ran

ra -r argus.1.log -c -n |grep Wed

and

argus_bpf -r tcpdump.1.log -w - | ra -c -n |grep Wed

at some point the ra found "Wed" but the argus_bpf didn't (which matches an
earlier tcpdump I had run but which didn't start simultaneosly). At this
point I ran the kill leaving me with argus.1.log which argus_bpf had been
writing and tcpdump.1.log which tcpdump had been writing.

[Snip]
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20000923/b3ae5332/attachment.html>

More information about the argus mailing list