Argus Memory Problem?

Peter Van Epp vanepp at sfu.ca
Fri Sep 29 11:43:52 EDT 2000


	At a quick glance it does look likely to be a memory leak. A set of 
pses a few minutes apart of the currently rerunning argus. The first process
appears to be constantly growing ... The two tasks left running from the crash
last night don't look to be a problem, but the primary task may have been.
There is 512 megs of RAM and 2 gigs of swap on this machine.


demoa# ps auxw |grep argus
root    7333  0.0  4.1 22544 21224  p0  S     8:11AM   0:05.02 argus_bpf -irl0 -m -wargus.log
root    7334  0.0  0.1  1912  484  p0  S     8:11AM   0:00.63 argus_bpf -irl0 -m -wargus.log
root    7335  0.0  0.1  1916  484  p0  S     8:11AM   0:01.63 argus_bpf -irl0 -m -wargus.log
demoa# !!
ps auxw | grep argus
root    7333  0.0  4.1 22552 21232  p0  S     8:11AM   0:05.11 argus_bpf -irl0 -m -wargus.log
root    7334  0.0  0.1  1912  484  p0  S     8:11AM   0:00.64 argus_bpf -irl0 -m -wargus.log
root    7335  0.0  0.1  1916  484  p0  S     8:11AM   0:01.66 argus_bpf -irl0 -m -wargus.log
demoa# !!
ps auxw | grep argus
root    7333  0.0  4.1 22568 21248  p0  S     8:11AM   0:05.14 argus_bpf -irl0 -m -wargus.log
root    7334  0.0  0.1  1912  484  p0  S     8:11AM   0:00.65 argus_bpf -irl0 -m -wargus.log
root    7335  0.0  0.1  1916  484  p0  S     8:11AM   0:01.67 argus_bpf -irl0 -m -wargus.log

	Yep, I'd guess memory leak; it looks like it's continuing to grow:

ps auxw | grep argus
root    7333  0.0  4.4 24400 23080  p0  S     8:11AM   0:05.79 argus_bpf -irl0 -m -wargus.log
root    7334  0.0  0.1  1912  484  p0  S     8:11AM   0:00.72 argus_bpf -irl0 -m -wargus.log
root    7335  0.0  0.1  1916  484  p0  S     8:11AM   0:01.85 argus_bpf -irl0 -m -wargus.log
demoa# !!
ps auxw | grep argus
root    7333  0.0  4.6 25152 23832  p0  S     8:11AM   0:06.47 argus_bpf -irl0 -m -wargus.log
root    7334  0.0  0.1  1912  484  p0  S     8:11AM   0:00.80 argus_bpf -irl0 -m -wargus.log
root    7335  0.0  0.1  1916  484  p0  S     8:11AM   0:02.05 argus_bpf -irl0 -m -wargus.log

	It's currently 08:30 here. I'll do a ps later today (I'm going to be 
gone 'til this afternoon in a while) and see if it's still growing.

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada



> 
> Well, I spoke too soon.  I just sent mail to Mark P. that
> he was the only one getting seg faults.  OK, I'm on it.
> Looks like it's having problems in ArgusCalloc().
> So there was a return NULL problem probably, but, .....,
> it looks like the most plausible cause was that you ran
> out of memory.  malloc() returned NULL.  I blew up.
> 
> Russell mentioned that he was running out of swap space,
> and I think someone else had that problem.  Memory leak?
> Anyone check the size of their processes when there was
> the problem?
> 
> Carter
> 
> -----Original Message-----
> From: owner-argus at lists.andrew.cmu.edu
> [mailto:owner-argus at lists.andrew.cmu.edu]On Behalf Of Peter Van Epp
> Sent: Friday, September 29, 2000 10:58 AM
> To: argus
> Subject: Re: pthreads on FreeBSD
> 
> 
> 	It appears to have run without time stamp corruption up til 2 AM:
> 
> demoa# !! | grep -v "^29"
> ra -r argus.log -c -n | grep -v "^28" | grep -v "^29"
> demoa#
> 
> when it crashed on something:
> 
> demoa# gdb argus_bpf argus_bpf.core
> GNU gdb 4.18
> Copyright 1998 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain
> conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB.  Type "show warranty" for details.
> This GDB was configured as "i386-unknown-freebsd"...
> Core was generated by `argus_bpf'.
> Program terminated with signal 11, Segmentation fault.
> Reading symbols from /usr/lib/libm.so.2...done.
> Reading symbols from /usr/lib/libc.so.4...done.
> Reading symbols from /usr/libexec/ld-elf.so.1...done.
> #0  0x28115fba in bzero () from /usr/lib/libc.so.4
> (gdb) where
> #0  0x28115fba in bzero () from /usr/lib/libc.so.4
> #1  0x104 in ?? ()
> #2  0x804a2b9 in ArgusNewFlow () at ./ArgusModeler.c:374
> #3  0x804a1f9 in ArgusProcessPacket (ep=0x80777e0, length=62, tvp=0x81c15f4)
>     at ./ArgusModeler.c:323
> #4  0x804d596 in ArgusEtherPacket (user=0x0, h=0x81c15f4, p=0x81c1606 "\b")
>     at ./ArgusSource.c:350
> #5  0x8056110 in pcap_read ()
> #6  0x804dbfa in ArgusGetPackets () at ./ArgusSource.c:703
> #7  0x8049d4b in ArgusLoop () at ./argus.c:267
> #8  0x8049c4e in main (argc=4, argv=0xbfbffbf0) at ./argus.c:189
> #9  0x80496fd in _start ()
> (gdb) print ep
> No symbol "ep" in current context.
> (gdb) up
> #1  0x104 in ?? ()
> (gdb) up
> #2  0x804a2b9 in ArgusNewFlow () at ./ArgusModeler.c:374
> 374           if ((retn = (struct ArgusFlowStruct *) ArgusCalloc (1, sizeof
> (struct ArgusFlowStruct))) != NULL) {
> (gdb) print ep
> No symbol "ep" in current context.
> (gdb) up
> #3  0x804a1f9 in ArgusProcessPacket (ep=0x80777e0, length=62, tvp=0x81c15f4)
>     at ./ArgusModeler.c:323
> 323                          flow = ArgusNewFlow();
> (gdb) print ep
> $1 = (struct ether_header *) 0x80777e0
> (gdb) print *ep
> $2 = {ether_dhost = {ether_addr_octet = "\b\000 \233k>"}, ether_shost = {
>     ether_addr_octet = "\000`c\002RB"}, ether_type = 2048}
> (gdb) q
> 
> Peter Van Epp / Operations and Technical Support
> Simon Fraser University, Burnaby, B.C. Canada
> 
> 
> >
> > Hey Neil,
> >    I ripped out all the threads in argus and
> > made the components big old processes.  Primarily
> > to support flex/bison based filtering in each
> > one.  It was easier to do that than fixing the
> > problem we were having.  Still, thanks for the
> > heads up!!!
> >
> >    We may have found the bogus timestamp problem,
> > as the new version of 2.0.0j is still(?) running
> > at Peter's without a time glitch.  I was convinced
> > the problem was caused by everybody and thing
> > other than my inability to program a computer.  But
> > reality won out in the end ;o)
> >
> > Carter
> >
> 
> 
> 
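Added example, not part of this thread and not Argus source: the failure Carter describes in the quoted reply (malloc() returns NULL and the crash surfaces in bzero() under the ArgusCalloc() call) is avoided by a calloc-style wrapper that zeroes only after checking the pointer, with a caller that skips the flow instead of dereferencing NULL. Every name below (`checked_calloc`, `track_packet`, `struct flow`, the counters) is hypothetical, and the failing allocator is a constructed stand-in for an exhausted heap.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* All names here are hypothetical; this is not Argus source. */
typedef void *(*alloc_fn)(size_t);
static alloc_fn backend = malloc;   /* swappable so exhaustion can be simulated */
static size_t live_allocs = 0;      /* steady growth over time points at a leak */
static size_t failed_allocs = 0;    /* non-zero means the heap ran out */
static void *always_fail(size_t n) { (void)n; return NULL; }  /* constructed stand-in */

/* calloc-style wrapper: refuse nmemb*size overflow and zero the block
 * only when the backend really returned memory. */
void *checked_calloc(size_t nmemb, size_t size)
{
    if (size != 0 && nmemb > SIZE_MAX / size) { failed_allocs++; return NULL; }
    size_t total = nmemb * size;
    void *p = backend(total ? total : 1);
    if (p == NULL) { failed_allocs++; return NULL; }
    memset(p, 0, total);
    live_allocs++;
    return p;
}

void checked_free(void *p)
{
    if (p != NULL) { free(p); live_allocs--; }
}

struct flow { unsigned char src[6], dst[6]; unsigned long packets; };
/* Caller: returns 0 with *out set, or -1 so the packet is skipped and counted. */
int track_packet(struct flow **out)
{
    struct flow *f = checked_calloc(1, sizeof *f);
    if (f == NULL) return -1;
    f->packets = 1;
    *out = f;
    return 0;
}

int main(void)
{
    struct flow *f = NULL;
    backend = always_fail;              /* simulate malloc() returning NULL */
    int rc = track_packet(&f);          /* -1: no flow created, no crash */
    printf("rc=%d failed=%zu live=%zu\n", rc, failed_allocs, live_allocs);
    return 0;
}
```

Exporting the two counters periodically gives the same signal as the repeated ps runs above without waiting for swap to fill.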


