[RE: problem with datafile size (argus 2.0.3)]

Carter Bullard carter at qosient.com
Sat Dec 1 09:40:17 EST 2001


Hey Oleg,
   Yes, an argus record of length 3 is not good.
Each argus record has a detectable signature, and so
finding the next valid argus record is possible,
but the code to do this hasn't been written yet.

   The logic to find the correct argus record framing
would have to go into ./common/argus_parse.c.  Is this
datafile so very important that you need to recover
the data from it?  I can add the routines to auto recover
framing boundaries, but it will have to wait for a week
or two.

   If you're interested in writing the C routines
yourself, I can talk you through the logic, if that would
be helpful.

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter at qosient.com
Phone +1 212 588-9133
Fax   +1 212 588-9134
http://qosient.com

> -----Original Message-----
> From: Oleg [mailto:olleg at usa.net] 
> Sent: Saturday, December 01, 2001 5:19 AM
> To: carter at qosient.com
> Subject: Re: [RE: problem with datafile size (argus 2.0.3)]
> 
> 
> "Carter Bullard" <carter at qosient.com> wrote:
> >   First of all, what version of ra() are you running?
> 
> it's 2.0.3
> 
> > Is ra() seg faulting reading a file, or writing a file?
> 
> Reading.
> 
> > Have you run gdb() against the corefile?
> Yes, it shows:
> -----------------------------------------------------------------------------
> GNU gdb 19991004
> This GDB was configured as "i386-redhat-linux"...
> Core was generated by `./ra -n -t 11/27.21 - 11/28.9 -r log - tcp or udp'.
> Program terminated with signal 11, Segmentation fault.
> Reading symbols from /lib/libc.so.6...done.
> Reading symbols from /lib/ld-linux.so.2...done.
> #0  0x400730e4 in chunk_free (ar_ptr=0x40107d60, p=0x8138de8) at malloc.c:3100
> 3100    malloc.c: No such file or directory.
> -----------------------------------------------------------------------------
> 
> > Assuming that you're reading, do all ra* programs
> > die on the same record?  This may be the result of a corrupted argus
> > data file.
> 
> Yes, I think you're right, it's corrupted.
> I've copied the datafile to another machine and now
> the output from ra* looks like
> ------------------------
> ra[613]: ArgusHandleDatum(0x367df) input record 49774 size = 3
> rasort[803]: ArgusHandleDatum(0x367df) input record 49774 size = 0
> ramon[812]: ArgusHandleDatum(0x367df) input record 49774 size = 1073825352
> ragator[830]: ArgusHandleDatum(0x367df) input record 49774 size = 0
> ra[849]: ArgusHandleDatum(0x367df) input record 49774 size = 0
> ------------------------
> Only racount does seg fault, and the gdb output is the same as above.
> 
> These are the last lines that ra can read from the corrupted datafile:
> 23 Nov 01 13:43:52    tcp  217.106.95.166.2634   ->     194.67.35.196.80   FIN
> 23 Nov 01 13:43:52    tcp  217.106.95.166.2636   ->   213.180.194.113.80   FIN
> 23 Nov 01 13:43:56    tcp  217.106.95.166.2637   ->   213.180.194.113.80   FIN
> 23 Nov 01 13:43:47    tcp  217.106.95.166.2630   ->   213.180.194.130.80   FIN
> 23 Nov 01 13:44:04    tcp  217.106.95.166.2641   ->    195.90.131.250.80   FIN
> 21 Oct 30 04:57:32   unkn 7c:a4:98:c5:bd:9e     <->  2c:3f:f5:b2:d9:8b     TIM
> 
> 
> > If it is a corrupted argus record, there is not much
> > you can do getting past the current file, although recovery is 
> > possible, just a bit complicated.
> 
> any HOWTOs ?
> 
> oleg
> 
> Solopov Oleg, MIST dep., SI South Russia State Technical University(NPI)
> 
> 
> 
> 
> 
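
The framing recovery described in the reply above, sketched as an added example that is not part of the original message or the Argus source. It assumes a hypothetical 4-byte header (2-byte signature, 2-byte big-endian total length), not the real Argus record layout; every name and the sample bytes are constructed for illustration. A length such as the "size = 3" record is rejected before it is used, and the scanner slides forward until a signature is confirmed by the header that follows it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical framing, NOT the real Argus layout: 2-byte signature,
 * then a 2-byte big-endian total record length (header included). */
enum { REC_SIG0 = 0xA5, REC_SIG1 = 0x5A, REC_HDR = 4, REC_MAX = 512 };

/* Constructed sample: good record, record whose length field is 3 (its payload
 * happens to contain a signature), then two good records. */
static const uint8_t SAMPLE[] = {
    0xA5,0x5A,0x00,0x08, 1,2,3,4,
    0xA5,0x5A,0x00,0x03, 0xA5,0x5A,0x00,0x05,
    0xA5,0x5A,0x00,0x06, 9,9, 0xA5,0x5A,0x00,0x04 };

/* Length of the record at buf[off], or 0 if the header is truncated, lacks
 * the signature, or claims a length that is impossible for this buffer. */
static size_t rec_valid(const uint8_t *buf, size_t n, size_t off)
{
    if (off > n || n - off < REC_HDR) return 0;
    if (buf[off] != REC_SIG0 || buf[off + 1] != REC_SIG1) return 0;
    size_t len = ((size_t)buf[off + 2] << 8) | buf[off + 3];
    return (len < REC_HDR || len > REC_MAX || len > n - off) ? 0 : len;
}

/* Count good records; on a bad header slide one byte at a time to resync. */
size_t scan_records(const uint8_t *buf, size_t n, size_t *skipped)
{
    size_t off = 0, good = 0;
    int insync = 1;
    *skipped = 0;
    while (off < n) {
        size_t len = rec_valid(buf, n, off);
        /* While resyncing, also require the next header (or EOF) to validate. */
        if (len && !insync && off + len != n && !rec_valid(buf, n, off + len))
            len = 0;
        if (len) { good++; off += len; insync = 1; }
        else     { (*skipped)++; off++; insync = 0; }
    }
    return good;
}

int main(void) {
    size_t skipped, good = scan_records(SAMPLE, sizeof SAMPLE, &skipped);
    printf("good=%zu skipped=%zu\n", good, skipped);
    return 0;
}
```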


