something killed argus....

Carter Bullard carter at qosient.com
Mon Nov 19 08:00:23 EST 2001 

Hey Russell,
   If all three died at the same time then there is a
high likelihood that it's a packet parsing bug.  The
record that was output is definitely messed up, but
that is a head scratcher as to how a packet parsing error
would result in a corrupt output record.

Did the 1.8.x argi also output corrupt records?  Any
core files?

Was there a lot of load going on?  Do you suspect that
there could be non-IP traffic on the wire?  Is there any
IPv6 traffic on your monitored links?  Possibly a poorly
formed ICMP packet?

Just some random thoughts,

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter at qosient.com
Phone +1 212 588-9133
Fax   +1 212 588-9134
http://qosient.com

> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu 
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of 
> Russell Fulton
> Sent: Sunday, November 18, 2001 9:16 PM
> To: argus-info at lists.andrew.cmu.edu
> Subject: something killed argus....
> 
> 
> Hi All,
> 	Early Sunday morning (local time) something nasty happened on 
> our DMZ which killed of all three of my argus processes (two 
> 1.8.x and 
> one 2.0.3). 
> 
> Here is the last record that the argus 2 server logged:
> 
>    <ArgusRecord ArgusSourceId = "130.216.4.207" 
> SequenceNumber = "275349679"
>       Cause = "Status"
>       StartTime = "U1006002487" StartTimeusecs = "109678"
>        LastTime = "U572214639"  LastTimeusecs = "1595010053"
>        Duration = "-433787848.1594900375" >
>       <Far TransRefNum = "223208229">
>          <Flow> <IP SrcIPAddr = "221.95.223.94" DstIPAddr = 
> "160.186.69.52"
>                     Proto = "idpr-cmtp" Sport = "48185" Dport 
> = "52005" /> 
>           </Flow>
>          <FlowAttrs SrcTTL = "210" DstTTL = "9" SrcTOS = "0xe4" 
> 		    DstTOS = "0xed" />
>          <Metrics SrcCount = "-1905790438" DstCount = "-1523318114" 
>                   SrcBytes = "-602963239" DstBytes = "168149263"  
>                   SrcAppBytes = "2043903996" DstAppBytes = 
> "66380956" />
>       </Far>
>    </ArgusRecord>
> 
> Hmmm... one thing that occurs to me is that this just 
> represents garbage 
> that got written on the end of the output file when argus 
> crashed, rather than a real record.  ra crashed with a seg 
> fault after printing this 
> record.
> 
> Any other ideas?
> 
> Russell Fulton, Computer and Network Security Officer
> The University of Auckland,  New Zealand
> 
> 
>

More information about the argus mailing list