ICMP Overloading Argus

Eric eric-list-argus at catastrophe.net
Wed Aug 20 12:47:51 EDT 2003


On Wed, 2003-08-20 at 11:15:39 -0500, Eric proclaimed...

> Can you let me know what you need for analysis? I'm pretty brain
> dead taking hosts off the network right now but can get you some
> analyses quick.

I love replying to myself :-) Hi self!

Peter Van Epp mentioned you would need this...

(gdb) where
#0  0x281153e3 in kill () from /usr/lib/libc.so.5
#1  0x281801ec in abort () from /usr/lib/libc.so.5
#2  0x2817ea7e in tcflow () from /usr/lib/libc.so.5
#3  0x2817eaab in tcflow () from /usr/lib/libc.so.5
#4  0x2817f6ec in free () from /usr/lib/libc.so.5
#5  0x0805024b in ArgusCloseSocket ()
#6  0x0804ea74 in ArgusChildExit ()
#7  <signal handler called>
#8  0x2817f1a2 in tcflow () from /usr/lib/libc.so.5
#9  0x2817f284 in tcflow () from /usr/lib/libc.so.5
#10 0x2817f602 in malloc () from /usr/lib/libc.so.5
#11 0x2817be81 in calloc () from /usr/lib/libc.so.5
#12 0x0805d6b2 in ArgusCalloc ()
#13 0x08051e6f in ArgusPushFrontList ()
#14 0x08051ebb in ArgusPushBackList ()
#15 0x08052b8c in ArgusWriteSocket ()
#16 0x0804f8db in ArgusHandleData ()
#17 0x08052a75 in ArgusReadSocket ()
#18 0x0804ecfc in ArgusOutputProcess ()
#19 0x0804ac5d in main ()
#20 0x0804a165 in _start ()

A bit about our environment; we're running argus on FreeBSD 5.1 on
a quad Xeon processor. We have argus sitting at our border, which
is an OC3c. We're monitoring with a netoptics 80/20 fiber tap into
two Intel Pro/1000 gig cards. 

The disks are SCSI - can't remember the speeds offhand, but I
think they're 10k drives.

Any help is appreciated. If we can do anything to make argus work
better or test code, please lemme know.


