ICMP Overloading Argus
Carter Bullard
carter at qosient.com
Wed Aug 20 15:57:08 EDT 2003
So you should look in /var/log/messages to see if argus
is writing anything to syslog. You will probably want to
increase some constants in the code, but let's see if
argus was saying anything before it closed.
Carter
> -----Original Message-----
> From: Eric [mailto:eric at catastrophe.net]
> Sent: Wednesday, August 20, 2003 11:48 AM
> To: Eric
> Cc: Carter Bullard; argus-info at lists.andrew.cmu.edu
> Subject: Re: ICMP Overloading Argus
>
>
> On Wed, 2003-08-20 at 11:15:39 -0500, Eric proclaimed...
>
> > Can you let me know what you need for analysis? I'm pretty brain
> > dead taking hosts off the network right now but can get you some
> > analyses quick.
>
> I love replying to myself :-) Hi self!
>
> Peter Van Epp mentioned you would need this...
>
> (gdb) where
> #0 0x281153e3 in kill () from /usr/lib/libc.so.5
> #1 0x281801ec in abort () from /usr/lib/libc.so.5
> #2 0x2817ea7e in tcflow () from /usr/lib/libc.so.5
> #3 0x2817eaab in tcflow () from /usr/lib/libc.so.5
> #4 0x2817f6ec in free () from /usr/lib/libc.so.5
> #5 0x0805024b in ArgusCloseSocket ()
> #6 0x0804ea74 in ArgusChildExit ()
> #7 <signal handler called>
> #8 0x2817f1a2 in tcflow () from /usr/lib/libc.so.5
> #9 0x2817f284 in tcflow () from /usr/lib/libc.so.5
> #10 0x2817f602 in malloc () from /usr/lib/libc.so.5
> #11 0x2817be81 in calloc () from /usr/lib/libc.so.5
> #12 0x0805d6b2 in ArgusCalloc ()
> #13 0x08051e6f in ArgusPushFrontList ()
> #14 0x08051ebb in ArgusPushBackList ()
> #15 0x08052b8c in ArgusWriteSocket ()
> #16 0x0804f8db in ArgusHandleData ()
> #17 0x08052a75 in ArgusReadSocket ()
> #18 0x0804ecfc in ArgusOutputProcess ()
> #19 0x0804ac5d in main ()
> #20 0x0804a165 in _start ()
>
> A bit about our environment; we're running argus on FreeBSD 5.1 on
> a quad Xeon processor. We have argus sitting at our border, which
> is an OC3c. We're monitoring with a netoptics 80/20 fiber tap into
> two Intel Pro/1000 gig cards.
>
> The disks are SCSI - can't remember the speeds offhand, but I
> think they're 10k drives.
>
> Any help is appreciated. If we can do anything to make argus work
> better or test code, please lemme know.
>