[ARGUS] Another Core Dump

eric eric-list-argus at catastrophe.net
Wed Apr 14 01:46:35 EDT 2004 

On Tue, 2004-04-13 at 21:28:28 -0700, Peter Van Epp proclaimed...

> 	Time for symbols :-). In the argus source directory
> 
> touch .devel
> ./configure
> make clean 
> make

Ok, I turned on .devel and .debug both....why not :)

> 	That will set the compiler -g flag and give gdb a symbol table. Then
> you can do a where from gdb in the core and it will give you routine names 
> and more importantly parameters being passed to the calls (maybe :-)) which
> may tell Carter whats happening during times of crisis. Note the removal of
> optimization with -g may slow argus down somewhat and you may lose packets
> even during normal times. I suspect you may find a port scan or scans is the
> source of the problem. A expect a port scan is going to create new flows at
> a high rate and likely cause the most strain. Does the ra data just before
> the crash show anything interesting (or the same general kinds of
> things before every crash?) that too may give a clue to whats
> going on.

Seems like the same type of data -- just some large ping sweeps,
etc.. Nothing too hostile.

Here's the debug that I've come up with. I'm running argus out of
gdb right now....

Core was generated by `argus'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/lib/libwrap.so.3...done.
Reading symbols from /usr/lib/libpcap.so.2...done.
Reading symbols from /usr/lib/libm.so.2...done.
Reading symbols from /usr/lib/libc.so.4...done.
Reading symbols from /usr/libexec/ld-elf.so.1...done.
#0  ArgusWriteSocket (asock=0x8181000, buf=0x8152598 "\001\004",
cnt=88)
    at ./ArgusUtil.c:918
918                 asock->status |= ARGUS_WAS_FUNCTIONAL;
(gdb)
#0  ArgusWriteSocket (asock=0x8181000, buf=0x8152598 "\001\004",
cnt=88)
    at ./ArgusUtil.c:918
#1  0x804f632 in ArgusHandleData (asock=0x814f000, buf=0x8152598
"\001\004",
    len=88, client=0x0) at ./ArgusOutput.c:857
#2  0x805272c in ArgusReadSocket (asock=0x814f000,
    ArgusThisHandler=0x804f5d4 <ArgusHandleData>, data=0x0)
    at ./ArgusUtil.c:847
#3  0x804ebe6 in ArgusOutputProcess () at ./ArgusOutput.c:439
#4  0x804e32b in ArgusInitOutput () at ./ArgusOutput.c:132
#5  0x804ad6f in main (argc=1, argv=0xbfbffdd4) at ./argus.c:413

(gdb) bt

#0  ArgusWriteSocket (asock=0x8181000, buf=0x8152598 "\001\004", cnt=88)
    at ./ArgusUtil.c:918
#1  0x804f632 in ArgusHandleData (asock=0x814f000, buf=0x8152598 "\001\004",
    len=88, client=0x0) at ./ArgusOutput.c:857
#2  0x805272c in ArgusReadSocket (asock=0x814f000,
    ArgusThisHandler=0x804f5d4 <ArgusHandleData>, data=0x0)
    at ./ArgusUtil.c:847
#3  0x804ebe6 in ArgusOutputProcess () at ./ArgusOutput.c:439
#4  0x804e32b in ArgusInitOutput () at ./ArgusOutput.c:132
#5  0x804ad6f in main (argc=1, argv=0xbfbffdd4) at ./argus.c:413

(gdb) frame 5
#5  0x804ad6f in main (argc=1, argv=0xbfbffdd4) at ./argus.c:413
413        ArgusInitOutput ();

(gdb) frame 4
#4  0x804e32b in ArgusInitOutput () at ./ArgusOutput.c:132
132           ArgusOutputProcess();

(gdb) frame 3
#3  0x804ebe6 in ArgusOutputProcess () at ./ArgusOutput.c:439
439                    if ((retn = ArgusReadSocket
(ArgusInputSocket, ArgusHandleData,
 NULL)) < 0) {

(gdb) frame 2
#2  0x805272c in ArgusReadSocket (asock=0x814f000,
    ArgusThisHandler=0x804f5d4 <ArgusHandleData>, data=0x0)
    at ./ArgusUtil.c:847
847                 ArgusThisHandler (asock, (unsigned char *) asock->ahdr, len, data)
;

(gdb) frame 1
#1  0x804f632 in ArgusHandleData (asock=0x814f000, buf=0x8152598 "\001\004",
857                    if ((retn = ArgusWriteSocket
(ArgusOutputTask->client[i].sock,
buf, len)) < 0) {

(gdb) frame 0
#0  ArgusWriteSocket (asock=0x8181000, buf=0x8152598 "\001\004", cnt=88)
    at ./ArgusUtil.c:918
918                 asock->status |= ARGUS_WAS_FUNCTIONAL;

More information about the argus mailing list