[ARGUS] FreeBSD 4.7 segfault.

slif at bellsouth.net
Thu Jun 24 16:52:09 EDT 2004


Hello, Readers.
I'm running something similar to Scott's setup (2.0.6.fixes.1)
except on FreeBSD 5.2.1 and on Linux Fedora Core 2.
Both environments run anywhere from 1 to 8 hours.
In neither case do the 'argus' instances core.

I've posted a bug report as my first post, perhaps
that was seen as rude?

Anyway,
I've since changed the `hostname` of ARGUS_MONITOR_ID to some number.
I'm currently running them with DEBUG_LEVEL=8 in the hope
of catching why the programs decide to exit...

Both systems basically end like this:
argus[13187]: 24 Jun 04 10:10:45 ArgusOutputCleanup(0) returning
argus[13188]: client(/var/log/argus/argus.out) done.
argus[13188]: 24 Jun 04 10:10:45 ArgusShutDown(ArgusError)

I'd be happy to try patches and report back results.

All the Best,
-Mike Slifcak


Peter Van Epp wrote:

>	Assuming ARGUS_CAPTURE_DATA_LEN=1024 is capturing 1k of user data,
>try either without it or with it set to 64. Some time back there was a bug
>in FreeBSD (at least) where user data above something like 96 did something
>undesirable (probably seg faulted). The fix may have fallen off and need to
>be dug up again if this fixes it (I will have the original patch from Carter
>somewhere). I've had one running since April on 4.9:
>
>root   22782  0.0  0.1  2832 1116  ??  S     5Apr04 580:26.19 /usr/local/bin/argus_bpf -dJR -i xl1 -w /data/argus.out
>
>but with no user data capture (eats too much disk space).
>
>Peter Van Epp / Operations and Technical Support 
>Simon Fraser University, Burnaby, B.C. Canada
>
>
>On Thu, Jun 24, 2004 at 09:42:16PM +0200, Scott A. McIntyre wrote:
>
>>Hi,
>>
>>On FreeBSD-4.7 I can run Argus in daemon mode for about half an hour (if 
>>I'm lucky) before it segfaults:
>>
>>Core was generated by `argus'.
>>Program terminated with signal 11, Segmentation fault.
>>Reading symbols from /usr/lib/libwrap.so.3...done.
>>Reading symbols from /usr/lib/libpcap.so.2...done.
>>Reading symbols from /usr/lib/libm.so.2...done.
>>Reading symbols from /usr/lib/libc.so.4...done.
>>Reading symbols from /usr/libexec/ld-elf.so.1...done.
>>#0  0x8053113 in ArgusRemoveHashEntry (htblhdr=0x8358900) at 
>>./ArgusUtil.c:754
>>754     ./ArgusUtil.c: No such file or directory.
>>(gdb) where
>>#0  0x8053113 in ArgusRemoveHashEntry (htblhdr=0x8358900) at 
>>./ArgusUtil.c:754
>>#1  0x8052d08 in ArgusDeleteObject (obj=0x8421600) at ./ArgusUtil.c:553
>>#2  0x804dff9 in ArgusTimeOut (flow=0x8421600) at ./ArgusModeler.c:1732
>>#3  0x8052b5f in ArgusProcessQueue (queue=0x8136090, status=4 '\004') at 
>>./ArgusUtil.c:461
>>#4  0x804d96b in ArgusSystemTimeout () at ./ArgusModeler.c:1413
>>#5  0x804c24a in ArgusProcessPacket (ep=0x806f7e0, length=1506, 
>>tvp=0x813bca4) at ./ArgusModeler.c:489
>>#6  0x8051305 in ArgusEtherPacket (user=0x0, h=0x813bca4, p=0x813bcb6 "") 
>>at ./ArgusSource.c:483
>>#7  0x4809fe41 in pcap_read () from /usr/lib/libpcap.so.2
>>#8  0x8051ca1 in ArgusGetPackets () at ./ArgusSource.c:959
>>#9  0x804ae6b in ArgusLoop () at ./argus.c:510
>>#10 0x804ae2f in main (argc=3, argv=0xbfbffb20) at ./argus.c:439
>>(gdb) quit
>>
>>This is with:
>>
>>Argus Version 2.0.6.fixes.1
>>
>>Does this look familiar?  I did a quick search but couldn't find a match 
>>with Known Issues.
>>
>>Argus is being invoked as:
>>
>>/usr/local/sbin/argus -F /usr/local/argus/etc/argus.conf
>>
>>Where the latter looks like:
>>
>>ARGUS_DAEMON=yes
>>ARGUS_MONITOR_ID=40
>>ARGUS_ACCESS_PORT=<some integer>
>>ARGUS_INTERFACE=fxp1
>>ARGUS_OUTPUT_FILE=/var/log/argus/argus_data
>>ARGUS_SET_PID=yes
>>ARGUS_GO_PROMISCUOUS=yes
>>ARGUS_FLOW_STATUS_INTERVAL=5
>>ARGUS_MAR_STATUS_INTERVAL=60
>>ARGUS_GENERATE_RESPONSE_TIME_DATA=yes
>>ARGUS_GENERATE_JITTER_DATA=yes
>>ARGUS_GENERATE_MAC_DATA=no
>>ARGUS_CAPTURE_DATA_LEN=1024
>>ARGUS_FILTER_OPTIMIZER=yes
>>ARGUS_FILTER="not host a.b.c.d"
>>
>>
>>Thanks for suggestions...
>>
>>Scott
>>
>>
>




