[ARGUS] FreeBSD 4.7 segfault.
Carter Bullard
carter at qosient.com
Thu Jun 24 19:36:29 EDT 2004
Gentle people,

I would crank down the user data capture buffer to < 1020
bytes. Run it at 256 and let's see if the problem doesn't go
away, and then we'll crank it back up, but the max should be
1020. The user buffer TLV has an 8-bit length field, and
we capture that many ints, so the max will be 1024. The
header is 4 bytes long, so you may be tickling the edge of
the user capture buffer. I guess I should put in a hard
limit on the input to this variable.

ArgusOutputCleanUp() is called only when the parent of
the output process has died. The parent of the output process
is ArgusModeler(), and it's doing all the dirty work. More
than likely it's getting into trouble with the user data
buffer length and exiting.

Carter

-----Original Message-----
From: owner-argus-info at lists.andrew.cmu.edu
[mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of
slif at bellsouth.net
Sent: Thursday, June 24, 2004 4:52 PM
To: argus-info at lists.andrew.cmu.edu
Subject: Re: [ARGUS] FreeBSD 4.7 segfault.
Hello, Readers.
I'm running something similar to Scott's setup (2.0.6.fixes.1)
except on FreeBSD 5.2.1 and on Linux Fedora Core 2.
Both environments run anywhere from 1 to 8 hours.
In neither case do the 'argus' instances core.
I've posted a bug report as my first post, perhaps
that was seen as rude?
Anyway,
I've since changed the `hostname` of ARGUS_MONITOR_ID to some number.
I'm currently running them with DEBUG_LEVEL=8 in the hope
of catching why the programs decide to exit...
Both systems basically end like this:
argus[13187]: 24 Jun 04 10:10:45 ArgusOutputCleanup(0) returning
argus[13188]: client(/var/log/argus/argus.out) done.
argus[13188]: 24 Jun 04 10:10:45 ArgusShutDown(ArgusError)
I'd be happy to try patches and report back results.
All the Best,
-Mike Slifcak
Peter Van Epp wrote:
> Assuming ARGUS_CAPTURE_DATA_LEN=1024 is capturing 1k of user data,
>try either without it or with it set to 64. Some time back there was a bug
>in FreeBSD (at least) where user data above something like 96 did something
>undesirable (probably seg faulted). The fix may have fallen off and need to
>be dug up again if this fixes it (I will have the original patch from Carter
>somewhere). I've had one running since April on 4.9:
>
>root 22782 0.0 0.1 2832 1116 ?? S 5Apr04 580:26.19 /usr/local/bin/argus_bpf -dJR -i xl1 -w /data/argus.out
>
>but with no user data capture (eats too much disk space).
>
>Peter Van Epp / Operations and Technical Support
>Simon Fraser University, Burnaby, B.C. Canada
>
>
>On Thu, Jun 24, 2004 at 09:42:16PM +0200, Scott A. McIntyre wrote:
>
>>Hi,
>>
>>On FreeBSD-4.7 I can run Argus in daemon mode for about half an hour (if
>>I'm lucky) before it segfaults:
>>
>>Core was generated by `argus'.
>>Program terminated with signal 11, Segmentation fault.
>>Reading symbols from /usr/lib/libwrap.so.3...done.
>>Reading symbols from /usr/lib/libpcap.so.2...done.
>>Reading symbols from /usr/lib/libm.so.2...done.
>>Reading symbols from /usr/lib/libc.so.4...done.
>>Reading symbols from /usr/libexec/ld-elf.so.1...done.
>>#0 0x8053113 in ArgusRemoveHashEntry (htblhdr=0x8358900) at
>>./ArgusUtil.c:754
>>754 ./ArgusUtil.c: No such file or directory.
>>(gdb) where
>>#0 0x8053113 in ArgusRemoveHashEntry (htblhdr=0x8358900) at
>>./ArgusUtil.c:754
>>#1 0x8052d08 in ArgusDeleteObject (obj=0x8421600) at ./ArgusUtil.c:553
>>#2 0x804dff9 in ArgusTimeOut (flow=0x8421600) at ./ArgusModeler.c:1732
>>#3 0x8052b5f in ArgusProcessQueue (queue=0x8136090, status=4 '\004') at
>>./ArgusUtil.c:461
>>#4 0x804d96b in ArgusSystemTimeout () at ./ArgusModeler.c:1413
>>#5 0x804c24a in ArgusProcessPacket (ep=0x806f7e0, length=1506,
>>tvp=0x813bca4) at ./ArgusModeler.c:489
>>#6 0x8051305 in ArgusEtherPacket (user=0x0, h=0x813bca4, p=0x813bcb6 "")
>>at ./ArgusSource.c:483
>>#7 0x4809fe41 in pcap_read () from /usr/lib/libpcap.so.2
>>#8 0x8051ca1 in ArgusGetPackets () at ./ArgusSource.c:959
>>#9 0x804ae6b in ArgusLoop () at ./argus.c:510
>>#10 0x804ae2f in main (argc=3, argv=0xbfbffb20) at ./argus.c:439
>>(gdb) quit
>>
>>This is with:
>>
>>Argus Version 2.0.6.fixes.1
>>
>>Does this look familiar? I did a quick search but couldn't find a match
>>with Known Issues.
>>
>>Argus is being invoked as:
>>
>>/usr/local/sbin/argus -F /usr/local/argus/etc/argus.conf
>>
>>Where the latter looks like:
>>
>>ARGUS_DAEMON=yes
>>ARGUS_MONITOR_ID=40
>>ARGUS_ACCESS_PORT=<some integer>
>>ARGUS_INTERFACE=fxp1
>>ARGUS_OUTPUT_FILE=/var/log/argus/argus_data
>>ARGUS_SET_PID=yes
>>ARGUS_GO_PROMISCUOUS=yes
>>ARGUS_FLOW_STATUS_INTERVAL=5
>>ARGUS_MAR_STATUS_INTERVAL=60
>>ARGUS_GENERATE_RESPONSE_TIME_DATA=yes
>>ARGUS_GENERATE_JITTER_DATA=yes
>>ARGUS_GENERATE_MAC_DATA=no
>>ARGUS_CAPTURE_DATA_LEN=1024
>>ARGUS_FILTER_OPTIMIZER=yes
>>ARGUS_FILTER="not host a.b.c.d"
>>
>>
>>Thanks for suggestions...
>>
>>Scott
>>
>>
>
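
Added example, not part of the thread and not Argus source code: one way to apply the hard limit described at the top of this message to ARGUS_CAPTURE_DATA_LEN when the configuration line is read. The 1024-byte TLV maximum and the 4-byte header are the figures given in that message; the macro and function names are hypothetical and the sample lines are constructed.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Figures from the message above; the names are hypothetical. */
#define USER_TLV_MAX_BYTES  1024  /* largest user-data TLV */
#define USER_TLV_HDR_BYTES  4     /* TLV header */
#define USER_DATA_MAX_BYTES (USER_TLV_MAX_BYTES - USER_TLV_HDR_BYTES)

/* Parse one "ARGUS_CAPTURE_DATA_LEN=<n>" line.
 * Returns 0 if the value is accepted as given, 1 if it was clamped to
 * USER_DATA_MAX_BYTES, -1 if the line is not a valid setting (*out untouched). */
int parse_capture_len(const char *line, int *out)
{
    static const char key[] = "ARGUS_CAPTURE_DATA_LEN=";
    const char *val;
    char *end;
    long v;

    if (strncmp(line, key, sizeof(key) - 1) != 0)
        return -1;
    val = line + sizeof(key) - 1;

    errno = 0;
    v = strtol(val, &end, 10);
    if (end == val || errno == ERANGE || v < 0)
        return -1;                      /* empty, overflowing or negative */
    while (*end == ' ' || *end == '\t' || *end == '\r' || *end == '\n')
        end++;
    if (*end != '\0')
        return -1;                      /* trailing garbage such as "64k" */

    if (v > USER_DATA_MAX_BYTES) {      /* header + data must fit the TLV */
        *out = USER_DATA_MAX_BYTES;
        return 1;
    }
    *out = (int)v;
    return 0;
}

int main(void)
{
    /* Constructed sample configuration lines. */
    const char *lines[] = { "ARGUS_CAPTURE_DATA_LEN=1024", "ARGUS_CAPTURE_DATA_LEN=256",
                            "ARGUS_CAPTURE_DATA_LEN=-1", "ARGUS_CAPTURE_DATA_LEN=64k" };
    for (size_t i = 0; i < sizeof(lines) / sizeof(lines[0]); i++) {
        int len = 0, rc = parse_capture_len(lines[i], &len);
        printf("%-30s rc=%d len=%d\n", lines[i], rc, len);
    }
    return 0;
}
```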