[ARGUS] FreeBSD 4.7 segfault.

slif at bellsouth.net slif at bellsouth.net
Fri Jun 25 10:40:07 EDT 2004 

I'm running fine with PACKET_LEN=512 on FreeBSD 5 and Linux Fedora FC2.

Carter Bullard wrote:

>Gentle people,
>   I would crank down the user data capture buffer to < 1020
>bytes. Run it at 256 and lets see if the problem doesn't go
>away, and then we'll crank it back up, but the max should be
>1020.  The user buffer TLV has an 8-bit length field, and
>we capture that many ints, so the max will be 1024.  The
>header is 4 bytes long, so you maybe tickling the edge of
>the user capture buffer.   I guess I should put in a hard
>limit on the input to this variable.
>
>   ArgusOutputCleanUp() is called only when the parent of
>the output process has died.  The parent of the output process
>is ArgusModeler(), and its doing all the dirty work.  More
>than likely its getting into trouble with the user data
>buffer length and exiting.
>
>
>Carter
>
>
>
>
>-----Original Message-----
>From: owner-argus-info at lists.andrew.cmu.edu
>[mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of
>slif at bellsouth.net
>Sent: Thursday, June 24, 2004 4:52 PM
>To: argus-info at lists.andrew.cmu.edu
>Subject: Re: [ARGUS] FreeBSD 4.7 segfault.
>
>Hello, Readers.
>I'm running something similar to Scott's setup (2.0.6.fixes.1)
>except on FreeBSD 5.2.1 and on Linux Fedora Core 2.
>Both environments run anywhere from 1 to 8 hours.
>In neither case do the 'argus' instances core.
>
>I've posted a bug report as my first post, perhaps
>that was seen as rude ?
>
>Anyway,
>I've since changed the `hostname` of ARGUS_MONITOR_ID to some number.
>I'm currently running them with DEBUG_LEVEL=8 in the hope
>of catching why the programs decide to exit...
>
>Both systems basically end like this:
>argus[13187]: 24 Jun 04 10:10:45 ArgusOutputCleanup(0) returning
>argus[13188]: client(/var/log/argus/argus.out) done.
>argus[13188]: 24 Jun 04 10:10:45 ArgusShutDown(ArgusError)
>
>I'd be happy to try patches and report back results.
>
>All the Best,
>-Mike Slifcak
>
>
>Peter Van Epp wrote:
>
>>	Assuming  ARGUS_CAPTURE_DATA_LEN=1024 is capturing 1k of user data,
>>try either without it or with it set to 64. Some time back there was a bug
>>in FreeBSD (at least) where user data above something like 96 did something
>>undesirable (probably seg faulted). The fix may have fallen off and need to
>>be dug up again if this fixes it (I will have the original patch from
>
>Carter
>
>>somewhere). I've had one running since April on 4.9:
>>
>>root   22782  0.0  0.1  2832 1116  ??  S     5Apr04 580:26.19
>
>/usr/local/bin/argus_bpf -dJR -i xl1 -w /data/argus.out
>
>>but with no user data capture (eats too much disk space).
>>
>>Peter Van Epp / Operations and Technical Support
>>Simon Fraser University, Burnaby, B.C. Canada
>>
>>
>>On Thu, Jun 24, 2004 at 09:42:16PM +0200, Scott A. McIntyre wrote:
>>
>>>Hi,
>>>
>>>On FreeBSD-4.7 I can run Argus in daemon mode for about half an hour (if
>>>I'm lucky) before it segfaults:
>>>
>>>Core was generated by `argus'.
>>>Program terminated with signal 11, Segmentation fault.
>>>Reading symbols from /usr/lib/libwrap.so.3...done.
>>>Reading symbols from /usr/lib/libpcap.so.2...done.
>>>Reading symbols from /usr/lib/libm.so.2...done.
>>>Reading symbols from /usr/lib/libc.so.4...done.
>>>Reading symbols from /usr/libexec/ld-elf.so.1...done.
>>>#0  0x8053113 in ArgusRemoveHashEntry (htblhdr=0x8358900) at
>>>./ArgusUtil.c:754
>>>754     ./ArgusUtil.c: No such file or directory.
>>>(gdb) where
>>>#0  0x8053113 in ArgusRemoveHashEntry (htblhdr=0x8358900) at
>>>./ArgusUtil.c:754
>>>#1  0x8052d08 in ArgusDeleteObject (obj=0x8421600) at ./ArgusUtil.c:553
>>>#2  0x804dff9 in ArgusTimeOut (flow=0x8421600) at ./ArgusModeler.c:1732
>>>#3  0x8052b5f in ArgusProcessQueue (queue=0x8136090, status=4 '\004') at
>>>./ArgusUtil.c:461
>>>#4  0x804d96b in ArgusSystemTimeout () at ./ArgusModeler.c:1413
>>>#5  0x804c24a in ArgusProcessPacket (ep=0x806f7e0, length=1506,
>>>tvp=0x813bca4) at ./ArgusModeler.c:489
>>>#6  0x8051305 in ArgusEtherPacket (user=0x0, h=0x813bca4, p=0x813bcb6 "")
>>>at ./ArgusSource.c:483
>>>#7  0x4809fe41 in pcap_read () from /usr/lib/libpcap.so.2
>>>#8  0x8051ca1 in ArgusGetPackets () at ./ArgusSource.c:959
>>>#9  0x804ae6b in ArgusLoop () at ./argus.c:510
>>>#10 0x804ae2f in main (argc=3, argv=0xbfbffb20) at ./argus.c:439
>>>(gdb) quit
>>>
>>>This is with:
>>>
>>>Argus Version 2.0.6.fixes.1
>>>
>>>Does this look familiar?  I did a quick search but couldn't find a match
>>>with Known Issues.
>>>
>>>Argus is being invoked as:
>>>
>>>/usr/local/sbin/argus -F /usr/local/argus/etc/argus.conf
>>>
>>>Where the latter looks like:
>>>
>>>ARGUS_DAEMON=yes
>>>ARGUS_MONITOR_ID=40
>>>ARGUS_ACCESS_PORT=<some integer>
>>>ARGUS_INTERFACE=fxp1
>>>ARGUS_OUTPUT_FILE=/var/log/argus/argus_data
>>>ARGUS_SET_PID=yes
>>>ARGUS_GO_PROMISCUOUS=yes
>>>ARGUS_FLOW_STATUS_INTERVAL=5
>>>ARGUS_MAR_STATUS_INTERVAL=60
>>>ARGUS_GENERATE_RESPONSE_TIME_DATA=yes
>>>ARGUS_GENERATE_JITTER_DATA=yes
>>>ARGUS_GENERATE_MAC_DATA=no
>>>ARGUS_CAPTURE_DATA_LEN=1024
>>>ARGUS_FILTER_OPTIMIZER=yes
>>>ARGUS_FILTER="not host a.b.c.d"
>>>
>>>
>>>Thanks for suggestions...
>>>
>>>Scott
>>>
>>>
>
>
>
>
>
>

More information about the argus mailing list