argus.2.0.6.fixes.1 on OBSD 3.7

Carter Bullard carter at qosient.com
Fri Aug 26 10:30:37 EDT 2005 

Hey Russell,
    I've got the modified argus_bpf running, and we'll see if it now  
breaks.
I've got a lot of memory debug support now in, and so we'll see if we've
got someone deallocating incorrectly, or if we just have a lot of memory
requirements for this probe.  You have a lot of scanning going on, and
so you have a high average flow arrival rate (>20,000 simultaneous  
flows),
but that shouldn't cause you to go over 500MB of memory.

We'll see what happens.

Carter

On Aug 26, 2005, at 8:55 AM, Carter Bullard wrote:

> Hey Russell,
>    I'm looking at it now, and basically there is no reason for it to
> die trying to allocate 128 bytes for this new flow NetworkDSRBuffer.
> Usually when you get blow ups in calloc and malloc its because you
> previously freed something that wasn't aligned or wasn't a real  
> buffer.
> This is going to be my first pass guess, so, ..., I'm going to put  
> in some
> better buffer checking, and see if we can tease out a reason for this.
>
> Still working on it.
>
> Carter
>
>
> On Aug 22, 2005, at 11:54 PM, Russell Fulton wrote:
>
>
>>
>> HI Folks,
>>     This is my first serious foray into using argus on Open BSD.   
>> First thing I tripped over was that I got the original 2.0.6  
>> distro from qosient and it would not use the -F conf.file.  I then  
>> remembered that there had been a fix version and got that from  
>> the /dev/ directory.  I've emailed Carter to say that he really  
>> should put the fixed version in /pub/ :)
>>
>> Now it keeps dying with memory problems:
>> Aug 23 13:06:29 hihi argus_bpf[27318]: started
>> Aug 23 13:30:51 hihi argus_bpf[27318]: ArgusNewFlow() ArgusCalloc  
>> error Cannot allocate memory. Aug 23 13:30:51 hihi argus_bpf 
>> [27682]: client(/home/argus/data/current) done.
>> The box has 512MB real memory and a GB of swap.  I'm running other  
>> linux sensors on this network with less memory.
>> I remember Eric and Peter mentioning kernel memory being an issue  
>> with some BSD systems but could not find the posts in the archive.
>>
>> BTW I'm using the generic kernel.
>>
>> Russell
>>
>>
>>
>
>
>

More information about the argus mailing list