argus-clients-3.0.0.rc.3: rabins coredumps

Fri Jun 9 03:26:12 EDT 2006

Ok, I have tested argus-clients-3.0.0.rc.4 and the following "rabins"  
command works fine:

[...]
rabins -M time 5m soft zero -r /data2/argus/argus.out
[...]

Altough "racount -a ..." still gives the same problems.

Regards,

Robin

Quoting Carter Bullard <carter at qosient.com>:

> Hey Robin,
> Ok, so we need some ground rules on these bug reports.
>
> For command line errors, the only way to know what the issue
> could be, is to see exactly how the command was called.  So,
> I need the exact command line that you used to understand
> if its driver error or a bug, especially when its saying 'syntax
> error' :o)
>
> I removed so much code from the original clients, that there
> will be problems, just hope there aren't a billion of them.
>
> So a segfault at the end, here is a patch that works.
>
> *** argus_client.c.orig 2006-06-08 11:52:11.000000000 -0400
> --- argus_client.c      2006-06-08 11:52:29.000000000 -0400
> ***************
> *** 805,817 ****
>      struct ArgusRecordStruct *retn = NULL;
>      unsigned int status = 0;
>
> -    parser->ArgusReverse = 0;
> -
>      if (argus == NULL) {
>         if (parser == NULL) {
>            retn = &ArgusGenerateRecordStructBuf;
>            bzero ((char *)retn, sizeof(*retn));
>         } else {
>            retn = &parser->argus;
>         }
>
> --- 805,816 ----
>      struct ArgusRecordStruct *retn = NULL;
>      unsigned int status = 0;
>
>      if (argus == NULL) {
>         if (parser == NULL) {
>            retn = &ArgusGenerateRecordStructBuf;
>            bzero ((char *)retn, sizeof(*retn));
>         } else {
> +          parser->ArgusReverse = 0;
>            retn = &parser->argus;
>         }
>
> Carter
>
>
> On Jun 8, 2006, at 11:01 AM, Robin Gruyters wrote:
>
>> Quoting Carter Bullard <carter at qosient.com>:
>>
>>> Ok, when debugging clients, if they blow up, its generally input
>>> specific.   So, at some time in debugging clients we probably will
>>> need some subset of data to chase it down.
>>>
>>> But before we get there, because the clients share so much
>>> code, the first thing to do in chasing down a client
>>> bug is to see if other ra* programs also have the same problem.
>>>
>>> But, before that, we have to make sure that the client is being
>>> run correctly, and your rabins() example maybe a problem with
>>> parameters.  You aren't running rabins with any description of
>>> how to "bin" the data.   I know this is a line out of ragraph,pl,
>>> but ragraph adds a few more parameters.
>>>
>>> Is this argus-2.0 data?
>>>
>> No, this is from argus 3.0.0.rc.3. I'm testing it first on our   
>> development server. (which has no history of Argus use)
>>
>>> Try   ' rabins -M time 5m soft zero -r /data2/argus/argus.out'
>>> to see if you get any output.
>>>
>> Well, I get data, but at the end I get a "segfault".
>>
>>> If that has problems, then we need to make sure that its rabins
>>> specific.  racount() is the program I use for testing this.
>>> Its good because it doesn't do anything to the input records,
>>> other than parse them.
>>>
>>> So,...., the second step should be, can racount() read the file?
>>>
>> When I run racount() without '-a' or '-c' option, it works fine,   
>> but when trying to run it with either option I get the following   
>> error:
>>
>> [...]
>> racount[57412]: 16:59:36.034059  argus.out filter syntax error
>> racount   records     total_pkts     src_pkts       dst_pkts         
>> total_bytes        src_bytes          dst_bytes
>>    sum   0           0              0              0              0  
>>                  0                  0
>> [...]
>>
>>
>> Regards,
>>
>> Robin
>>
>>> If, yes, then can ra() parse and print each record, so, the 3rd
>>> step would be to try  ' ra -r /data2/argus/argus.out > test.out',
>>> then with the specific parameters, etc.....
>>>
>>> If you have problems with all these strategies, then its to the
>>> debugger.
>>>
>>> Carter
>>>
>>>
>>>
>>>
>>> On Jun 8, 2006, at 5:14 AM, Robin Gruyters wrote:
>>>
>>>> Hello,
>>>>
>>>> When I try to execute the following command, it coredumps on me... :(
>>>>
>>>> [...]
>>>> $ sudo rabins -M soft zero -p6 -GL0 -s lasttime -r    
>>>> /data2/argus/argus.out -w /tmp/ragraph.out
>>>> Floating point exception (core dumped)
>>>> [...]
>>>>
>>>> I'm running Argus (3.0.0.rc.3) on FreeBSD 5.4-RELEASE-p11.
>>>>
>>>> Regards,
>>>>
>>>> Robin Gruyters
>>>> Network and Security Engineer
>>>> Yirdis B.V.
>>>> I: http://yirdis.com
>>>> P: +31 (0)36 5300394
>>>> F: +31 (0)36 5489119
>>>>
>>
>>