racluster rc.42 problems
Michael Sanderson
sanders at cs.ubc.ca
Thu Apr 5 03:18:22 EDT 2007
I have argus 2.0.6-fixes.1 + ... running on OpenBSD 4.0-stable and have a
collector running on OpenSuSE running 3.0.0 rc 42 compiled with gcc 4.1.0.
Configure was run as ./configure --prefix=/usr/local . I'm under the impression
that collecting with 3.0.0 from a 2.0.6 argus should work fine. Carter, please
correct me if I am wrong.

Collection has been stable and working fine. I do post collection processing of
the data to give me TopN type stats, along the lines of what Carter posted
recently with racluster | rasort | ra. I have run into some racluster issues.

First - a seg fault. The command that sees the segfault is racluster -M rmon
-m saddr -r ... -w ... . Attached is sample data (segfault.dat) that causes
the fault. Seg fault was at common/argus_client.c:9535, but the fix looks to be
common/argus_client.c:9505

    switch (type = f1->hdr.argus_dsrvl8.qual & 0x07)

Changing to

    switch ((type = f1->hdr.argus_dsrvl8.qual) & 0x07)

appears to fix the bug. The output seems right, but I haven't dug into it in
detail to ensure that there aren't minor discrepancies.

Second - things seem to go wrong after getting rtcp data. Attached is sample
data (rtcp-argus.dat) that causes this problem.
Apologies for the line wraps.

ra -r rtcp-data.argus
StartTime Flgs Proto SrcAddr Sport Dir DstAddr
Dport TotPkts TotBytes State
07/04/02 23:55:06 tcp 154.20.43.121.cloant ->
142.103.6.67.imaps 10 1081 CON
07/04/02 23:55:42 s tcp 142.103.6.47.60730 ->
61.137.93.90.smtp 3 222 REQ
07/04/02 23:55:50 rtcp 62.236.60.53.6881 ->
198.162.54.169.34307 1 105 INT

racluster -M rmon -m saddr -r rtcp-data.argus -w - | ra -r -
StartTime Flgs Proto SrcAddr Sport Dir DstAddr
Dport TotPkts TotBytes State
07/04/02 23:55:42 ip 61.137.93.90 <-
0.0.0.0 3 222 RSP
07/04/02 23:55:50 ip 62.236.60.53 ->
0.0.0.0 1 105 INT

We should see data for the IP addresses above 62.236.60.53 here, but it isn't
there. If I recall correctly, on large input files, I see small, truncated
output files from racluster as soon as I hit a record for rtcp.

racluster -M rmon -m saddr -r rtcp-data.argus -w - - not rtcp | ra -r -
StartTime Flgs Proto SrcAddr Sport Dir DstAddr
Dport TotPkts TotBytes State
07/04/02 23:55:42 ip 61.137.93.90 <-
0.0.0.0 3 222 RSP
07/04/02 23:55:42 ip 142.103.6.47 ->
0.0.0.0 3 222 INT
07/04/02 23:55:06 ip 142.103.6.67 <->
0.0.0.0 10 1081 CON
07/04/02 23:55:06 ip 154.20.43.121 <->
0.0.0.0 10 1081 CON

Ignoring rtcp records gives me complete output for non-rtcp records.
I am currently working around this issue by using the 'not rtcp' filter on my
racluster command lines. I haven't looked for a fix for this one.
--
Michael Sanderson sanders at cs.ubc.ca
Computing Facilities Manager (Acting) 604 822 6194
UBC Computer Science http://www.cs.ubc.ca/~sanders/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: segfault.dat
Type: video/mpeg
Size: 1424 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20070405/2fbb2fe5/attachment.m1v>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rtcp-argus.dat
Type: video/mpeg
Size: 612 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20070405/2fbb2fe5/attachment-0001.m1v>
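
Added example, not part of the original message or of the argus distribution: a Python check that compares ra text output before and after racluster -M rmon -m saddr and lists the hosts missing from the clustered output, which is the symptom reported above. It assumes the ra column layout shown in the post and that rmon mode emits one record per flow endpoint (as the 'not rtcp' output in the post suggests); the function names are illustrative.

```python
import re

# One ra record: time, optional flags, proto, src[.port], dir, dst[.port],
# pkts, bytes, state. Column layout assumed from the ra output in the post.
REC = re.compile(
    r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d (?:\S+ )??(\w+) "
    r"(\d+\.\d+\.\d+\.\d+)(?:\.\S+)? (\S+) "
    r"(\d+\.\d+\.\d+\.\d+)(?:\.\S+)? (\d+) (\d+) (\w+)")

def parse_ra(text):
    """Parse ra text output, tolerating records wrapped across lines."""
    flat = " ".join(text.split())  # undo mail line wraps
    return [{"proto": m[1], "src": m[2], "dst": m[4],
             "pkts": int(m[5]), "bytes": int(m[6])}
            for m in REC.finditer(flat)]

def missing_hosts(raw_text, rmon_text, exclude_proto=None):
    """Hosts present in the raw flows but absent from the rmon output.

    Assumption: -M rmon -m saddr yields one record per flow endpoint,
    keyed on SrcAddr. exclude_proto mirrors a filter such as 'not rtcp'.
    """
    raw = [r for r in parse_ra(raw_text) if r["proto"] != exclude_proto]
    expected = {r["src"] for r in raw} | {r["dst"] for r in raw}
    seen = {r["src"] for r in parse_ra(rmon_text)}
    return sorted(expected - seen)

# Sample text copied from the ra output quoted in the post (one wrap kept).
RAW = """
07/04/02 23:55:06 tcp 154.20.43.121.cloant -> 142.103.6.67.imaps 10 1081 CON
07/04/02 23:55:42 s tcp 142.103.6.47.60730 ->
61.137.93.90.smtp 3 222 REQ
07/04/02 23:55:50 rtcp 62.236.60.53.6881 -> 198.162.54.169.34307 1 105 INT
"""
RMON_ALL = """
07/04/02 23:55:42 ip 61.137.93.90 <- 0.0.0.0 3 222 RSP
07/04/02 23:55:50 ip 62.236.60.53 -> 0.0.0.0 1 105 INT
"""
RMON_NO_RTCP = """
07/04/02 23:55:42 ip 61.137.93.90 <- 0.0.0.0 3 222 RSP
07/04/02 23:55:42 ip 142.103.6.47 -> 0.0.0.0 3 222 INT
07/04/02 23:55:06 ip 142.103.6.67 <-> 0.0.0.0 10 1081 CON
07/04/02 23:55:06 ip 154.20.43.121 <-> 0.0.0.0 10 1081 CON
"""

if __name__ == "__main__":
    print(missing_hosts(RAW, RMON_ALL))
    print(missing_hosts(RAW, RMON_NO_RTCP, exclude_proto="rtcp"))
```

A non-empty result from the first call flags clustered output that stopped short of the input; the second call checks the filtered run against the non-rtcp flows only.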