argus vs tcpdumped traffic from FreeBSD tun interface

carter at qosient.com
Tue Apr 10 07:34:26 EDT 2007


Hey Mike,
Argus dumping core isn't/can't be your fault!!  If you can share the packet trace, I'll fix the problem.  You can put the file in:
   ftp://qosient.com/incoming

Sorry for the inconvenience!!

Carter

Carter Bullard
QoSient LLC
150 E. 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax  

-----Original Message-----
From: Mike Patterson <mpatters at cs.uwaterloo.ca>
Date: Mon, 09 Apr 2007 23:07:21 
To: argus-info at lists.andrew.cmu.edu
Subject: [ARGUS] argus vs tcpdumped traffic from FreeBSD tun interface

I'm trying to run argus against some tcpdump traces I grab from my tun
device (PPPoE) on my FreeBSD gateway.  I'm reasonably certain I'm doing
things correctly, as argus operates correctly if I use tcpdump traces
captured from fxp0 (my internal network interface), but it dumps core
when I use traces from tun0.

For instance, I'm trying:
 tcpdump -i fxp0 -s0 -w /nsm/traces/fullout.lpc
(or -i tun0)

Then:
 argus -r fullout.lpc -w $ARGUSHOME/fullout.argus
which dumps core if the trace was captured from tun0.

Am I doing something stupid (this is not meant to work), missing
something (an option?), or have I found something wrong?  I'm playing
with a tunnel device at home, and I can work around it by just looking
at all network traffic instead of what goes through the tunnel, but I'd
rather just see traffic that's actually bound for or coming from
addresses external to my home network.  I get similar failure modes
using both 2.0.6 (from the FreeBSD ports tree) and 3.0 rc42 (built from
source).

I experimented on a different machine at work with a bridge instead of a
tunnel, and it seems to work just fine (although argus 3.0 seems to
choke on some tcpdump traffic that 2.0.6 is happy with, which seems to
be a separate issue).

Any comments would be appreciated.  I can share some tcpdump traces and
core files if anybody wants to see them.

Thanks,

Mike
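As an added example (not part of this thread and not argus code): a small Python script that reads the libpcap global header of a tcpdump -w file and reports its link-layer type, so a trace from tun0 and one from fxp0 can be compared before running argus -r on them. The DLT numbers come from libpcap's link-type registry. That a FreeBSD tun0 capture comes out as DLT_NULL (a 4-byte address-family word, no Ethernet header) rather than DLT_EN10MB is an assumption of this example, not something the thread establishes; the two sample captures are constructed in memory, not real traces.

```python
# Report the link-layer header type (DLT) of a libpcap savefile, and where the
# IP header starts in each record, before feeding the file to argus -r.
import struct
import sys

# LINKTYPE values from libpcap's registry (https://www.tcpdump.org/linktypes.html).
LINKTYPES = {
    0: "DLT_NULL (BSD loopback/tun: 4-byte address family, then IP)",
    1: "DLT_EN10MB (Ethernet)",
    9: "DLT_PPP",
    12: "DLT_RAW (raw IP, no link-layer header)",
    108: "DLT_LOOP (like DLT_NULL, family in network byte order)",
    113: "DLT_LINUX_SLL (Linux cooked capture)",
}
# Offset of the IP header inside a record for fixed-length framings only; PPP and
# VLAN-tagged Ethernet vary per packet, so they are left out and yield None.
IP_OFFSET = {0: 4, 1: 14, 12: 0, 108: 4, 113: 16}
# pcap magic -> (struct byte-order prefix, nanosecond timestamps?)
_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", False), b"\xa1\xb2\xc3\xd4": (">", False),
    b"\x4d\x3c\xb2\xa1": ("<", True), b"\xa1\xb2\x3c\x4d": (">", True),
}


def parse_global_header(data):
    """Decode the 24-byte pcap global header; raise ValueError if it is not one."""
    if len(data) < 24:
        raise ValueError("need at least 24 bytes for a pcap global header")
    magic = bytes(data[:4])
    if magic not in _MAGICS:
        hint = " (pcapng block header?)" if magic == b"\x0a\x0d\x0d\x0a" else ""
        raise ValueError("not a libpcap savefile, magic %s%s" % (magic.hex(), hint))
    endian, nanos = _MAGICS[magic]
    major, minor, _tz, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    return {"endian": endian, "nanosecond": nanos, "version": (major, minor),
            "snaplen": snaplen, "linktype": linktype,
            "linktype_name": LINKTYPES.get(linktype, "unknown DLT %d" % linktype),
            "ip_offset": IP_OFFSET.get(linktype)}


def first_record(data, hdr):
    """Return (caplen, origlen, payload) of the first packet record after the header."""
    if len(data) < 40:
        raise ValueError("file has no packet records")
    _sec, _frac, caplen, origlen = struct.unpack(hdr["endian"] + "IIII", data[24:40])
    payload = data[40:40 + caplen]
    if len(payload) < caplen:
        raise ValueError("first record truncated (%d of %d bytes)" % (len(payload), caplen))
    return caplen, origlen, payload


def ip_version_of_first_packet(data):
    """IP version (4 or 6) at the expected offset, or None when the framing is not fixed."""
    hdr = parse_global_header(data)
    off = hdr["ip_offset"]
    if off is None:
        return None
    _, _, payload = first_record(data, hdr)
    return payload[off] >> 4 if len(payload) > off else None


def build_sample(linktype, packet, little_endian=True):
    """Construct a one-packet pcap in memory (constructed test data, not a real trace)."""
    endian = "<" if little_endian else ">"
    magic = b"\xd4\xc3\xb2\xa1" if little_endian else b"\xa1\xb2\xc3\xd4"
    global_hdr = magic + struct.pack(endian + "HHiIII", 2, 4, 0, 0, 65535, linktype)
    record_hdr = struct.pack(endian + "IIII", 1176174441, 0, len(packet), len(packet))
    return global_hdr + record_hdr + packet


# Constructed 20-byte IPv4 header (192.168.0.1 -> 192.168.0.2, protocol ICMP).
IPV4 = bytes.fromhex("4500001c000040004001000ac0a80001c0a80002")
# fxp0-style record: 14-byte Ethernet header (ethertype 0x0800), then IP.
SAMPLE_FXP0 = build_sample(1, b"\xff" * 6 + bytes.fromhex("001122334455") + b"\x08\x00" + IPV4)
# Assumed tun0-style record: AF_INET (2) in the capturing host's byte order, then IP.
SAMPLE_TUN0 = build_sample(0, struct.pack("<I", 2) + IPV4)


def describe(data):
    """One-line summary of a trace's framing, for checking before argus -r."""
    hdr = parse_global_header(data)
    return "linktype=%d %s snaplen=%d first-packet-ip-version=%s" % (
        hdr["linktype"], hdr["linktype_name"], hdr["snaplen"], ip_version_of_first_packet(data))


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as f:  # header, first record header, and a slice of payload
            print(path + ": " + describe(f.read(24 + 16 + 4096)))
    if len(sys.argv) == 1:
        print("fxp0-like sample: " + describe(SAMPLE_FXP0))
        print("tun0-like sample: " + describe(SAMPLE_TUN0))
```

Run it as `python3 pcapdlt.py /nsm/traces/fullout.lpc` (the script name is the example's own). If the tun0 trace reports a link type other than DLT_EN10MB, that is the first thing to mention alongside the trace and core file, since a reader that assumes Ethernet framing will be looking for the IP header 14 bytes into a record that only has a 4-byte address-family word in front of it.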



