Latest clients look to have broken archive file movement
Peter Van Epp
vanepp at sfu.ca
Mon Jun 25 17:45:10 EDT 2007
I'm seeing some interesting (for some value of interesting :-( )
instability in the argus sensor with the latest code from the server. Some
of it looks to be client related on the rc.44 and .45 clients, but I think
some if also argus related (but it may also be pf-ring on Linux related).
I have a sensor on an IBM Power5 64 bit machine running Suse 10.2
Linux and the pf-ring libpcap code. In the last while (with rc.44 and .45
it has become unstable and sometimes crashes. As part of debugging that I
have been connecting to clients (using ra) to the same sensor. That seems to
make it really unstable. Starting the second client often results in this:
vanepp at hcids:/var/log/argus.logs> *** glibc detected *** argus: double free or corruption (!prev): 0x00000000119129e0 ***
======= Backtrace: =========
/lib64/power5+/libc.so.6[0x4000026c164]
/lib64/power5+/libc.so.6(cfree-0xe3dc0)[0x4000026de28]
argus[0x1002bf48]
argus[0x1001d05c]
argus[0x10021304]
argus[0x1000a48c]
argus[0x100157a4]
/usr/local/lib/libpcap.so.0[0x4000007c5f0]
/usr/local/lib/libpcap.so.0(pcap_dispatch-0x338f8)[0x4000007cad8]
argus[0x100189e4]
argus[0x10005888]
/lib64/power5+/libc.so.6[0x4000021068c]
/lib64/power5+/libc.so.6(__libc_start_main-0x13c3d0)[0x40000210928]
What I would be interested in is if someone else can reproduce this on
a non pf-ring machine (i.e. openBSD or FreeBSD). It looks like you need to
have about 100 megabits sustained of traffic to trip it (I have two links and
the slower one has never died so far). Its also possible its the mix of clients
in use. The first one is a 64 bit PowerPC Mac running MacOS 10 and the second
client to connect (and cause the fault above) is FreeBSD on a 32 bit Intel
platform. To add to the fun setting -D greater than 3 on the argus sensor also
seems to fix the problem (at least I haven't been able to make that die yet).
Up til a couple of weeks ago this setup had been up without trouble
(at least on the sensor end, clients have died occasionally) for a couple
of weeks straight. I may have to dig up an earlier version of argus-3.0.0 to
see if that helps any as well.
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
More information about the argus
mailing list