Random crashing with rc.40 on Linux

Peter Van Epp vanepp at sfu.ca
Wed Mar 7 11:03:10 EST 2007


On Wed, Mar 07, 2007 at 12:22:04PM +0100, Scott A. McIntyre wrote:
> Hi,
> 
> 
> Since upgrading to rc40, my Argus seems to crash or exit regularly.  I
> built with .debug touched and the only thing that shows up in the
> daemon.logs for Linux are:
> 
> Mar  7 08:57:07  argus[24829]: 07 Mar 07 08:57:07.538966 started
> Mar  7 08:57:07  argus[24829]: 07 Mar 07 08:57:07.539359
> ArgusGetInterfaceStatus: interface eth1 is up
> Mar  7 09:20:01  argus[24829]: 07 Mar 07 09:20:01.154647 ArgusAddToQueue
> (0x83b15b4, 0x95abb50) obj in queue 0x83b15b4
> Mar  7 09:20:01  argus[24829]: 07 Mar 07 09:20:01.253027 stopped
> 
> 
> I invoked Argus with:
> 
> /usr/local/argus3/sbin/argus -d -F /usr/local/argus3/argus.conf
> 
> As I'd been doing for all previous RC's and only rc40 has shown this
> behaviour.
> 
> Argus Version 3.0.0.rc.40
> 
> Anywhere else I should go to check for signs of what's causing this exit?
> 
> Scott

        I saw it once back in January on about rc.37 and haven't seen it again 
(on Linux on PowerPC with the pf-ring code). I don't see it at all on my 
sensor that is beside my production 2.0.6 sensor on a regen tap. The sensor
that sees the area is on a collapsed backbone with VLANs and that confuses
argus and I had written it off to an artifact of that since it doesn't happen
on the sensor that is just between two routers on my border.

/var/log/messages-20070225.bz2:Jan 17 14:40:01 sniffer1 argus[3182]: 17 Jan 07 14:40:01.535904 ArgusAddToQueue (0x130b3dc0, 0x14e28c40) obj in queue 0x130b3dc0

so if you can reproduce it all the better!
         I expect the easiest solution is if you can run tcpdump beside the 
argus and supply Carter with a tcpdump trace that causes the problem. If that's 
not possible (for data privacy reasons for instance) then a code change to 
cause a seg fault at the error message which may be what's needed for 
performance so that there is a core when this happens (an alternative is to 
set a breakpoint in gdb at the error message and then display the backtrace
but that may cause performance problems). Then Carter can look at the back 
trace and try and figure out how the code got here (which is likely a bug).

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada
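
The log signature in both messages (an ArgusAddToQueue "obj in queue" line, in Scott's case followed by "stopped") can be located mechanically so that a tcpdump trace captured beside argus can be trimmed to the window around it. This is an added example, not part of the original thread or of the Argus code; the function name, the 60-second margin and the sample lines (built from the log excerpts in the thread, with wrapped lines rejoined) are assumptions.

```python
import re
from datetime import datetime, timedelta

# Argus's own timestamp and message, as they follow "argus[pid]:" in syslog.
LINE = re.compile(r"argus\[(?P<pid>\d+)\]:\s+"
                  r"(?P<ts>\d{2} \w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(?P<msg>.*)$")
QUEUE_ERR = re.compile(r"ArgusAddToQueue\s*\((0x[0-9a-f]+),\s*(0x[0-9a-f]+)\)"
                       r"\s+obj in queue\s+(0x[0-9a-f]+)")

# Constructed sample: the log excerpts from the thread, wrapped lines rejoined.
SAMPLE = [
    "Mar  7 08:57:07  argus[24829]: 07 Mar 07 08:57:07.538966 started",
    "Mar  7 09:20:01  argus[24829]: 07 Mar 07 09:20:01.154647 ArgusAddToQueue "
    "(0x83b15b4, 0x95abb50) obj in queue 0x83b15b4",
    "Mar  7 09:20:01  argus[24829]: 07 Mar 07 09:20:01.253027 stopped",
    "Jan 17 14:40:01 sniffer1 argus[3182]: 17 Jan 07 14:40:01.535904 ArgusAddToQueue "
    "(0x130b3dc0, 0x14e28c40) obj in queue 0x130b3dc0",
]

def find_queue_errors(lines, margin_s=60):
    """One dict per 'obj in queue' message, with the capture window around it
    and, if the same pid logs 'stopped' afterwards, the delay in seconds."""
    events, pending = [], {}
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        pid = int(m["pid"])
        ts = datetime.strptime(m["ts"], "%d %b %y %H:%M:%S.%f")
        q = QUEUE_ERR.search(m["msg"])
        if q:
            ev = {"pid": pid, "time": ts, "args": (q.group(1), q.group(2)),
                  "in_queue": q.group(3), "stopped_after_s": None,
                  "window": (ts - timedelta(seconds=margin_s),
                             ts + timedelta(seconds=margin_s))}
            events.append(ev)
            pending[pid] = ev
        elif m["msg"].strip() == "stopped" and pid in pending:
            ev = pending.pop(pid)
            ev["stopped_after_s"] = (ts - ev["time"]).total_seconds()
    return events

if __name__ == "__main__":
    for ev in find_queue_errors(SAMPLE):
        start, end = ev["window"]
        print(ev["pid"], ev["time"], "stopped after", ev["stopped_after_s"],
              "| keep packets", start, "to", end)
```

The window bounds are in the sensor's local time, as argus logs them, so they need to be matched against the capture's timestamps accordingly.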


