argus-3.0.0 segfault (5/23 version)
carter at qosient.com
Thu May 24 19:22:45 EDT 2007
Hey Michael,
If you can share that would be ideal!!!
You can use the argus write pcap file function that is turned on from the argus.conf file to try to get the packet file size down. It causes argus to write out the packets it receives, and so it will stop on the packet that causes the problem!!!
Thanks!!!
Carter
Carter Bullard
QoSient LLC
150 E. 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax
-----Original Message-----
From: Michael Hornung <hornung at cac.washington.edu>
Date: Thu, 24 May 2007 15:13:15
To: argus-info at lists.andrew.cmu.edu
Subject: [ARGUS] argus-3.0.0 segfault (5/23 version)
I've got argus running on a Fedora Core 6 x86 Linux box. The argus daemon
dies *very* regularly and so needs to be monitored. I finally got around
to capturing a pcap for the duration of an argus session. Carter, let me
know if you want this and I'll get it to you; it is 650MB uncompressed.
Following is what I see when running argus in gdb:
(gdb) run
Starting program: /usr/local/sbin/argus
argus[29762]: 24 May 07 14:56:36.593821 started
argus[29762]: 24 May 07 14:56:36.596492 ArgusGetInterfaceStatus: interface eth1 is up
argus[29762]: 24 May 07 14:56:41.031467 connect from 128.95.135.24
Program received signal SIGSEGV, Segmentation fault.
0x0805a340 in ArgusCreateFlowKey (model=0x9491008, flow=0x9492290,
hstruct=0x9492200) at ArgusUtil.c:785
785 hstruct->hash ^= *ptr++;
(gdb) bt full
#0 0x0805a340 in ArgusCreateFlowKey (model=0x9491008, flow=0x9492290,
hstruct=0x9492200) at ArgusUtil.c:785
ptr = (unsigned int *) 0xe025000
key = (unsigned int *) 0x9492208
retn = 0
i = 19811198
len = -1
#1 0x0804e71f in ArgusProcessPacket (model=0x9491008, p=0x949460a "",
length=90, tvp=0xbff0d5b8, type=0) at ArgusModeler.c:988
retn = 0
tflow = (struct ArgusSystemFlow *) 0x9492290
flow = (struct ArgusFlowStruct *) 0x94b9d78
nflow = (struct ArgusFlowStruct *) 0xc6ecbc8
ptr = 0x949473c "\031"
value = 0
#2 0x08055b61 in ArgusEtherPacket (user=0xb7e4c008 "", h=0xbff0d5b8,
p=0x949460a "") at ArgusSource.c:623
ep = (struct ether_header *) 0x949460a
ind = 0
src = (struct ArgusSourceStruct *) 0xb7e4c008
tvp = (struct timeval *) 0xbff0d5b8
caplen = 90
length = 90
statbuf = {st_dev = 0,__pad1 = 0,__st_ino = 0, st_mode = 0,
st_nlink = 10354372, st_uid = 3086711688, st_gid = 0,
st_rdev = 44261669504811007,__pad2 = 18120, st_size = -4615955009626666608,
st_blksize = 10255072, st_blocks = -5189414748145497984, st_atim = {
tv_sec = 1, tv_nsec = 1}, st_mtim = {tv_sec = 0, tv_nsec = 134516346},
st_ctim = {tv_sec = 0, tv_nsec = 134911664}, st_ino = 10354372}
#3 0x08066088 in pcap_read_linux ()
No symbol table info available.
#4 0x08057eeb in ArgusGetPackets (src=0xb7e4c008) at ArgusSource.c:1654
ArgusReadMask = {__fds_bits = {128, 0 <repeats 31 times>}}
ArgusWriteMask = {__fds_bits = {0 <repeats 32 times>}}
ArgusExceptMask = {__fds_bits = {0 <repeats 32 times>}}
tmp = 1
i = 0
width = 7
noerror = 1
fd = 7
found = 1
up = 1
wait = {tv_sec = 0, tv_usec = 20000}
#5 0x0804b333 in main (argc=1, argv=0xbff0d984) at argus.c:464
commandlinew = 0
doconf = 0
dodebug = 0
i = 1
pid = 0
tmparg = 0x8049f30 "[\201�214�005"
filter = 0x0
statbuf = {st_dev = 64768,__pad1 = 0,__st_ino = 2688645,
st_mode = 33133, st_nlink = 1, st_uid = 500, st_gid = 500, st_rdev = 0,
__pad2 = 0, st_size = 11114, st_blksize = 4096, st_blocks = 32, st_atim = {
tv_sec = 1180043663, tv_nsec = 0}, st_mtim = {tv_sec = 1180042005,
tv_nsec = 0}, st_ctim = {tv_sec = 1180042005, tv_nsec = 0},
st_ino = 2688645}
host = (struct hostent *) 0x80a94bc
commandlinei = 0
op = -1
path = "/etc/argus.conf\000argus", '\0' <repeats 8170 times>
(gdb) print hstruct->hash
$1 = 2710700798
So again, let me know if the pcap or anything else will be helpful.
-Mike