argus-3.0.0 segfault (5/23 version)

Carter Bullard carter at qosient.com
Mon May 28 08:08:54 EDT 2007 

Hey Guys, sorry for the delayed response.
Well, the truth is that ARGUS_COLLECTOR is ignored in 3.0.0, as
we fixed quite a bit of things regarding performance.  I'm thinking
that it is coincidental, if not we've got a very interesting bug.

As soon as I get the packet file, I'll debug!!!!!!

Carter


On May 25, 2007, at 3:24 PM, Michael Hornung wrote:

> I need to sanitize the pcap before I send it on.  Will do so when
> possible.
>
> One thing I have noticed is that the problem only recurs when I  
> have the
> following set in argus.conf:
>
> ARGUS_COLLECTOR=no
>
> If I set "ARGUS_COLLECTOR=yes" the problem seems to stop.  I have been
> under the assumption that if I have argus running and not writing  
> to disk
> but only sending data to a remote radium client then I would want  
> to set
> "ARGUS_COLLECTOR=no".  But maybe that is not accurate?
>
> -Mike
>
> On Thu, 24 May 2007 at 23:22, carter at qosient.com wrote:
>
> |Hey Micheal,
> |If you can share that would be ideal!!!
> |You can use the argus write pcap file function that is turned on  
> from the argus.conf file to try to get the packet file size down.   
> It causes argus to write out the paxkets it receives, and so it  
> will stop on the packet that causes the problem!!!
> |
> |Thanks!!!
> |
> |Carter
> |
> |
> |Carter Bullard
> |QoSient LLC
> |150 E. 57th Street Suite 12D
> |New York, New York 10022
> |+1 212 588-9133 Phone
> |+1 212 588-9134 Fax
> |
> |-----Original Message-----
> |From: Michael Hornung <hornung at cac.washington.edu>
> |Date: Thu, 24 May 2007 15:13:15
> |To:argus-info at lists.andrew.cmu.edu
> |Subject: [ARGUS] argus-3.0.0 segfault (5/23 version)
> |
> |I've got argus running on a Fedora Core 6 x86 Linux box.  The  
> argus daemon
> |dies *very* regularly and so needs to be monitored.  I finally got  
> around
> |to capturing a pcap for the duration of an argus session.  Carter,  
> let me
> |know if you want this and I'll get it to you; it is 650MB  
> uncompressed.
> |Following is what I see when running argus in gdb:
> |
> |(gdb) run
> |Starting program: /usr/local/sbin/argus
> |argus[29762]: 24 May 07 14:56:36.593821 started
> |argus[29762]: 24 May 07 14:56:36.596492 ArgusGetInterfaceStatus:  
> interface
> |eth1 is up
> |argus[29762]: 24 May 07 14:56:41.031467 connect from 128.95.135.24
> |
> |Program received signal SIGSEGV, Segmentation fault.
> |0x0805a340 in ArgusCreateFlowKey (model=0x9491008, flow=0x9492290,
> |     hstruct=0x9492200) at ArgusUtil.c:785
> |785           hstruct->hash ^= *ptr++;
> |
> |(gdb) bt full
> |#0  0x0805a340 in ArgusCreateFlowKey (model=0x9491008,  
> flow=0x9492290,
> |     hstruct=0x9492200) at ArgusUtil.c:785
> |         ptr = (unsigned int *) 0xe025000
> |         key = (unsigned int *) 0x9492208
> |         retn = 0
> |         i = 19811198
> |         len = -1
> |#1  0x0804e71f in ArgusProcessPacket (model=0x9491008, p=0x949460a  
> "",
> |     length=90, tvp=0xbff0d5b8, type=0) at ArgusModeler.c:988
> |         retn = 0
> |         tflow = (struct ArgusSystemFlow *) 0x9492290
> |         flow = (struct ArgusFlowStruct *) 0x94b9d78
> |         nflow = (struct ArgusFlowStruct *) 0xc6ecbc8
> |         ptr = 0x949473c "\031"
> |         value = 0
> |#2  0x08055b61 in ArgusEtherPacket (user=0xb7e4c008 "", h=0xbff0d5b8,
> |     p=0x949460a "") at ArgusSource.c:623
> |         ep = (struct ether_header *) 0x949460a
> |         ind = 0
> |         src = (struct ArgusSourceStruct *) 0xb7e4c008
> |         tvp = (struct timeval *) 0xbff0d5b8
> |         caplen = 90
> |         length = 90
> |         statbuf = {st_dev = 0,__pad1 = 0,__st_ino = 0, st_mode = 0,
> |   st_nlink = 10354372, st_uid = 3086711688, st_gid = 0,
> |   st_rdev = 44261669504811007,__pad2 = 18120, st_size =
> |-4615955009626666608,
> |   st_blksize = 10255072, st_blocks = -5189414748145497984,  
> st_atim = {
> |     tv_sec = 1, tv_nsec = 1}, st_mtim = {tv_sec = 0, tv_nsec =  
> 134516346},
> |   st_ctim = {tv_sec = 0, tv_nsec = 134911664}, st_ino = 10354372}
> |#3  0x08066088 in pcap_read_linux ()
> |No symbol table info available.
> |#4  0x08057eeb in ArgusGetPackets (src=0xb7e4c008) at  
> ArgusSource.c:1654
> |         ArgusReadMask = {__fds_bits = {128, 0 <repeats 31 times>}}
> |         ArgusWriteMask = {__fds_bits = {0 <repeats 32 times>}}
> |         ArgusExceptMask = {__fds_bits = {0 <repeats 32 times>}}
> |         tmp = 1
> |         i = 0
> |         width = 7
> |         noerror = 1
> |         fd = 7
> |         found = 1
> |         up = 1
> |         wait = {tv_sec = 0, tv_usec = 20000}
> |#5  0x0804b333 in main (argc=1, argv=0xbff0d984) at argus.c:464
> |         commandlinew = 0
> |         doconf = 0
> |         dodebug = 0
> |         i = 1
> |         pid = 0
> |         tmparg = 0x8049f30 "[\201�214�005"
> |         filter = 0x0
> |         statbuf = {st_dev = 64768,__pad1 = 0,__st_ino = 2688645,
> |   st_mode = 33133, st_nlink = 1, st_uid = 500, st_gid = 500,  
> st_rdev = 0,
> |__pad2 = 0, st_size = 11114, st_blksize = 4096, st_blocks = 32,  
> st_atim
> |= {
> |     tv_sec = 1180043663, tv_nsec = 0}, st_mtim = {tv_sec =  
> 1180042005,
> |     tv_nsec = 0}, st_ctim = {tv_sec = 1180042005, tv_nsec = 0},
> |   st_ino = 2688645}
> |         host = (struct hostent *) 0x80a94bc
> |         commandlinei = 0
> |         op = -1
> |         path = "/etc/argus.conf\000argus", '\0' <repeats 8170 times>
> |
> |(gdb) print hstruct->hash
> |$1 = 2710700798
> |
> |So again, let me know if the pcap or anything else will be helpful.
> |
> |-Mike
> |

Carter Bullard
CEO/President
QoSient, LLC
150 E. 57th Street Suite 12D
New York, New York 10022

+1 212 588-9133 Phone
+1 212 588-9134 Fax


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20070528/12fab4e8/attachment.html>

More information about the argus mailing list