Argus daemon (3.0.0, 3.0.1b2) dies after time on OpenBSD 4.x
carter at qosient.com
Tue Dec 9 08:48:59 EST 2008
Hey Darren,
Sounds like it could be a specific packet type.
Try writing packets out to a file, and seeing if we
can catch the little bugger.
Carter
Sent from my Verizon Wireless BlackBerry
-----Original Message-----
From: "Darren Spruell" <phatbuckett at gmail.com>
Date: Tue, 9 Dec 2008 00:36:31
To: Argus<argus-info at lists.andrew.cmu.edu>
Subject: Re: [ARGUS] Argus daemon (3.0.0, 3.0.1b2) dies after time on OpenBSD 4.x
On Mon, Dec 8, 2008 at 8:12 PM, Carter Bullard <carter at qosient.com> wrote:
> Hey Darren,
> No output in /var/log/messages? Does seem odd.
I thought so too. Verified that logs are devoid of any messages from
'argus' at all. What are the default facility/priority for syslog
output? Maybe I'll have to adjust syslog.conf (Default:
http://www.openbsd.org/cgi-bin/cvsweb/src/etc/syslog.conf?rev=1.17;content-type=text%2Fplain).
> Try removing the ./.threads file, and reconfiguring and rebuilding.
> % rm .threads
> % ./configure;make clean;make
>
> And see if that doesn't help. I've noticed that on OpenBSD the
> threads package is a bit persnickety. I have worked it a bit on
> argus-3.0.1.beta.3 and may have a change or 2 if this helps you.
No .threads file by default and none created, no libpthread linking:
$ ldd /usr/local/sbin/argus
/usr/local/sbin/argus:
Start End Type Open Ref GrpRef Name
1c000000 3c0aa000 exe 1 0 0 /usr/local/sbin/argus
06f58000 26f68000 rlib 0 1 0 /usr/lib/libpcap.so.6.0
06178000 26180000 rlib 0 1 0 /usr/lib/libm.so.3.0
08e0c000 28e42000 rlib 0 1 0 /usr/lib/libc.so.48.0
08ef9000 08ef9000 rtld 0 1 0 /usr/libexec/ld.so
Any other suggestions? I figure I'll give a shot to Peter's debug
instructions and try to capture more crash details.
Thx,
DS
> On Dec 8, 2008, at 8:07 PM, Darren Spruell wrote:
>
>> Hi,
>>
>> I have an Argus installation on an OpenBSD 4.4 sensor for which I've
>> noted the daemon running for a while (several days at a time) and then
>> dying. Typical uptimes seem to vary between 6 and 10 days. No core
>> files are found, and I don't seem to have anything in syslog
>> indicating an error.
>>
>> I've had the same experience on both argus-3.0.0 and
>> argus-3.0.1.beta.2. Started as:
>>
>> /usr/local/sbin/argus -F /etc/argus/argus.conf
>>
>> Config file:
>>
>> ARGUS_FLOW_TYPE="Bidirectional"
>> ARGUS_FLOW_KEY="CLASSIC_5_TUPLE"
>> ARGUS_DAEMON=yes
>> ARGUS_MONITOR_ID=quagmire
>> ARGUS_ACCESS_PORT=561
>> ARGUS_BIND_IP="x.y.241.103"
>> ARGUS_INTERFACE=em1
>> ARGUS_SETUSER_ID=argus
>> ARGUS_SETGROUP_ID=argus
>> ARGUS_OUTPUT_FILE=/var/log/argus/argus-quagmire.out
>> ARGUS_SET_PID=yes
>> ARGUS_PID_PATH="/var/run/argus"
>> ARGUS_FLOW_STATUS_INTERVAL=5
>> ARGUS_MAR_STATUS_INTERVAL=60
>> ARGUS_DEBUG_LEVEL=0
>> ARGUS_GENERATE_RESPONSE_TIME_DATA=no
>> ARGUS_GENERATE_PACKET_SIZE=no
>> ARGUS_GENERATE_JITTER_DATA=no
>> ARGUS_GENERATE_MAC_DATA=no
>> ARGUS_GENERATE_APPBYTE_METRIC=no
>> ARGUS_FILTER="ip and not dst host 224.0.0.2"
>>
>> Running daemon:
>>
>> argus 28139 0.0 0.1 1636 2208 ?? Ss Sun12AM 0:56.27
>> argus -F /etc/argus/argus.conf
>>
>> Output files:
>>
>> -rw-r--r-- 1 argus argus 62199296 Dec 8 17:29
>> /var/log/argus/argus-quagmire.out
>> -rw-r--r-- 1 argus argus 6 Dec 7 00:36 /var/run/argus/argus.em1.0.pid
>>
>> OS: OpenBSD 4.4-stable (GENERIC) i386
>> em1: Intel PRO/1000MT (82546EB)
>>
>> Anything apparent going on? If not, how should I run the daemon to
>> output useful debugging data?
>>
>> --
>> Darren Spruell
>> phatbuckett at gmail.com
>>
>
>
--
Darren Spruell
phatbuckett at gmail.com