Time Issue on OpenBSD 4.2 with rc.69 (Was: Re: Sparc64 OpenBSD4.1 Compile issue)

Carter Bullard carter at qosient.com
Fri Feb 8 02:57:56 EST 2008


Well, it is a puzzler from way over here.  Since you can run this thing
in gdb, the fundamental question is what is the size of a
"struct timeval" and how is it stored in the flow control block.
Is it stored correctly?  Is it copied correctly, and then is it packed
correctly when it's written out?

While running argus in gdb(), break in ArgusProcessPacket() and
print out the size and contents of tvp.

Be sure and set the ARGUS_DAEMON=yes to no in the /etc/argus.conf
file, so gdb doesn't lose the focus.

    % gdb argus
    (gdb) break ArgusProcessPacket
    (gdb) run -w /tmp/test.out
     break at .........
    (gdb) print sizeof(*tvp)
    (gdb) print *tvp

It should be 8 bytes long, but on some 64-bit machines this value
is 16 bytes wide.

Step through the program until you get to the return(retn) statement on
line 1297, and then print out the canonical flow record for the packet
you just processed to see if the timestamps are ok.

    (gdb) break 1297
    (gdb) cont

When it breaks at the return(retn):
    (gdb) print flow->qhdr
    (gdb) print model->ArgusGlobalTime

That should tell us if we're doing the right thing with time in the
modeler.

Delete the breakpoints that you set and set another one:
    (gdb) delete
    (gdb) list ArgusGenerateRecord

Set a breakpoint at line 2522:
    (gdb) break 2522
    (gdb) cont

This should break where we are copying the time into the packed
output record.
    (gdb) print *dtime

That should get us there.  If you want to step around in this routine
and check out what is actually being copied, that may shed some light.
I suspect we're having problems around line 2550.


Carter


On Feb 8, 2008, at 2:24 AM, Eric Pancer wrote:

> On Fri, 2008-02-08 at 02:12:42 -0500, Carter Bullard proclaimed...
>
>> Hmmmm, regardless,  go into both the clients and server
>> ./include/argus_out.h files and change the pack(2) to a
>> pack(4).  Then "make clean; make" and see if that doesn't change
>> something in a positive way.
>
> Ok, I did this. Still nothing fixed. :(
>
> - Eric
>
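
The width problem discussed in this message, as an added example that is not part of the original e-mail and is not Argus code: it contrasts a raw 8-byte copy of a host "struct timeval" with an explicit per-field conversion into an 8-byte record. The record layout (big-endian 32-bit seconds, then 32-bit microseconds), WIRE_TIME_LEN and all function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/time.h>

#define WIRE_TIME_LEN 8   /* assumed record size: 32-bit sec + 32-bit usec */

static void put_be32(unsigned char *p, uint32_t v) {
    p[0] = (unsigned char)(v >> 24); p[1] = (unsigned char)(v >> 16);
    p[2] = (unsigned char)(v >> 8);  p[3] = (unsigned char)v;
}

static uint32_t get_be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16)
         | ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Width-independent: convert each field explicitly, reject what cannot fit. */
int pack_time(const struct timeval *tv, unsigned char out[WIRE_TIME_LEN]) {
    if (tv->tv_sec < 0 || (uint64_t)tv->tv_sec > UINT32_MAX) return -1;
    if (tv->tv_usec < 0 || tv->tv_usec > 999999) return -1;
    put_be32(out, (uint32_t)tv->tv_sec);
    put_be32(out + 4, (uint32_t)tv->tv_usec);
    return 0;
}

/* Width-dependent: raw copy of the first 8 bytes of the host struct.
 * With a 16-byte struct timeval those bytes typically hold tv_sec alone. */
void pack_time_raw(const struct timeval *tv, unsigned char out[WIRE_TIME_LEN]) {
    memcpy(out, tv, WIRE_TIME_LEN);
}

/* 1 when the host struct is exactly 8 bytes, 0 when a raw copy truncates it. */
int raw_copy_keeps_usec(void) {
    return sizeof(struct timeval) == WIRE_TIME_LEN;
}

int main(void) {
    struct timeval tv = { .tv_sec = 0x47AC0B84, .tv_usec = 123456 }; /* constructed */
    unsigned char good[WIRE_TIME_LEN], raw[WIRE_TIME_LEN];
    printf("sizeof(struct timeval) = %zu, raw copy safe: %d\n", sizeof tv, raw_copy_keeps_usec());
    if (pack_time(&tv, good) == 0)
        printf("fieldwise: sec=%u usec=%u\n", (unsigned)get_be32(good), (unsigned)get_be32(good + 4));
    pack_time_raw(&tv, raw);
    printf("raw copy : ");
    for (int i = 0; i < WIRE_TIME_LEN; i++) printf("%02x", raw[i]);
    printf("\n");
    return 0;
}
```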


