gdb data for model....
Carter Bullard
carter at qosient.com
Mon Apr 27 10:34:17 EDT 2009
Hey Russell,
OK, in terms of addressing your issue where argus just stops, where we have the
system time bug. It seems now that I've looked at the code, that the
ArgusUpdateTimer, the timer that dictates when argus() maintenance routines are
going to be run, may also need some help. This timer drives such routines as
garbage collection, queue timeout processing, etc.... If it gets set to some
bizarre value, things will stop doing what they are supposed to do.
It is really a very interesting problem, because we don't know which
timestamp is wrong, and so I've set up a 3-way executive algorithm, so
that when there is a question as to what the time really is, I'll have
packet header time, stored system time and current system, all for
comparison, when we are reading packets off the wire.
I have put in this test and uploaded a new argus-3.0.1, and changed the
beta number to 3. Please grab this and give it a run!!!
ftp://qosient.com/dev/argus-3.0/argus-3.0.1.beta.3.tar.gz
Thanks for all the help!!!!
Carter
On Apr 24, 2009, at 3:35 AM, Russell Fulton wrote:
>
> On 23/04/2009, at 11:57 AM, Carter Bullard wrote:
>
>> Well, they are supposed to end up in wherever your system logs go.
>> We just call syslog() with the string and a LOG_WARNING priority.
>>
>
> Time problem seems to be fixed (well there are no errors after a
> couple of hours running) but there are still some things wrong on the
> OBSD box.
>
> 1/ when in daemon mode I don't get anything out to syslog at all.
> I've checked the /etc/syslog.conf and we have an entry for
> daemon.info. I've checked the Make file to see the ARGUS_SYSLOG is
> set, ... <shrug> who knows!
>
> 2/ after a few hours the argus server stops writing to disk. I now
> have turned off daemon mode and redirecting all output to a file to
> see if we get any errors logged there. I know I've seen this before
> but can't remember what the issue was.
>
>
> I have all but given up on running argus on the OBSD firewall. There
> is a linux box which sees all the traffic so I have just installed
> argus there. Once I have things stable then I will investigate
> trying to trace connections through NAT. Roll on IP V6!
>
> [several hours later ;) ]
>
> Argus has quit writing the output file... here is what went to
> stdout/stderr:
>
>
> ArgusWarning: argus[25297]: 24 Apr 09 13:48:48.754981 started
> ArgusWarning: argus[25297]: 24 Apr 09 13:48:48.755375
> ArgusGetInterfaceStatus: interface em1 is up
> ArgusWarning: argus[25297]: 24 Apr 09 15:26:26.965622
> ArgusInterface timestamps wayyy out of order: now 1240543586 then
> 1647440201
> ArgusWarning: argus[25297]: 24 Apr 09 15:40:24.551463
> ArgusInterface timestamps wayyy out of order: now -1472925367 then
> 1240544424
> ArgusWarning: argus[25297]: 24 Apr 09 15:51:20.350149
> ArgusNewFlow() flow key is not correct len equals zero
> ArgusWarning: argus[25297]: 24 Apr 09 15:51:20.350226
> ArgusNewFlow() flow key is not correct len equals zero
> ArgusWarning: argus[25297]: 24 Apr 09 16:47:25.154733
> ArgusInterface timestamps wayyy out of order: now 1240548444 then
> 1548022089
> ArgusWarning: argus[25297]: 24 Apr 09 17:54:27.934813
> ArgusNewFlow() flow key is not correct len equals zero
> ArgusWarning: argus[25297]: 24 Apr 09 17:54:27.941594
> ArgusNewFlow() flow key is not correct len equals zero
> ArgusWarning: argus[25297]: 24 Apr 09 18:49:54.916573
> ArgusNewFlow() flow key is not correct len equals zero
> ArgusWarning: argus[25297]: 24 Apr 09 18:49:54.922336
> ArgusNewFlow() flow key is not correct len equals zero
> ArgusWarning: argus[25297]: 24 Apr 09 19:13:27.658833
> ArgusInterface timestamps wayyy out of order: now -1754861239 then
> 1240557207
> ArgusWarning: argus[25297]: 24 Apr 09 19:19:42.056047
> ArgusNewFlow() flow key is not correct len equals zero
> ArgusWarning: argus[25297]: 24 Apr 09 19:19:42.056113
> ArgusNewFlow() flow key is not correct len equals zero
>
>
> Russell
>
Carter Bullard
CEO/President
QoSient, LLC
150 E 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax
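
Added example, not part of the original message and not taken from the argus source: one way a three-source time vote like the one described above could work, picking the outlier among packet header time, stored system time and current system time. All names and the one-hour tolerance are assumptions; the first two values in the first two sample rows are the "now"/"then" pairs from the quoted warnings, while their assignment to packet/stored and every other value are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Illustrative names only; none of this is taken from the argus source. */
enum { SRC_PACKET, SRC_STORED, SRC_SYSTEM, SRC_NONE, SRC_UNDECIDED };

#define MAX_SKEW_SECS 3600   /* assumed tolerance between two sane clocks */

/* Two epoch-second values agree if both are positive and close together. */
static int agree(int64_t a, int64_t b)
{
    if (a <= 0 || b <= 0)
        return 0;            /* a zero or negative epoch never wins a vote */
    int64_t d = a > b ? a - b : b - a;
    return d <= MAX_SKEW_SECS;
}

/* Returns which source is the outlier (SRC_NONE if all are consistent,
 * SRC_UNDECIDED if no two agree) and stores the time to use in *trusted.
 * *trusted is left untouched when the result is SRC_UNDECIDED. */
int vote_time(int64_t pkt, int64_t stored, int64_t sys, int64_t *trusted)
{
    int ps = agree(pkt, stored), py = agree(pkt, sys), sy = agree(stored, sys);

    if (ps + py + sy >= 2) { *trusted = sys; return SRC_NONE; }
    if (py) { *trusted = sys; return SRC_STORED; }  /* stored time is bad */
    if (sy) { *trusted = sys; return SRC_PACKET; }  /* packet header is bad */
    if (ps) { *trusted = pkt; return SRC_SYSTEM; }  /* system clock is bad */
    return SRC_UNDECIDED;
}

int main(void)
{
    static const char *name[] = { "packet", "stored", "system", "none", "undecided" };
    /* Columns: packet, stored, system. Sample input, partly constructed. */
    int64_t in[][3] = {
        { 1240543586, 1647440201, 1240543587 },
        { -1472925367, 1240544424, 1240544425 },
        { 1240544424, 1240544423, 1647440201 },
    };
    for (int i = 0; i < 3; i++) {
        int64_t t = 0;
        int r = vote_time(in[i][0], in[i][1], in[i][2], &t);
        printf("outlier=%s trusted=%lld\n", name[r], (long long)t);
    }
    return 0;
}
```

With only two of the three values, neither warning pair above can say which side is wrong; the third source is what breaks the tie.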