Argus on Bivio 7500
Peter Van Epp
vanepp at sfu.ca
Mon Aug 10 23:08:10 EDT 2009
Well that's interesting :-), in that the while shouldn't have fallen
through. Looking at the code there are probably more things we need (it may
be easiest to step through with gdb as Carter suggested though :-)). The
variable found is interesting, if we don't find an active interface that will
cause a break that will likely end the while even though the variables are
OK. There is a break at line 2078, but that should be only the enclosing
for loop. That break (which isn't in the alternate call just below it which
may be suspicious) will bypass incrementing found and may be a bug. The
break at line 2239 if found is 0 may be the issue since I believe it will break
out of the do {} while with the terminate variables all OK (and with no
debug message) which is what you seem to be seeing. The base issue does seem
to be that your libpcap isn't returning packets as expected. Your trace doesn't
show any of the debug messages that should have shown up from a pcap error
which suggests you are finding a path that doesn't cross any of those debug
calls :-).
Peter Van Epp
On Mon, Aug 10, 2009 at 11:25:26AM -0400, Jason Carr wrote:
> argus[5874]: 10 Aug 09 11:24:04.039909 ArgusGetPackets returning:
> noerror 1 eNflag -1 ArgusShutDownStarted 0
>
> On Aug 10, 2009, at 12:42 AM, Peter Van Epp wrote:
>
>> On Sun, Aug 09, 2009 at 08:16:29PM -0400, Jason Carr wrote:
>>> Adding some debug code or running gdb and setting a breakpoint on
>>> pcap_dispatch, it doesn't seem like the pcap_dispatch code is ever
>>> executing.
>>>
>>> I'm not sure if their pcap supports selectable fd's or how to check.
>>> There's also two types of interfaces I'm dealing with, the physical
>>> interfaces and the default pseudo interface.
>>>
>>> Thanks,
>>>
>>> Jason
>>>
>>
>> It looks to me like it would be profitable to add a debug statement
>> like this after argus/ArgusSource.c line 2249:
>>
>> } while (noerror && (src->eNflag != 0) && (!(ArgusShutDownStarted)));
>>
>> #ifdef ARGUSDEBUG
>>    /* report the three loop-termination variables on exit */
>>    ArgusDebug(4, "ArgusGetPackets returning: noerror %d eNflag %d "
>>               "ArgusShutDownStarted %d\n", noerror, src->eNflag,
>>               ArgusShutDownStarted);
>> #endif
>>
>> That should tell us what triggered the shutdown. With the lack of any
>> pcap related error messages my guess is a timeout setting
>> ArgusShutDownStarted as I think any pcap related fault should give a
>> debug message which isn't present (note I assumed all the values are
>> int without checking :-)).
>>
>> Peter Van Epp
>>
>
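
An added example, not part of the original thread or the Argus source: a constructed C stand-in for the loop discussed above that records why it exits, so a break on found == 0 can be told apart from the while condition failing. The exit_reason enum, loop_state struct, get_packets function and the meaning given to eNflag are assumptions made for illustration.

```c
#include <stdio.h>
/* Hypothetical exit reasons; these names are not from ArgusSource.c. */
enum exit_reason { EXIT_CONDITION, EXIT_NO_ACTIVE_IF, EXIT_READ_ERROR };

struct loop_state {
    int noerror;   /* cleared on a read error */
    int eNflag;    /* assumed: packets left to read, -1 = no limit */
    int shutdown;  /* stands in for ArgusShutDownStarted */
};

/* Constructed stand-in for the capture loop. active[i] marks a usable
 * interface; reads[i] is packets per pass, negative for a read error. */
enum exit_reason get_packets(struct loop_state *s, const int *active,
                             const int *reads, int nif, int passes)
{
    enum exit_reason why = EXIT_CONDITION;
    do {
        int found = 0;
        for (int i = 0; i < nif; i++) {
            if (!active[i])
                continue;
            found++;                  /* counted before any break below */
            if (reads[i] < 0) {
                s->noerror = 0;
                why = EXIT_READ_ERROR;
                break;                /* leaves the for loop only */
            }
            if (s->eNflag > 0 && (s->eNflag -= reads[i]) < 0)
                s->eNflag = 0;        /* packet budget used up */
        }
        if (!found) {                 /* the silent path from the thread */
            why = EXIT_NO_ACTIVE_IF;
            break;                    /* leaves the do/while itself */
        }
        if (--passes <= 0)
            s->shutdown = 1;          /* simulated shutdown request */
    } while (s->noerror && s->eNflag != 0 && !s->shutdown);

    fprintf(stderr, "get_packets returning: reason %d noerror %d eNflag %d "
            "shutdown %d\n", why, s->noerror, s->eNflag, s->shutdown);
    return why;
}

int main(void)
{
    struct loop_state s = { 1, -1, 0 };
    int active[] = { 0, 0 }, reads[] = { 1, 1 };   /* constructed input */
    return get_packets(&s, active, reads, 2, 5) == EXIT_NO_ACTIVE_IF ? 0 : 1;
}
```

With no active interface the three termination variables keep the values seen in the posted trace (1, -1, 0); only the recorded reason shows that the loop ended through the break.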