ArgusGenerateRecord: packet size type not defined
Peter Van Epp
vanepp at sfu.ca
Mon Feb 2 23:51:05 EST 2009
On Mon, Feb 02, 2009 at 01:39:44PM -0500, Michael Grinnell wrote:
> Hi,
>
> Periodically Argus dies on my test system with the error
> "ArgusGenerateRecord: packet size type not defined." The time between
> these errors varies, sometimes it's only a minute or two after argus
> starts, other times it can be > 15 minutes. I've tried running a
> simultaneous tcpdump, then running the resulting capture file through
> argus, but I can't replicate the error. I also don't see any glaring
> errors in the capture file around the time it dies. This happens with
> argus 3.0.0 and with argus 3.0.1 beta2. The system is running CentOS
> 5.2 and is listening on a dedicated interface (NC7782, bnx2 driver) to a
> span port off of a Cisco switch. I have also updated to the newest bnx2
> drivers, but it still recurs. I'm trying to scare up another NIC to try
> as well.
>
> Thoughts?
>
> --
> Michael Grinnell
> Information Security Engineer
> The American University
Setting

ARGUS_PACKET_CAPTURE_FILE="/var/log/argus/packet.out"

in an argus.rc file will capture the input packets from pcap into the
specified file. If you can get lucky and get a failure before you run out of
disk space, one of the last packets in the file should tell us what argus isn't
liking. On a busy link this file will get large fast, but if it sometimes
fails quickly you may be lucky (you are also likely to see packet loss due to
the disk I/O on the sensor, but hopefully the fault will still occur).

It looks like the argus record is malformed (it is complaining that it
doesn't recognize the type in argus/ArgusModeler.c at line 2904 in the
argus-3.0.1.beta.2 code). A dump of the offending packet should tell Carter
why (or if the incoming packet is corrupted, which is also possible).
Peter Van Epp
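One way to look at the tail of that capture file once the sensor has died, as an added example for this thread (not argus code, and not posted by either participant). It assumes the ARGUS_PACKET_CAPTURE_FILE output is plain libpcap format (an assumption; `tcpdump -r` on the file is the quick check). Rather than relying on a reader that stops silently at the first bad record, it walks the file from the front and reports, for the last few records, whether each one is internally consistent (caplen against snaplen and wire length) or whether the file simply ends mid-record where the process died, with the byte offset so the record can be pulled up in a hex dump. The sample capture at the bottom is constructed in the script.

```python
"""Walk a libpcap capture from its start and report on the last records,
flagging per-record header inconsistencies and a file that ends mid-record
(what a sensor dying while writing ARGUS_PACKET_CAPTURE_FILE would leave).
Added example for this thread, not argus code; it assumes the capture file
is plain libpcap format (assumption)."""
import struct
import sys

GLOBAL_HDR_LEN = 24   # magic, major, minor, thiszone, sigfigs, snaplen, linktype
REC_HDR_LEN = 16      # ts_sec, ts_frac, caplen (bytes on disk), origlen (wire length)

# Magic as the four bytes appear on disk -> (struct byte-order prefix, timestamp unit)
MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", "us"),
    b"\xa1\xb2\xc3\xd4": (">", "us"),
    b"\x4d\x3c\xb2\xa1": ("<", "ns"),
    b"\xa1\xb2\x3c\x4d": (">", "ns"),
}


def parse_pcap(data):
    """Return (file_info, records). Never raises on a short or corrupt record:
    the problem is noted in that record's 'flags' and parsing stops there."""
    if len(data) < GLOBAL_HDR_LEN:
        raise ValueError("shorter than a pcap global header (%d bytes)" % len(data))
    try:
        order, ts_unit = MAGICS[data[:4]]
    except KeyError:
        raise ValueError("not a libpcap file (magic %r)" % data[:4])
    vmaj, vmin, _tz, _sig, snaplen, linktype = struct.unpack(
        order + "HHiIII", data[4:GLOBAL_HDR_LEN])
    info = {"byte_order": "little" if order == "<" else "big", "ts_unit": ts_unit,
            "version": (vmaj, vmin), "snaplen": snaplen, "linktype": linktype}
    records = []
    off = GLOBAL_HDR_LEN
    while off < len(data):
        rec = {"index": len(records), "offset": off, "flags": []}
        hdr = data[off:off + REC_HDR_LEN]
        if len(hdr) < REC_HDR_LEN:
            # File ends inside a record header: the writer died mid-write.
            rec["flags"].append("truncated_header")
            rec["present"] = len(hdr)
            records.append(rec)
            break
        ts_sec, ts_frac, caplen, origlen = struct.unpack(order + "IIII", hdr)
        body = data[off + REC_HDR_LEN:off + REC_HDR_LEN + caplen]
        rec.update(ts_sec=ts_sec, ts_frac=ts_frac, caplen=caplen,
                   origlen=origlen, present=len(body), body=body)
        # Header self-consistency checks: any of these means the record, or the
        # file position itself, cannot be trusted and deserves a hex dump.
        if caplen == 0:
            rec["flags"].append("zero_length")
        if caplen > snaplen:
            rec["flags"].append("caplen_exceeds_snaplen")
        if caplen > origlen:
            rec["flags"].append("caplen_exceeds_origlen")
        if len(body) < caplen:
            # Declared length runs past end of file: the last record is incomplete.
            rec["flags"].append("truncated_body")
        records.append(rec)
        if len(body) < caplen:
            break
        off += REC_HDR_LEN + caplen
    return info, records


def tail_report(data, n=3):
    """Return one summary line for the file plus one per record for the last n records."""
    info, records = parse_pcap(data)
    lines = ["linktype=%d snaplen=%d byte_order=%s records=%d" % (
        info["linktype"], info["snaplen"], info["byte_order"], len(records))]
    for r in records[-n:]:
        lines.append("#%d @%d caplen=%s origlen=%s present=%d flags=%s" % (
            r["index"], r["offset"], r.get("caplen"), r.get("origlen"),
            r["present"], ",".join(r["flags"]) or "ok"))
    return lines


def build_pcap(records, snaplen=65535, linktype=1, order="<"):
    """Constructed test input: records are (declared_caplen, origlen, body_bytes),
    so a body shorter than declared_caplen simulates a file cut off mid-record."""
    out = struct.pack(order + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)
    for i, (caplen, origlen, body) in enumerate(records):
        out += struct.pack(order + "IIII", 1233614105 + i, 0, caplen, origlen) + body
    return out


# Constructed sample: one sane Ethernet frame, one record whose caplen exceeds
# its wire length, and a final record the file ends in the middle of.
SAMPLE_PCAP = build_pcap([
    (60, 60, bytes(60)),
    (40, 20, bytes(40)),
    (100, 100, bytes(20)),
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    print("\n".join(tail_report(data)))
```

Run it as `python3 pcaptail.py /var/log/argus/packet.out`; with no argument it reports on the constructed sample. A final record flagged `truncated_body` or `truncated_header` is just where the process stopped writing, so the interesting packet is usually the one before it; a record flagged `caplen_exceeds_snaplen` or `caplen_exceeds_origlen` earlier in the file points at corrupted input (or a writer that lost sync) and the offset is where to start reading.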