segfault at 000000000311c000 rip 000000000040fb46 rsp 0000007fbffff830 error 4

Carter Bullard carter at qosient.com
Sat May 30 10:03:19 EDT 2009


It is easy to cast memory to any structure type in gdb() so you
don't really need to do this, but it may be convenient.

While a single packet may cause argus() to corrupt memory,
you may not generate the coredump until hundreds more packets
have been processed, so looking for the last packet will
probably not reveal the problem.

You should try using the ARGUS_PACKET_CAPTURE_FILE
feature in the /etc/argus.conf file.  I think Peter suggested this.
This will cause argus to write all the packets it will process into a
file.  You can have a simple program that renames the file, say every
hour, and you can usually delete all but the last file if you are
worried about memory use.  Argus will recreate it and continue to
capture.

Running argus against this file, with the "-M rtime" option, to
preserve the timings when playing back, will usually reveal the
bug.

Carter

On May 30, 2009, at 6:37 AM, Gunnar Lindberg wrote:

> Great, thanks. First thing Monday.
>
> Then, it's quite infrequent. Less than once a week by now. Which is
> partly why my 0.0c is for strange packet data (I do part time IRT
> work and expect packets with every illegal combination of flag bits).
>
> I have another idea to possibly catch the current/last packet, if
> we encounter similar crashes again (most/all packets will pass via
> ArgusGetPackets() so that should hold at most times). My plan is
> to move these declarations to the beginning of ArgusGetPackets(),
> i.e. have gdb be able to print the last packet data. Of course the
> buffer could also be damaged, but maybe enough is left to deduce
> what it was.
>
> Is there any reason not to do this (there seem to be two occurrences
> of these and I will simply comment them both)?
>
>   2126 /* libpcap workaround */
>   2127                      struct pcap_pkthdr *header;
>   2128                      const u_char *pkt_data;
>
> 	Gunnar Lindberg
>
>> From carter at qosient.com  Fri May 29 17:03:44 2009
>> Cc: argus-info at lists.andrew.cmu.edu
>> Message-Id: <40529AC8-3FFC-456A-892F-F9184A488D85 at qosient.com>
>> From: Carter Bullard <carter at qosient.com>
>> To: Gunnar Lindberg <Gunnar.Lindberg at chalmers.se>
>> In-Reply-To: <200905291313.n4TDDIsO007386 at grunert.cdg.chalmers.se>
>> Subject: Re: [ARGUS] segfault at 000000000311c000 rip  
>> 000000000040fb46rsp	0000007fbffff830 error 4
>> Date: Fri, 29 May 2009 11:03:28 -0400
>> References: <200905291313.n4TDDIsO007386 at grunert.cdg.chalmers.se>
>
>> Hey Gunnar,
>> Your problems are so fundamental, crash here, there, everywhere,
>> all with memory corruption, that it seems clear that you do not
>> have a standard problem (how could anyone use this software
>> with these kinds of issues).  Some 64-bit machines do weird things,
>> so..........
>
>> Apply this patch and completely rebuild the argus distribution:
>
>> *** argus_out.h	Wed Feb 25 01:22:20 2009
>> --- argus_out.h.new	Fri May 29 11:00:31 2009
>> ***************
>> *** 47,60 ****
>> ...
>
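
The hourly rename-and-prune step described in the message above, sketched as a shell script. This is an added example, not part of the original message or the argus distribution; the function names, the timestamp suffix and the KEEP argument are assumptions, and the capture file path is whatever ARGUS_PACKET_CAPTURE_FILE names.

```shell
#!/bin/sh
# Added example: rotation for the file named by ARGUS_PACKET_CAPTURE_FILE,
# keeping only the newest KEEP rotated copies.
# Usage (e.g. hourly from cron): rotate_capture.sh FILE [KEEP]

# prune_rotated FILE KEEP: delete all but the newest KEEP rotated copies.
# Suffixes are YYYYmmdd-HHMMSS, so glob (lexical) order is oldest first.
prune_rotated() {
    capfile=$1
    keep=$2
    set -- "$capfile".[0-9]*
    [ -e "$1" ] || return 0          # glob matched nothing
    while [ "$#" -gt "$keep" ]; do
        rm -f -- "$1"
        shift
    done
}

# rotate_capture FILE [KEEP] [STAMP]: rename FILE to FILE.STAMP, then prune.
# STAMP defaults to the current time; it is a parameter only for testing.
rotate_capture() {
    capfile=$1
    keep=${2:-1}
    stamp=${3:-$(date +%Y%m%d-%H%M%S)}
    # Nothing captured since the last rotation: leave things alone.
    [ -s "$capfile" ] || return 0
    # Never overwrite an earlier capture; it may hold the crashing packet.
    if [ -e "$capfile.$stamp" ]; then
        echo "refusing to overwrite $capfile.$stamp" >&2
        return 1
    fi
    mv -- "$capfile" "$capfile.$stamp" || return 1
    prune_rotated "$capfile" "$keep"
}

# After a crash, replay the surviving file with the original timings, e.g.:
#   argus -r FILE.STAMP -M rtime -w replay.out   (replay.out is a made-up name)
if [ "$#" -gt 0 ]; then
    rotate_capture "$@"
fi
```

Because memory corruption may surface hundreds of packets after the packet that caused it, a KEEP of 2 or more avoids losing that packet when the crash lands just after a rotation.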
