Argus server exits with "maximum errors exceeded 200000"

Guy Dickinson guy.dickinson at nyu.edu
Tue Nov 24 11:32:49 EST 2009


Peter Van Epp wrote:
> 
> 	Looks like the socket errors may be a red herring. They seem to happen
> during shutdown (which could mean the socket has been closed when something
> thinks it should write, which may be a bug but probably not what's biting us 
> right now :-)), but something previous has caused the input stream to return 
> and cause an argus shutdown:
> 
> 
> argus[1265]: 22 Nov 09 01:22:21.797208 main() ArgusGetPackets returned:
> shuting down
>  
> we need to figure out why that happened (usually a libpcap error of some kind).
> Does /var/log/messages have anything interesting in it around this time? If
> I'm remembering the correct thread you are on a Ninja with RHEL so that's where
> syslog should be going by default. There hopefully is a syslog message of the
> form "ArgusGetInterfaceStatus: something bad happened" in syslog to point us
> to what is unhappy. 
> 	There was a similar problem a few months ago on a Bivio and at that 
> time I found a case where argus would silently close the pcap interface (and 
> then shut down due to no interface :-)) when it got an error and suggested we 
> needed to add a syslog message in that case for the next time this happened 
> :-).  A quick look at the code (argus/ArgusSource.c in ArgusGetInterfaceStatus)
> indicates the code has changed substantially and so may need a closer look to 
> see if a similar silent path exists if there isn't anything in syslog.
> 
> Peter Van Epp
> 

While argus is running, I continually see messages like this one:

argus[14706]: 20 Nov 09 12:19:30.312082 setArgusInterfaceStatus(1)

After a few seconds of running, after a client connects, they occur
several hundred at a time.
Unfortunately, there's no "GetArgusInterfaceStatus" message.

I happen to have the same traffic that I'm monitoring with my DAG device
plugged into a regular, boring kernel ethernet interface. If I use that
as my capture device, those messages go away.

There appears to be some code in ArgusCode.c within
ArgusGetInterfaceStatus() which handles dag devices specifically,
starting on line 2444 (in version 3.0.2):

   2444    if (strstr(device->name, "dag")  || strstr(device->name, "default")) {
   2445       for (i = 0; i < src->ArgusInterfaces; i++) {
   2446          if (src->ArgusInterface[i].ArgusPd && (pcap_fileno(src->ArgusInterface[i].ArgusPd) > 0))
   2447             bzero ((char *)&src->ArgusInterface[i].ifr, sizeof(ifr));
   2448
   2449          src->ArgusInterface[i].ifr.ifr_flags |= IFF_UP;
   2450          setArgusInterfaceStatus(src, 1);
   2451       }

I admit to being unfamiliar with the Argus source at this depth but it
seems like it may be a relevant passage of code.

I'm happy to turn debugging up on any other parts of the code that might
be relevant but may need pointers as to where to look.

Thanks again,
Guy

-- 
------------------
Guy Dickinson, Network Security Analyst
NYU ITS Technology Security Services
guy.dickinson at nyu.edu
(212) 998-3052
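An added triage script, not part of this thread or of the Argus project: it parses argus log lines in the syslog shape quoted above, counts how many setArgusInterfaceStatus(1) messages land in each second so the "several hundred at a time" bursts can be measured rather than eyeballed, and reports how long before the "ArgusGetPackets returned" shutdown line the last burst occurred. The sample log lines are constructed for the example (only the two message texts quoted in the thread are used), and the burst threshold is an assumed value to be tuned against a real sensor log.

```python
import re
from collections import Counter
from datetime import datetime

# Matches the argus syslog line shape quoted in this thread:
#   argus[PID]: DD Mon YY HH:MM:SS.micro message
LINE_RE = re.compile(
    r"^argus\[(?P<pid>\d+)\]: "
    r"(?P<ts>\d{2} \w{3} \d{2} \d{2}:\d{2}:\d{2})\.(?P<us>\d{6}) "
    r"(?P<msg>.*)$"
)

STATUS_MSG = "setArgusInterfaceStatus(1)"
SHUTDOWN_MSG = "ArgusGetPackets returned"

# Constructed sample input (not a capture from a real sensor); the message
# texts follow the two lines quoted in the thread.
SAMPLE_LOG = """\
argus[14706]: 20 Nov 09 12:19:30.312082 setArgusInterfaceStatus(1)
argus[14706]: 20 Nov 09 12:19:30.412090 setArgusInterfaceStatus(1)
argus[14706]: 20 Nov 09 12:19:31.100002 setArgusInterfaceStatus(1)
argus[14706]: 20 Nov 09 12:19:31.100003 setArgusInterfaceStatus(1)
argus[14706]: 20 Nov 09 12:19:31.100004 setArgusInterfaceStatus(1)
argus[14706]: 20 Nov 09 12:19:31.100005 setArgusInterfaceStatus(1)
argus[14706]: 20 Nov 09 12:19:35.797208 main() ArgusGetPackets returned: shuting down
"""


def parse_line(line):
    """Return (pid, datetime, message) for one argus log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d %b %y %H:%M:%S")
    ts = ts.replace(microsecond=int(m.group("us")))
    return int(m.group("pid")), ts, m.group("msg")


def parse_log(text):
    """Parse every well-formed line; malformed lines are skipped rather than fatal."""
    return [rec for rec in (parse_line(l) for l in text.splitlines()) if rec]


def status_bursts(records, threshold):
    """Seconds in which setArgusInterfaceStatus(1) fired at least `threshold` times."""
    per_second = Counter(
        ts.replace(microsecond=0) for _, ts, msg in records if msg == STATUS_MSG
    )
    return sorted((sec, n) for sec, n in per_second.items() if n >= threshold)


def shutdown_events(records):
    """Timestamps of the 'ArgusGetPackets returned' shutdown message."""
    return [ts for _, ts, msg in records if SHUTDOWN_MSG in msg]


def triage(text, threshold=3):
    """Summarise bursts and shutdowns, and the gap from the last burst to the shutdown.

    `threshold` is an assumed value; pick it from a quiet baseline on a real sensor.
    """
    records = parse_log(text)
    bursts = status_bursts(records, threshold)
    shutdowns = shutdown_events(records)
    gap = None
    if bursts and shutdowns:
        gap = shutdowns[-1] - bursts[-1][0]
    return {"bursts": bursts, "shutdowns": shutdowns, "burst_to_shutdown": gap}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for sec, n in result["bursts"]:
        print(f"{sec}: {n} x {STATUS_MSG}")
    for ts in result["shutdowns"]:
        print(f"{ts}: shutdown")
    print("last burst -> shutdown:", result["burst_to_shutdown"])
```

Run it against the argus syslog output (for example `python3 triage.py < /var/log/messages` after swapping SAMPLE_LOG for `sys.stdin.read()`); a burst that lines up with a client connect and a shutdown a few seconds later is the correlation the thread is looking for, and a burst with no shutdown following it narrows the problem to the DAG status path alone.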