ArgusEstablishListen: bind() error

Carter Bullard carter at qosient.com
Mon Apr 26 17:26:43 EDT 2010 

Hey Mike,
I found the bug, and have fixed it in the development thread of argus.
This version is very stable, and fixes many bugs in argus-3.0.2.
I suggest that you grab it for your testing.

   http://qosient.com/argus/dev/argus-3.0.3.7.tar.gz

You should grab accompanying argus-clients as well.

This patch will fix your argus-3.0.2 if you would like to stay with it:

thoth:argus carter$ diff -c ArgusSource.c ArgusSource.c.new
*** ArgusSource.c	Thu Oct 15 12:14:57 2009
--- ArgusSource.c.new	Mon Apr 26 17:22:55 2010
***************
*** 1433,1438 ****
--- 1433,1439 ----
     src->ArgusModel->ArgusThisEncaps  = 0;
  
     if (p) {
+       src->ArgusModel->ArgusThisIpHdr   = ip;
        src->ArgusModel->ArgusThisLength  = length;
        ArgusProcessIpPacket (src->ArgusModel, ip, length, tvp);
     }


Carter

On Apr 26, 2010, at 3:04 PM, Mike Tancsa wrote:

> At 02:49 PM 4/26/2010, Carter Bullard wrote:
>> Hey Mike,
>> Since we're using the ArgusNullPacket() routine to parse the packets, I may not
>> have a proper packet parser for the tun interface you're using.  Not a problem....
>> If you could capture some packets (> 50) in a pcap dump file, say using tcpdump.
>> I'll use it to debug.  Test that argus dies on the pcap file to make sure it
>> tickles the bug.
>> 
>>   # tcpdump -i tun0 -w test.out  ( or whatever interface your capturing from)
>>   # argus -r test.out -w argus.out
> 
> Hi,
>        I was able to recreate the condition
> 
> # argus -r killer.pcap -w test.arg
> Segmentation fault (core dumped)
> #
> 
> Thanks for looking!
> 
>        ---Mike
> 
> 
>> Carter
>> 
>> On Apr 26, 2010, at 2:43 PM, Mike Tancsa wrote:
>> 
>> > At 02:26 PM 4/26/2010, Carter Bullard wrote:
>> >> Hey Mike,
>> >> When you run independent images of argus on multiple interfaces, you need each
>> >> of them to have
>> >>   1. unique ARGUS_MONITOR_IDs,
>> >
>> > Hi,
>> >        Thanks for the quick and detailed reply!  It was the ARGUS_MONITOR_ID that I had forgot to change. That fixed it!
>> >
>> > However, I have come across a new problem. It seems that on ppp style tun interfaces on FreeBSD, argus coredumps
>> >
>> > I recompiled 3.0.2 with -g and I get the following coredump
>> >
>> > gdb argus argus.core
>> > GNU gdb 6.1.1 [FreeBSD]
>> > Copyright 2004 Free Software Foundation, Inc.
>> > GDB is free software, covered by the GNU General Public License, and you are
>> > welcome to change it and/or distribute copies of it under certain conditions.
>> > Type "show copying" to see the conditions.
>> > There is absolutely no warranty for GDB.  Type "show warranty" for details.
>> > This GDB was configured as "i386-marcel-freebsd"...
>> > Core was generated by `argus'.
>> > Program terminated with signal 11, Segmentation fault.
>> > Reading symbols from /lib/libpcap.so.5...done.
>> > Loaded symbols for /lib/libpcap.so.5
>> > Reading symbols from /usr/lib/libwrap.so.5...done.
>> > Loaded symbols for /usr/lib/libwrap.so.5
>> > Reading symbols from /lib/libm.so.5...done.
>> > Loaded symbols for /lib/libm.so.5
>> > Reading symbols from /lib/libc.so.7...done.
>> > Loaded symbols for /lib/libc.so.7
>> > Reading symbols from /libexec/ld-elf.so.1...done.
>> > Loaded symbols for /libexec/ld-elf.so.1
>> > #0  ArgusCreateIPv4Flow (model=0x28301400, ip=0x0) at ArgusModeler.c:3734
>> > 3734       unsigned char *nxtHdr = (unsigned char *)((char *)ip + (ip->ip_hl << 2));
>> > (gdb) bt full
>> > #0  ArgusCreateIPv4Flow (model=0x28301400, ip=0x0) at ArgusModeler.c:3734
>> >        nxtHdr = Variable "nxtHdr" is not available.
>> > (gdb) bt
>> > #0  ArgusCreateIPv4Flow (model=0x28301400, ip=0x0) at ArgusModeler.c:3734
>> > #1  0x080531a5 in ArgusProcessIpPacket (model=0x28301400, ip=0x283aa018, length=71, tvp=0xbfbfe524) at ArgusModeler.c:1462
>> > #2  0x08054c1e in ArgusIpPacket (user=0x2834e000 "", h=0xbfbfe5b8, p=0x283aa018 "EÀ") at ArgusSource.c:1437
>> > #3  0x08054d79 in ArgusNullPacket (user=0x2834e000 "", h=0xbfbfe60c, p=0x283aa014 "\002") at ArgusSource.c:1998
>> > #4  0x280d1b44 in pcap_open_live () from /lib/libpcap.so.5
>> > #5  0x280d1f64 in pcap_dispatch () from /lib/libpcap.so.5
>> > #6  0x08056bf5 in ArgusGetPackets (src=0x2834e000) at ArgusSource.c:2143
>> > #7  0x0804c581 in main (argc=9, argv=0xbfbfec40) at argus.c:564
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> 
>> Carter Bullard
>> CEO/President
>> QoSient, LLC
>> 150 E 57th Street Suite 12D
>> New York, New York  10022
>> 
>> +1 212 588-9133 Phone
>> +1 212 588-9134 Fax
>> 
>> 
>> 
>> 
> 
> --------------------------------------------------------------------
> Mike Tancsa,                                      tel +1 519 651 3400
> Sentex Communications,                            mike at sentex.net
> Providing Internet since 1994                    www.sentex.net
> Cambridge, Ontario Canada                         www.sentex.net/mike
> <killer.pcap.gz>



-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3815 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20100426/e4bb010d/attachment.bin>

More information about the argus mailing list