ArgusEstablishListen: bind() error

Mike Tancsa mike at sentex.ca
Mon Apr 26 21:40:39 EDT 2010 

At 05:26 PM 4/26/2010, Carter Bullard wrote:
>Hey Mike,
>I found the bug, and have fixed it in the development thread of argus.
>This version is very stable, and fixes many bugs in argus-3.0.2.
>I suggest that you grab it for your testing.
>
>    http://qosient.com/argus/dev/argus-3.0.3.7.tar.gz

Thanks!  The server portion works well.  Its nice 
I can add all the interfaces in the one conf 
now.  To build on FreeBSD 7.x, I had to make one small change to the source

--- argus.c     2010-04-26 15:49:45.000000000 -0400
+++ 
/usr/ports/net-mgmt/argus3/work/argus-3.0.3.7/argus/argus.c 
2010-04-26 20:41:41.000000000 -0400
@@ -729,7 +729,7 @@

  int ArgusShutDownFlag = 0;

-#include <execinfo.h>
+/* #include <execinfo.h> */

  void
  ArgusScheduleShutDown (int sig)


The clients seem to compile just fine

         ---Mike



>You should grab accompanying argus-clients as well.
>
>This patch will fix your argus-3.0.2 if you would like to stay with it:
>
>thoth:argus carter$ diff -c ArgusSource.c ArgusSource.c.new
>*** ArgusSource.c       Thu Oct 15 12:14:57 2009
>--- ArgusSource.c.new   Mon Apr 26 17:22:55 2010
>***************
>*** 1433,1438 ****
>--- 1433,1439 ----
>      src->ArgusModel->ArgusThisEncaps  = 0;
>
>      if (p) {
>+       src->ArgusModel->ArgusThisIpHdr   = ip;
>         src->ArgusModel->ArgusThisLength  = length;
>         ArgusProcessIpPacket (src->ArgusModel, ip, length, tvp);
>      }
>
>
>Carter
>
>On Apr 26, 2010, at 3:04 PM, Mike Tancsa wrote:
>
> > At 02:49 PM 4/26/2010, Carter Bullard wrote:
> >> Hey Mike,
> >> Since we're using the ArgusNullPacket() 
> routine to parse the packets, I may not
> >> have a proper packet parser for the tun 
> interface you're using.  Not a problem....
> >> If you could capture some packets (> 50) in 
> a pcap dump file, say using tcpdump.
> >> I'll use it to debug.  Test that argus dies 
> on the pcap file to make sure it
> >> tickles the bug.
> >>
> >>   # tcpdump -i tun0 -w test.out  ( or 
> whatever interface your capturing from)
> >>   # argus -r test.out -w argus.out
> >
> > Hi,
> >        I was able to recreate the condition
> >
> > # argus -r killer.pcap -w test.arg
> > Segmentation fault (core dumped)
> > #
> >
> > Thanks for looking!
> >
> >        ---Mike
> >
> >
> >> Carter
> >>
> >> On Apr 26, 2010, at 2:43 PM, Mike Tancsa wrote:
> >>
> >> > At 02:26 PM 4/26/2010, Carter Bullard wrote:
> >> >> Hey Mike,
> >> >> When you run independent images of argus 
> on multiple interfaces, you need each
> >> >> of them to have
> >> >>   1. unique ARGUS_MONITOR_IDs,
> >> >
> >> > Hi,
> >> >        Thanks for the quick and detailed 
> reply!  It was the ARGUS_MONITOR_ID that I had forgot to change. That fixed it!
> >> >
> >> > However, I have come across a new problem. 
> It seems that on ppp style tun interfaces on FreeBSD, argus coredumps
> >> >
> >> > I recompiled 3.0.2 with -g and I get the following coredump
> >> >
> >> > gdb argus argus.core
> >> > GNU gdb 6.1.1 [FreeBSD]
> >> > Copyright 2004 Free Software Foundation, Inc.
> >> > GDB is free software, covered by the GNU 
> General Public License, and you are
> >> > welcome to change it and/or distribute 
> copies of it under certain conditions.
> >> > Type "show copying" to see the conditions.
> >> > There is absolutely no warranty for 
> GDB.  Type "show warranty" for details.
> >> > This GDB was configured as "i386-marcel-freebsd"...
> >> > Core was generated by `argus'.
> >> > Program terminated with signal 11, Segmentation fault.
> >> > Reading symbols from /lib/libpcap.so.5...done.
> >> > Loaded symbols for /lib/libpcap.so.5
> >> > Reading symbols from /usr/lib/libwrap.so.5...done.
> >> > Loaded symbols for /usr/lib/libwrap.so.5
> >> > Reading symbols from /lib/libm.so.5...done.
> >> > Loaded symbols for /lib/libm.so.5
> >> > Reading symbols from /lib/libc.so.7...done.
> >> > Loaded symbols for /lib/libc.so.7
> >> > Reading symbols from /libexec/ld-elf.so.1...done.
> >> > Loaded symbols for /libexec/ld-elf.so.1
> >> > #0  ArgusCreateIPv4Flow (model=0x28301400, 
> ip=0x0) at ArgusModeler.c:3734
> >> > 3734       unsigned char *nxtHdr = 
> (unsigned char *)((char *)ip + (ip->ip_hl << 2));
> >> > (gdb) bt full
> >> > #0  ArgusCreateIPv4Flow (model=0x28301400, 
> ip=0x0) at ArgusModeler.c:3734
> >> >        nxtHdr = Variable "nxtHdr" is not available.
> >> > (gdb) bt
> >> > #0  ArgusCreateIPv4Flow (model=0x28301400, 
> ip=0x0) at ArgusModeler.c:3734
> >> > #1  0x080531a5 in ArgusProcessIpPacket 
> (model=0x28301400, ip=0x283aa018, length=71, 
> tvp=0xbfbfe524) at ArgusModeler.c:1462
> >> > #2  0x08054c1e in ArgusIpPacket 
> (user=0x2834e000 "", h=0xbfbfe5b8, p=0x283aa018 "EÀ") at ArgusSource.c:1437
> >> > #3  0x08054d79 in ArgusNullPacket 
> (user=0x2834e000 "", h=0xbfbfe60c, p=0x283aa014 "\002") at ArgusSource.c:1998
> >> > #4  0x280d1b44 in pcap_open_live () from /lib/libpcap.so.5
> >> > #5  0x280d1f64 in pcap_dispatch () from /lib/libpcap.so.5
> >> > #6  0x08056bf5 in ArgusGetPackets (src=0x2834e000) at ArgusSource.c:2143
> >> > #7  0x0804c581 in main (argc=9, argv=0xbfbfec40) at argus.c:564
> >> >
> >> >
> >> >
> >> >
> >> >
> >> >
> >> >
> >> >
> >>
> >> Carter Bullard
> >> CEO/President
> >> QoSient, LLC
> >> 150 E 57th Street Suite 12D
> >> New York, New York  10022
> >>
> >> +1 212 588-9133 Phone
> >> +1 212 588-9134 Fax
> >>
> >>
> >>
> >>
> >
> > --------------------------------------------------------------------
> > Mike Tancsa,                                      tel +1 519 651 3400
> > Sentex Communications,                            mike at sentex.net
> > Providing Internet since 1994                    www.sentex.net
> > Cambridge, Ontario Canada                         www.sentex.net/mike
> > <killer.pcap.gz>
>
>
>
>

More information about the argus mailing list