ra 3.0.3.17 timestamp bug & several bugs in ragraph

Carter Bullard carter at qosient.com
Fri Sep 10 09:30:52 EDT 2010


Hey Maketsi,
With regard to ragraph() errors.

ragraph() is a perl front end to the program rabins().  When you get faults on input, or
any major error with ragraph(), please run ragraph() with the -debug option, in order to
get a better feel for how it's breaking.

ArgusCalloc errors do happen when the amount of data being processed 
exceeds the allowable virtual memory space, or when a record is corrupted, and
claims its size is way too large. 

When you are graphing a single metric, without objects (like saddr), you can use
the "-m srcid" option to have ragraph() aggregate its data on input.  The "srcid"
field for most, represents a small number of distinct values, so we use only a little
core memory to accumulate the statistics.  This will cause ragraph to run much
faster and use less memory.  I need to figure out how to do this automatically
in the script, as most people don't know about this feature.

When you have an argus data file that is doing weird things, having a history of how
the file was created helps to understand how it is, or if it is, corrupted.  And most
importantly, if you can provide the files, that will help me to debug problems.

Carter

On Sep 10, 2010, at 3:21 AM, maketsi wrote:

> There's a bug in newest ra client version 3.0.3.17. Timerange given as
> unix timestamps is parsed incorrectly when the timerange spans
> multiple days. This worked correctly in earlier version 3.0.3.7.
> 
> # ra -n -r argus.dat -t 1284062403-1284073203
> error: invalid time range startime_t 1284148803.000000 lasttime_t
> 1284073203.000000
> ra[26499]: 2010-09-10T09:29:33 time syntax error 1284062403-1284073203
> 
> # convdate.pl 1284062403
> 2010-09-09 23:00:03
> # convdate.pl 1284073203
> 2010-09-10 02:00:03
> 
> 
> Also, there are several bugs in ragraph 3.0.3.17 that weren't there on
> 3.0.2. I haven't tested the versions between.
> 
> # ragraph pkts -M 1m -r /opt/data/argus/log/argus.dat -R
> /opt/data/archive/argus/20100909 -t -3d -w test.png -no-legend -title
> test -width 600 -height 300  - tcp
> rabins[4557]: 1284101219.488198 ArgusCalloc: malloc error Cannot allocate memory
> usage: /opt/argus/bin/ragraph metric (srcid | proto [daddr] | dport)
> [-title "title"] [ra-options]
> /opt/argus/bin/ragraph: unable to create `/tmp/filekgWEpm.rrd': start
> time: unparsable time:
> 
> # ragraph pkts -M 1m -r /opt/data/argus/log/argus.dat -w testi.png
> -no-legend -title testi -width 600 -height 300  - tcp
> sh: line 1:  4578 Segmentation fault
> /opt/argus-clients-3.0.3.17/bin/rabins -M hard zero -p6 -GL0 -s ltime
> pkts -M 1m -r /opt/data/argus/log/argus.dat - tcp >/tmp/fileJiy88v
> usage: /opt/argus/bin/ragraph metric (srcid | proto [daddr] | dport)
> [-title "title"] [ra-options]
> /opt/argus/bin/ragraph: unable to create `/tmp/fileJiy88v.rrd': start
> time: unparsable time:
> 
> # racount -r /opt/data/argus/log/argus.dat
> racount   records     total_pkts     src_pkts       dst_pkts
> total_bytes        src_bytes          dst_bytes
>    sum   462         0              0              0              0
>               0                  0
> 
> # racount -R /opt/data/archive/argus/20100909
> racount   records     total_pkts     src_pkts       dst_pkts
> total_bytes        src_bytes          dst_bytes
>    sum   38115       11747          11747          0
> 832336             832336             0
> 
> # ragraph pkts -M 5m -r argus2.dat -t -3h -w test.png -no-legend
> -title test -width 600 -height 300  - tcp and port 445
> rabins[26736]: 1284103070.646183 ArgusInsertRecord: ArgusCalloc error
> No such file or directory
> usage: /opt/argus/bin/ragraph metric (srcid | proto [daddr] | dport)
> [-title "title"] [ra-options]
> /opt/argus/bin/ragraph: unable to create `/tmp/fileWBDZHy.rrd': start
> time: unparsable time:
> 
> # ragraph pkts -M 5m -r argus2.dat  -w test.png -no-legend -title test
> -width 600 -height 300  - tcp and port 445
> /opt/argus/bin/ragraph: unable to update `/tmp/filenmt2Kq.rrd':
> illegal attempt to update using time 1284101700 when last update time
> is 1284101700 (minimum one second step)
> 
> # racount -r argus2.dat
> racount   records     total_pkts     src_pkts       dst_pkts
> total_bytes        src_bytes          dst_bytes
>    sum   136716      315709         313286         2423
> 21747340           21492415           254925
> 
> # ratimerange -r argus2.dat
> 2010-09-10T09:58:46 - 2010-09-10T10:19:46
> 
> 
> Environment:
> 
> System:  Linux 2.6.28 #1 Fri Jan 16 16:25:22 EET 2009 i686 i686 i386 GNU/Linux
> Arch:    i686
> Paths:    /opt/argus/bin/ra /usr/sbin/tcpdump /usr/bin/make
> /usr/bin/gmake /usr/bin/gcc /usr/bin/cc
> RA:      Ra Version 3.0.3.17
> TCPDUMP: tcpdump version 3.8 libpcap version 0.8.3
> 
> GCC:     Reading specs from /usr/lib/gcc/i386-redhat-linux/3.4.6/specs
> Configured with: ../configure --prefix=/usr --mandir=/usr/share/man
> --infodir=/usr/share/info --enable-shared --enable-threads=posix
> --disable-checking --with-system-zlib --enable-__cxa_atexit
> --disable-lib$
> Thread model: posix
> gcc version 3.4.6 20060404 (Red Hat 3.4.6-10)
> 
> LIBC:
> lrwxrwxrwx  1 root root 13 Nov 18  2008 /lib/libc.so.6 -> libc-2.3.4.so
> -rwxr-xr-x  1 root root 1529720 Apr 15  2008 /lib/libc-2.3.4.so
> -rw-r--r--  1 root root 2437028 Apr 15  2008 /usr/lib/libc.a
> -rw-r--r--  1 root root 204 Apr 15  2008 /usr/lib/libc.so
> 
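
The reply above notes that ArgusCalloc errors can come from a corrupted record that claims a size that is far too large. The following is an added example, not code from argus-clients or from either poster, showing a reader that validates an untrusted record length before it reaches the allocator. The 4-byte big-endian length header, the 64 KB cap and the name `read_records` are assumptions for illustration and are not the Argus record format.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HDR_LEN 4u                /* hypothetical header: 32-bit big-endian total length */
#define MAX_RECORD (64u * 1024u)  /* assumed sanity cap on a single record */

/* Constructed sample: two valid records (8 and 6 bytes). */
static const uint8_t sample_ok[] = { 0,0,0,8,'a','b','c','d', 0,0,0,6,'e','f' };
/* Constructed sample: the second header is corrupted and claims about 4 GB. */
static const uint8_t sample_bad[] = { 0,0,0,8,'a','b','c','d', 0xff,0xff,0xff,0xf0,'e','f' };

/* Walk the buffer; return the number of records copied out, or -1 if a
 * header is implausible. *bad_off receives the offset of the bad header. */
long read_records(const uint8_t *buf, size_t len, size_t *bad_off)
{
    size_t off = 0;
    long count = 0;

    while (off < len) {
        size_t remaining = len - off;
        if (remaining < HDR_LEN) { *bad_off = off; return -1; }
        uint32_t claimed = ((uint32_t)buf[off] << 24) | ((uint32_t)buf[off + 1] << 16) |
                           ((uint32_t)buf[off + 2] << 8) | (uint32_t)buf[off + 3];
        /* Validate the untrusted length BEFORE it is used as an allocation size. */
        if (claimed < HDR_LEN || claimed > MAX_RECORD || claimed > remaining) {
            *bad_off = off;
            return -1;
        }
        uint8_t *rec = calloc(1, claimed);
        if (rec == NULL) { *bad_off = off; return -1; }
        memcpy(rec, buf + off, claimed);  /* safe: claimed <= remaining */
        free(rec);
        off += claimed;
        count++;
    }
    return count;
}

int main(void)
{
    size_t bad = 0;
    printf("ok: %ld records\n", read_records(sample_ok, sizeof sample_ok, &bad));
    if (read_records(sample_bad, sizeof sample_bad, &bad) < 0)
        printf("implausible record header at offset %zu\n", bad);
    return 0;
}
```

Reporting the offset of the rejected header separates a corrupted file from genuine memory exhaustion, which the bare malloc error in the quoted output does not.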
