Argus crash after successful compile against PF_RING
Jesse Bowling
jesseb at uga.edu
Tue Dec 6 16:46:00 EST 2011
Hi Carter,
I'm wondering if argus is known to have any issues when it's been
compiled against Luca Deri's PF_RING 5.2. PF_RING includes a customized
libpcap library which was installed into /usr/local/lib, and referenced
in the argus compilation. Specifically, I recently compiled:
Argus Version 3.0.4
# LIBS="-lpfring" ./configure --with-libpcap=/usr/local/lib && make && make install
which generated no warnings. The LIBS was passed due to an initial
configure failure where argus could not find the pf_ring references.
After running for about 40 minutes, I get the following messages and the
argus instance died.
Dec 6 15:07:12 sensor argus[2125]: 06 Dec 11 15:07:12.894776 started
Dec 6 15:22:01 sensor argus[2125]: 06 Dec 11 15:22:01.087567 ArgusGetInterfaceStatus: interface p1p2 is up
Dec 6 15:27:08 sensor argus[2125]: 06 Dec 11 15:27:08.544859 ArgusInterface timestamps wayyy out of order: now 1323203228 then 17980662
Dec 6 15:48:27 sensor argus[2125]: 06 Dec 11 15:48:27.760350 ArgusInterface timestamps wayyy out of order: now 1323204507 then 70236
Dec 6 15:48:32 sensor argus[2125]: 06 Dec 11 15:48:32.760363 ArgusGenerateRecord: packet size type not defined
I could not find any other log messages regarding the crash. On this
machine I do have two instances of argus running, invoked with:
/usr/local/sbin/argus -i p1p1 -B 127.0.0.1 -P 561 -Z -d
/usr/local/sbin/argus -i p1p2 -B 127.0.0.1 -P 562 -Z -d
I then collect the data with:
rasplit -M time 5m -w /nsm/argus-split/%Y/%m/%d/%H%M_archive_primitive -S localhost:561 -S localhost:562 -d
It appears that after the first instance crashed the other instance and
the rasplit continue to run, but no data is written to disk.
The OS is:
Linux sensor(RHEL6) 2.6.32-131.17.1.el6.x86_64 #1 SMP Thu Sep 29 10:24:25 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux
What options do I have in terms of generating more logs to troubleshoot
this issue?
Thanks,
Jesse
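
A sensor-health check over the syslog lines quoted in the message above, as an added example that is not part of the original post and not argus project code. It decodes the "now"/"then" epoch values and records the last message each argus pid logged; the names summarize and MAX_PLAUSIBLE_SKEW and the one-day threshold are assumptions made for this example.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the syslog lines from the message above, wrapped lines rejoined.
SAMPLE_LOG = """\
Dec 6 15:07:12 sensor argus[2125]: 06 Dec 11 15:07:12.894776 started
Dec 6 15:22:01 sensor argus[2125]: 06 Dec 11 15:22:01.087567 ArgusGetInterfaceStatus: interface p1p2 is up
Dec 6 15:27:08 sensor argus[2125]: 06 Dec 11 15:27:08.544859 ArgusInterface timestamps wayyy out of order: now 1323203228 then 17980662
Dec 6 15:48:27 sensor argus[2125]: 06 Dec 11 15:48:27.760350 ArgusInterface timestamps wayyy out of order: now 1323204507 then 70236
Dec 6 15:48:32 sensor argus[2125]: 06 Dec 11 15:48:32.760363 ArgusGenerateRecord: packet size type not defined
"""

LINE = re.compile(r"argus\[(?P<pid>\d+)\]: (?P<stamp>\d{2} \w{3} \d{2} [\d:.]+) (?P<msg>.*)$")
SKEW = re.compile(r"timestamps wayyy out of order: now (\d+) then (\d+)")
MAX_PLAUSIBLE_SKEW = 86400  # assumption: a gap over one day is not ordinary clock drift

def utc(epoch):
    """Render an epoch value as a UTC wall-clock string."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")

def summarize(log_text):
    """Per argus pid: out-of-order events with decoded epochs, and the last message seen."""
    report = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not an argus daemon line
        entry = report.setdefault(m["pid"], {"events": [], "last": None})
        entry["last"] = (m["stamp"], m["msg"])
        s = SKEW.search(m["msg"])
        if s:
            now, then = int(s[1]), int(s[2])
            entry["events"].append({
                "now": utc(now), "then": utc(then), "gap_s": now - then,
                "implausible": abs(now - then) > MAX_PLAUSIBLE_SKEW,
            })
    return report

if __name__ == "__main__":
    for pid, entry in summarize(SAMPLE_LOG).items():
        for ev in entry["events"]:
            flag = "IMPLAUSIBLE" if ev["implausible"] else "skew"
            print(f"pid {pid}: {flag} now={ev['now']} then={ev['then']} gap={ev['gap_s']}s")
        print(f"pid {pid}: last message at {entry['last'][0]}: {entry['last'][1]}")
```

On the quoted lines, both "then" values decode to dates in 1970 while "now" matches the capture day, and the last message from pid 2125 is the ArgusGenerateRecord line.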