Argus crash after successful compile against PF_RING
Chris Wakelin
c.d.wakelin at reading.ac.uk
Tue Dec 6 16:52:55 EST 2011
I've had this issue for quite a while, and I'm never quite sure whether
to blame PF_RING or ARGUS! I've even got a script checking/restarting
ARGUS every minute. I also end up with a few random dates amongst the
mass when using rasplit, which may be related.
Mind you, I've been getting kernel panics with PF_RING 5.2 which happen
much less frequently with PF_RING 5.1.
Best Wishes,
Chris
On 06/12/2011 21:46, Jesse Bowling wrote:
> Hi Carter,
>
> I'm wondering if argus is known to have any issues when it's been
> compiled against Luca Deri's PF_RING 5.2. PF_RING includes a customized
> libpcap library which was installed into /usr/local/lib, and referenced
> in the argus compilation. Specifically, I recently compiled:
>
> Argus Version 3.0.4
> # LIBS="-lpfring" ./configure --with-libpcap=/usr/local/lib && make && make install
>
> which generated no warnings. The LIBS was passed due to an initial
> configure failure where argus could not find the pf_ring references.
> After running for about 40 minutes, I get the following messages and the
> argus instance died.
>
> Dec 6 15:07:12 sensor argus[2125]: 06 Dec 11 15:07:12.894776 started
> Dec 6 15:22:01 sensor argus[2125]: 06 Dec 11 15:22:01.087567 ArgusGetInterfaceStatus: interface p1p2 is up
> Dec 6 15:27:08 sensor argus[2125]: 06 Dec 11 15:27:08.544859 ArgusInterface timestamps wayyy out of order: now 1323203228 then 17980662
> Dec 6 15:48:27 sensor argus[2125]: 06 Dec 11 15:48:27.760350 ArgusInterface timestamps wayyy out of order: now 1323204507 then 70236
> Dec 6 15:48:32 sensor argus[2125]: 06 Dec 11 15:48:32.760363 ArgusGenerateRecord: packet size type not defined
>
> I could not find any other log messages regarding the crash. On this
> machine I do have two instances of argus running, invoked with:
>
> /usr/local/sbin/argus -i p1p1 -B 127.0.0.1 -P 561 -Z -d
> /usr/local/sbin/argus -i p1p2 -B 127.0.0.1 -P 562 -Z -d
>
> I then collect the data with:
>
> rasplit -M time 5m -w /nsm/argus-split/%Y/%m/%d/%H%M_archive_primitive
> -S localhost:561 -S localhost:562 -d
>
> It appears that after the first instance crashed the other instance and
> the rasplit continue to run, but no data is written to disk.
>
> The OS is:
> Linux sensor(RHEL6) 2.6.32-131.17.1.el6.x86_64 #1 SMP Thu Sep 29
> 10:24:25 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux
>
> What options do I have in terms of generating more logs to troubleshoot
> this issue?
>
> Thanks,
>
> Jesse
--
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin, c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading, Tel: +44 (0)118 378 8439
Whiteknights, Reading, RG6 2AF, UK Fax: +44 (0)118 975 3094
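A small parser for the syslog lines quoted in Jesse's report, added here as an example and not code from either poster or from the argus project. It assumes the message format shown in that log and computes the gap between the "now" and "then" packet clocks, so a watchdog like the one Chris describes can alert on the warnings that preceded the exit rather than only restarting the process.

```python
import re
from datetime import datetime

# Constructed sample: the syslog lines from the report, one event per line.
SAMPLE_LOG = """\
Dec 6 15:07:12 sensor argus[2125]: 06 Dec 11 15:07:12.894776 started
Dec 6 15:22:01 sensor argus[2125]: 06 Dec 11 15:22:01.087567 ArgusGetInterfaceStatus: interface p1p2 is up
Dec 6 15:27:08 sensor argus[2125]: 06 Dec 11 15:27:08.544859 ArgusInterface timestamps wayyy out of order: now 1323203228 then 17980662
Dec 6 15:48:27 sensor argus[2125]: 06 Dec 11 15:48:27.760350 ArgusInterface timestamps wayyy out of order: now 1323204507 then 70236
Dec 6 15:48:32 sensor argus[2125]: 06 Dec 11 15:48:32.760363 ArgusGenerateRecord: packet size type not defined
"""

# Assumed layout: "argus[<pid>]: <dd Mon yy HH:MM:SS.usec> <message>"
LINE_RE = re.compile(
    r"argus\[(?P<pid>\d+)\]: (?P<ts>\d\d \w{3} \d\d \d\d:\d\d:\d\d\.\d+) (?P<msg>.*)$"
)
SKEW_RE = re.compile(r"timestamps wayyy out of order: now (?P<now>\d+) then (?P<then>\d+)")


def parse_argus_syslog(text):
    """Return one dict per argus line: pid, argus timestamp, message and,
    for 'out of order' warnings, the difference in seconds between the
    'now' and 'then' packet clocks (None for other messages)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ev = {"pid": int(m["pid"]),
              "ts": datetime.strptime(m["ts"], "%d %b %y %H:%M:%S.%f"),
              "msg": m["msg"], "skew": None}
        s = SKEW_RE.search(m["msg"])
        if s:
            ev["skew"] = int(s["now"]) - int(s["then"])
        events.append(ev)
    return events


def crash_indicators(events, max_skew=3600):
    """Flag what a sensor watchdog should alert on: packet clocks more than
    max_skew seconds apart, and the ArgusGenerateRecord error that was the
    last message before the instance in the report died."""
    flagged = []
    for ev in events:
        if ev["skew"] is not None and abs(ev["skew"]) > max_skew:
            flagged.append(("clock_skew", ev["ts"], ev["skew"]))
        elif "packet size type not defined" in ev["msg"]:
            flagged.append(("record_error", ev["ts"], None))
    return flagged
```

Feeding the watchdog's alert path with `crash_indicators(parse_argus_syslog(text))` gives a record of the skew warnings leading up to each restart, which is the extra troubleshooting signal the thread asks about.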