Argus crash after successful compile against PF_RING

Carter Bullard carter at qosient.com
Tue Dec 6 17:19:13 EST 2011


Hey Jesse,
I am not aware of any PF_RING problems, and the timestamp issue is somewhat new.
Can you try out argus-3.0.5.6 for a while to see if any problems go away?  This version
has a number of known bug fixes, and may solve some of your problems.   It has been
stable for quite some time, and I am about to release it as stable in a few weeks.

Also try the newer argus-clients-3.0.5.25, which will fix a number of rasplit() problems.

The timestamp problem is curious, but we have had this type of problem before, with
various packet sources.  We are testing if the packets are in the future, not if they are
way in the past, so our last packet timestamp is getting set to a bad value on a
previous packet, and then when the next packet with a decent timestamp arrives, it
trips the error.   It is generally a sign of buffer overrun, rather than bad clocks.

One of your errors is an "unknown" packet type.  If the timestamp error is a corrupted
packet buffer, then the packet is probably corrupted as well, so these may be the
same problem.

What level of performance are we talking about?  If you are trying to go very fast, there
are a number of things we can do to troubleshoot.  If you are not going that fast, then
I'll set the test on the bad timestamp to be in both directions, and argus has a 
"dump packet on error" function, which we'll use to see what the packet actually
looks like.

I've been working on the rasplit() generating poor timestamps, so I'm working that one.
Let's try these new versions, and if they have issues, I'll work on fixing them this week!!!!

Carter

On Dec 6, 2011, at 4:46 PM, Jesse Bowling wrote:

> Hi Carter,
> 
> I'm wondering if argus is known to have any issues when it's been
> compiled against Luca Deri's PF_RING 5.2.  PF_RING includes a customized
> libpcap library which was installed into /usr/local/lib, and referenced
> in the argus compilation.  Specifically, I recently compiled:
> 
> Argus Version 3.0.4
> # LIBS="-lpfring" ./configure --with-libpcap=/usr/local/lib && make && make install
> 
> which generated no warnings.  The LIBS was passed due to an initial
> configure failure where argus could not find the pf_ring references.
> After running for about 40 minutes, I get the following messages and the
> argus instance died.
> 
> Dec  6 15:07:12 sensor argus[2125]: 06 Dec 11 15:07:12.894776 started
> Dec  6 15:22:01 sensor argus[2125]: 06 Dec 11 15:22:01.087567 ArgusGetInterfaceStatus: interface p1p2 is up
> Dec  6 15:27:08 sensor argus[2125]: 06 Dec 11 15:27:08.544859 ArgusInterface timestamps wayyy out of order: now 1323203228 then 17980662
> Dec  6 15:48:27 sensor argus[2125]: 06 Dec 11 15:48:27.760350 ArgusInterface timestamps wayyy out of order: now 1323204507 then 70236
> Dec  6 15:48:32 sensor argus[2125]: 06 Dec 11 15:48:32.760363 ArgusGenerateRecord: packet size type not defined
> 
> I could not find any other log messages regarding the crash.  On this
> machine I do have two instances of argus running, invoked with:
> 
> /usr/local/sbin/argus -i p1p1 -B 127.0.0.1 -P 561 -Z -d
> /usr/local/sbin/argus -i p1p2 -B 127.0.0.1 -P 562 -Z -d
> 
> I then collect the data with:
> 
> rasplit -M time 5m -w /nsm/argus-split/%Y/%m/%d/%H%M_archive_primitive -S localhost:561 -S localhost:562 -d
> 
> It appears that after the first instance crashed the other instance and
> the rasplit continue to run, but no data is written to disk.
> 
> The OS is:
> Linux sensor(RHEL6) 2.6.32-131.17.1.el6.x86_64 #1 SMP Thu Sep 29 10:24:25 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux
> 
> What options do I have in terms of generating more logs to troubleshoot
> this issue?
> 
> Thanks,
> 
> Jesse
> 
> 
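
The one-directional timestamp test described in the reply above, next to a two-directional one, as an added example that is not argus source code and not part of the original messages. The function names, the 3600-second threshold, the choice not to advance the reference on a rejected packet, and the sample stream (constructed around the `then 17980662` value from the quoted log) are all assumptions.

```c
#include <stdio.h>
#include <stdlib.h>

/* Assumed threshold for a "way out of order" jump; not argus's real value. */
#define MAX_JUMP_SECS 3600L

struct ts_state { long last; int primed; };

/* Forward-only test: flags a packet only if it looks far in the FUTURE
 * relative to the previous one. A corrupted, far-in-the-past timestamp
 * passes silently and becomes the new reference. Returns 1 when flagged. */
int check_forward_only(struct ts_state *s, long now)
{
    int flagged = s->primed && (now - s->last > MAX_JUMP_SECS);
    s->last = now;
    s->primed = 1;
    return flagged;
}

/* Two-directional test: flags a jump either way and (an assumption of this
 * sketch) keeps the last good timestamp as the reference. */
int check_both_ways(struct ts_state *s, long now)
{
    if (s->primed && labs(now - s->last) > MAX_JUMP_SECS)
        return 1;
    s->last = now;
    s->primed = 1;
    return 0;
}

/* Index of the first packet a checker flags, or -1 if none is flagged. */
int first_flagged(int (*check)(struct ts_state *, long), const long *ts, int n)
{
    struct ts_state s = {0, 0};
    for (int i = 0; i < n; i++)
        if (check(&s, ts[i]))
            return i;
    return -1;
}

/* Constructed stream: good packet, corrupted packet, good packet. */
static const long sample[] = {1323203227L, 17980662L, 1323203228L};

int main(void)
{
    printf("forward-only flags packet %d\n", first_flagged(check_forward_only, sample, 3));
    printf("both-ways flags packet %d\n", first_flagged(check_both_ways, sample, 3));
    return 0;
}
```

The forward-only check blames the good packet that follows the corrupted one (index 2), which is the "now 1323203228 then 17980662" pattern in the log; the two-directional check points at the corrupted packet itself (index 1), which is the one worth dumping.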
