Argus crash after successful compile against PF_RING

Carter Bullard carter at qosient.com
Tue Dec 6 17:20:57 EST 2011


Hey Chris,
Sorry to hear that you're having problems !!!!!
Let's try to fix this thing before the end of the year, if you have some time,
as I'd like 3.0.6 to be solid.

What version are you running, and do you get any log output?

Carter

On Dec 6, 2011, at 4:52 PM, Chris Wakelin wrote:

> I've had this issue for quite a while, and I'm never quite sure whether to blame PF_RING or ARGUS! I've even got a script checking/restarting ARGUS every minute. I also end up with a few random dates amongst the mass when using rasplit, which may be related.
> 
> Mind you, I've been getting kernel panics with PF_RING 5.2 which happen much less frequently with PF_RING 5.1.
> 
> Best Wishes,
> Chris
> 
> On 06/12/2011 21:46, Jesse Bowling wrote:
>> 
>> Hi Carter,
>> 
>> I'm wondering if argus is known to have any issues when it's been
>> compiled against Luca Deri's PF_RING 5.2.  PF_RING includes a customized
>> libpcap library which was installed into /usr/local/lib, and referenced
>> in the argus compilation.  Specifically, I recently compiled:
>> 
>> Argus Version 3.0.4
>> # LIBS="-lpfring" ./configure --with-libpcap=/usr/local/lib && make &&
>> make install
>> 
>> which generated no warnings.  The LIBS was passed due to an initial
>> configure failure where argus could not find the pf_ring references.
>> After running for about 40 minutes, I get the following messages and the
>> argus instance died.
>> 
>> Dec  6 15:07:12 sensor argus[2125]: 06 Dec 11 15:07:12.894776 started
>> Dec  6 15:22:01 sensor argus[2125]: 06 Dec 11 15:22:01.087567
>> ArgusGetInterfaceStatus: interface p1p2 is up
>> Dec  6 15:27:08 sensor argus[2125]: 06 Dec 11 15:27:08.544859
>> ArgusInterface timestamps wayyy out of order: now 1323203228 then 17980662
>> Dec  6 15:48:27 sensor argus[2125]: 06 Dec 11 15:48:27.760350
>> ArgusInterface timestamps wayyy out of order: now 1323204507 then 70236
>> Dec  6 15:48:32 sensor argus[2125]: 06 Dec 11 15:48:32.760363
>> ArgusGenerateRecord: packet size type not defined
>> 
>> I could not find any other log messages regarding the crash.  On this
>> machine I do have two instances of argus running, invoked with:
>> 
>> /usr/local/sbin/argus -i p1p1 -B 127.0.0.1 -P 561 -Z -d
>> /usr/local/sbin/argus -i p1p2 -B 127.0.0.1 -P 562 -Z -d
>> 
>> I then collect the data with:
>> 
>> rasplit -M time 5m -w /nsm/argus-split/%Y/%m/%d/%H%M_archive_primitive
>> -S localhost:561 -S localhost:562 -d
>> 
>> It appears that after the first instance crashed the other instance and
>> the rasplit continue to run, but no data is written to disk.
>> 
>> The OS is:
>> Linux sensor(RHEL6) 2.6.32-131.17.1.el6.x86_64 #1 SMP Thu Sep 29
>> 10:24:25 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux
>> 
>> What options do I have in terms of generating more logs to troubleshoot
>> this issue?
>> 
>> Thanks,
>> 
>> Jesse
> 
> 
> -- 
> --+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
> Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
> IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 8439
> Whiteknights, Reading, RG6 2AF, UK              Fax: +44 (0)118 975 3094
> 
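
For triaging logs like the excerpt quoted above, the following is an added example, not part of the original thread or of the argus code base. It rejoins the wrapped syslog lines, extracts the `now`/`then` values from each "timestamps wayyy out of order" message, and reports the last message each argus PID logged; the function names are this example's own and the sample input is the excerpt from the thread.

```python
import re

# Log excerpt as quoted in the thread, including the e-mail line wrapping.
SAMPLE = """\
Dec  6 15:07:12 sensor argus[2125]: 06 Dec 11 15:07:12.894776 started
Dec  6 15:22:01 sensor argus[2125]: 06 Dec 11 15:22:01.087567
ArgusGetInterfaceStatus: interface p1p2 is up
Dec  6 15:27:08 sensor argus[2125]: 06 Dec 11 15:27:08.544859
ArgusInterface timestamps wayyy out of order: now 1323203228 then 17980662
Dec  6 15:48:27 sensor argus[2125]: 06 Dec 11 15:48:27.760350
ArgusInterface timestamps wayyy out of order: now 1323204507 then 70236
Dec  6 15:48:32 sensor argus[2125]: 06 Dec 11 15:48:32.760363
ArgusGenerateRecord: packet size type not defined
"""

HEAD = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (\S+) argus\[(\d+)\]: "
                  r"(\d\d \w{3} \d\d \d\d:\d\d:\d\d\.\d+)\s*(.*)$")
SKEW = re.compile(r"timestamps wayyy out of order: now (\d+) then (\d+)")

def parse(text):
    """Rejoin wrapped lines and return one dict per argus syslog record."""
    records = []
    for line in text.splitlines():
        m = HEAD.match(line)
        if m:
            host, pid, stamp, msg = m.groups()
            records.append({"host": host, "pid": int(pid), "stamp": stamp, "msg": msg})
        elif records and line.strip():
            rec = records[-1]          # continuation of the previous record
            rec["msg"] = (rec["msg"] + " " + line.strip()).strip()
    return records

def summarize(text):
    """Per argus PID: out-of-order timestamp events and the last message logged."""
    out = {}
    for rec in parse(text):
        s = out.setdefault(rec["pid"], {"skews": [], "last": None})
        m = SKEW.search(rec["msg"])
        if m:
            now, then = int(m.group(1)), int(m.group(2))
            s["skews"].append({"stamp": rec["stamp"], "now": now, "then": then,
                               "delta": now - then})
        s["last"] = (rec["stamp"], rec["msg"])
    return out

if __name__ == "__main__":
    for pid, s in summarize(SAMPLE).items():
        print(pid, len(s["skews"]), "skew events; last:", s["last"])
```
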
