Argus crash after successful compile against PF_RING

Chris Wakelin c.d.wakelin at reading.ac.uk
Thu Dec 8 19:25:12 EST 2011


I've run 3.0.5.7/3.0.5.26 for a day and it didn't crash at all, but did
flag some wrong timestamps. I had the two new variables turned on and it
created an empty pcap file for the captured errors, however it stayed
empty. (I've just noticed it was still owned by root, so probably ARGUS
couldn't write to it after it dropped privileges! I've 'chown'ed it
appropriately now.)

I ended up with one or two stray rasplit flows in 1970/01/01, but on the
whole it seems rather better!

Best Wishes,
Chris

On 07/12/2011 14:53, Carter Bullard wrote:
> Hey Jesse,
> This sounds like a PF_RING timestamp problem.  Argus believes the
> timestamps it gets from the packet engine so much that it sets its
> concept of time based on those timestamps.  This allows reading packets
> from files to work the same as from live interfaces. If the packet capture
> layer screws up the time, argus will be seriously affected.
> 
> If we get packets in the future, argus can apparently "stop" its record output.
> We end up with a flow in the status output queue with a queue time in the
> future, and when the record finds its way to the end of the queue, argus
> will have to wait for (timestamp + flow_status_time) before taking it off the
> queue.
> 
> OK, I put in packet rejection based on a time range (+/- 30 seconds) when
> reading packets from a live interface, and I've added dumping the error
> packets to a dump file.  Turn this on using both of the argus.conf file variables:
> 
> #ARGUS_PACKET_CAPTURE_FILE="/path/to/filename.pcap"
> #ARGUS_PACKET_CAPTURE_ON_ERROR="yes"
> 
> This should help confirm what the nature of the problem is, and help
> point the finger at whatever module is in error.
> 
> Do turn on both variables; if you don't turn on the ON_ERROR variable, all
> your packets will go in the file.
> 
> I've uploaded argus-3.0.5.7.tar.gz to the developers server.  Grab it at:
>    http://qosient.com/argus/dev/argus-3.0.5.7.tar.gz
> 
> Carter
-- 
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 8439
Whiteknights, Reading, RG6 2AF, UK              Fax: +44 (0)118 975 3094
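
Added example (not part of the thread and not Argus source code): a small C model of the stall Carter describes, where one future-stamped packet parks a record at the head of the status queue, next to the +/- 30 second rejection that prevents it. All names, the 5-second status interval, the one-record-per-packet simplification and the sample packets are assumptions made for illustration.

```c
#include <stdio.h>

#define WINDOW_SECS 30   /* the +/- 30 second range from the post */
#define STATUS_SECS 5    /* assumed flow status interval */
#define QMAX 64

/* Constructed input: 20 packets, one per second; packet 2 is stamped 1 hour ahead. */
static const long SKEW[20] = { [2] = 3600 };

/* Accept a live packet only if its timestamp is within the window of wall time. */
static int ts_in_window(long pkt_ts, long wall)
{
    long d = pkt_ts - wall;
    return d >= -WINDOW_SECS && d <= WINDOW_SECS;
}

/* Returns the number of status records written; *rejected counts dropped packets. */
int simulate(const long *skew, int n, int filter, int *rejected)
{
    long qtime[QMAX];
    int head = 0, tail = 0, written = 0;

    *rejected = 0;
    for (int wall = 0; wall < n && tail < QMAX; wall++) {
        long pkt_ts = wall + skew[wall];
        if (filter && !ts_in_window(pkt_ts, wall)) {
            (*rejected)++;        /* the real change also dumps these to a pcap */
            continue;
        }
        long clock = pkt_ts;      /* flow clock follows the packet timestamp */
        qtime[tail++] = clock;    /* one status record per packet (simplified) */
        /* FIFO: the head leaves only once clock >= its queue time + interval */
        while (head < tail && clock >= qtime[head] + STATUS_SECS) {
            head++;
            written++;
        }
    }
    return written;
}

int main(void)
{
    int rej;
    int w = simulate(SKEW, 20, 0, &rej);
    printf("no filter: written=%d rejected=%d\n", w, rej);
    w = simulate(SKEW, 20, 1, &rej);
    printf("filter:    written=%d rejected=%d\n", w, rej);
    return 0;
}
```

Without the filter the clock jumps forward, flushes the two older records, then falls back, and the future-stamped record blocks everything queued behind it; with the filter only the bad packet is lost.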


