Argus crash after successful compile against PF_RING

Carter Bullard carter at qosient.com
Thu Dec 8 19:40:55 EST 2011


Hey Chris,
Because I haven't generally announced argus-3.0.5.7, when I need to make
very insignificant changes, I don't bump the version number up until the next
day or so, so you may need to grab the latest code refresh, unless you wait
until tomorrow, and argus-3.0.5.8 will arrive.

I found a big bug in the psize calculation, but I'd hold off enabling that again,
until I give the all clear.

Good to hear things are better.  I'm still working the timestamp issue for 
rasplit().  Could you send the 1970's files my way, if possible?

Hope all is most excellent,
Carter

On Dec 8, 2011, at 7:25 PM, Chris Wakelin wrote:

> I've run 3.0.5.7/3.0.5.26 for a day and it didn't crash at all, but did
> flag some wrong timestamps. I had the two new variables turned on and it
> created an empty pcap file for the captured errors, however it stayed
> empty. (I've just noticed it was still owned by root, so probably ARGUS
> couldn't write to it after it dropped privileges! I've 'chown'ed it
> appropriately now.)
> 
> I ended up with one or two stray rasplit flows in 1970/01/01, but on the
> whole it seems rather better!
> 
> Best Wishes,
> Chris
> 
> On 07/12/2011 14:53, Carter Bullard wrote:
>> Hey Jesse,
>> This sounds like a PF_RING timestamp problem.  Argus believes the
>> timestamps it gets from the packet engine so much, that it sets its
>> concept of time based on those timestamps.  This allows reading packets
>> from files to work the same as from live interfaces. If the packet capture
>> layer screws up the time, argus will be seriously affected.
>> 
>> If we get packets in the future, argus can apparently "stop" its record output.
>> We end up with a flow in the status output queue with a queue time in the
>> future, and when the record finds its way to the end of the queue, argus
>> will have to wait for (timestamp + flow_status_time) before taking it off the
>> queue.
>> 
>> OK, I put in packet rejection based on a time range (+/- 30 seconds) when
>> reading packets from a live interface, and I've added dumping the error
>> packets to a dump file.  Turn this on using both of the argus.conf file variables:
>> 
>> #ARGUS_PACKET_CAPTURE_FILE="/path/to/filename.pcap"
>> #ARGUS_PACKET_CAPTURE_ON_ERROR="yes"
>> 
>> This should help confirm what the nature of the problem is, and help
>> point the finger at whatever module is in error.
>> 
>> Do turn on both variables; if you don't turn on the ON_ERROR variable, all
>> your packets will go in the file.
>> 
>> I've uploaded argus-3.0.5.7.tar.gz to the developers server.  Grab it at:
>>   http://qosient.com/argus/dev/argus-3.0.5.7.tar.gz
>> 
>> Carter
> -- 
> --+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
> Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
> IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 8439
> Whiteknights, Reading, RG6 2AF, UK              Fax: +44 (0)118 975 3094
> 
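
The +/- 30 second rejection window described in the thread can be reproduced offline against a capture file, which helps when triaging the error pcap or hunting for the packets behind stray 1970/01/01 flows. This is an added example, not Argus code and not part of the original messages; the function names, the reference clock value and the sample packets are constructed for illustration.

```python
import struct

WINDOW = 30.0  # seconds, the +/- range quoted in the thread

def build_pcap(packets):
    """Build classic little-endian pcap bytes from (ts, payload) pairs."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, payload in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(payload), len(payload)) + payload
    return out

def read_pcap(data):
    """Yield (timestamp, payload) from classic pcap bytes, either byte order."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic microsecond pcap file")
    off = 24  # skip the global header
    while off + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        if off + caplen > len(data):
            raise ValueError("truncated packet record")
        yield sec + usec / 1e6, data[off:off + caplen]
        off += caplen

def split_by_skew(data, clock, window=WINDOW):
    """Return (accepted, rejected); rejected entries carry the skew in seconds."""
    accepted, rejected = [], []
    for ts, payload in read_pcap(data):
        skew = ts - clock  # positive: packet claims to be from the future
        if abs(skew) <= window:
            accepted.append((ts, payload))
        else:
            rejected.append((ts, round(skew, 3), payload))
    return accepted, rejected

CLOCK = 1323269580.0  # constructed reference clock (assumption, not from the page)
SAMPLE = build_pcap([  # constructed sample packets
    (CLOCK - 0.25, b"ok-1"),      # normal
    (CLOCK + 29.0, b"ok-2"),      # inside the window
    (CLOCK + 3600.0, b"future"),  # an hour ahead: the case that stalls output
    (0.5, b"epoch"),              # 1970 timestamp
])
```

On a live sensor the reference clock is the host's wall clock at receive time; for a saved file, pass the time the capture was taken.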
