Endace DAG 8.1 and Argus problem

Leif Tishendorf ltishend at gmail.com
Fri Feb 18 12:27:20 EST 2011


Carter,

 > Sorry, you need to run without the DAEMON mode on.  Also add a -D1 just to verify that there is some activity.
 > So try:
 >
 >     run -D1 -d

Ah, ok, did that and here's the output now

----
Reading symbols from /root/argus-3.0.3.22/bin/argus...done.
(gdb) run -D1 -d
Starting program: /root/argus-3.0.3.22/bin/argus -D1 -d
[Thread debugging using libthread_db enabled]
argus[26368.00d7fef7ff7f0000]: 18 Feb 11 09:19:44.777281 ArgusNewModeler() returning 0x671010
argus[26368.00d7fef7ff7f0000]: 18 Feb 11 09:19:44.777427 ArgusNewOutput() returning retn 0x671d20
argus[26368.00d7fef7ff7f0000]: 18 Feb 11 09:19:44.782451 setArgusID(0x7ffff690f040, 0xac16057b) done
argus[26368.00d7fef7ff7f0000]: 18 Feb 11 09:19:44.782472 setArgusID(0x7ffff690f040, 0xac16057b) done
argus[26368.00d7fef7ff7f0000]: 18 Feb 11 09:19:44.782478 setArgusID(0x7ffff690f040, 0xac16057b) done
argus[26368.00d7fef7ff7f0000]: 18 Feb 11 09:19:44.782503 ArgusParseResourceFile: ArgusBindAddr "(null)"
argus[26368.00d7fef7ff7f0000]: 18 Feb 11 09:19:46.990235 ArgusParseResourceFile (/etc/argus.conf) returning
argus[26368.00d7fef7ff7f0000]: 18 Feb 11 09:19:46.990277 setArgusInterfaceStatus(0x7ffff690f010, 1)
argus[26368.00d7fef7ff7f0000]: 18 Feb 11 09:19:46.991267 ArgusEstablishListen(0x671d20, 0x7fffffffd090) binding: 172.22.5.123:568 family: 2
[New Thread 0x7ffff5f61700 (LWP 26405)]
argus[26368.00d7fef7ff7f0000]: 18 Feb 11 09:19:46.992196 ArgusInitOutput() done
argus[26368]: 18 Feb 11 09:19:46.992222 started
argus[26368.0017f6f5ff7f0000]: 18 Feb 11 09:19:46.992246 ArgusOutputProcess(0x671d20) starting
argus[26368.00d7fef7ff7f0000]: 18 Feb 11 09:19:46.994594 ArgusOpenInterface(0x7ffff5356010, 'dag0:36') returning 0
argus[26368.00d7fef7ff7f0000]: 18 Feb 11 09:19:46.994606 ArgusInitSource: no packet sources for this device.
argus[26368.00d7fef7ff7f0000]: 18 Feb 11 09:19:46.994611 ArgusInitSource(0x7ffff5356010) returning 0
argus[26368.00d7fef7ff7f0000]: 18 Feb 11 09:19:47.994704 main() ArgusSourceProcess returned: shuting down

argus[26368.00d7fef7ff7f0000]: 18 Feb 11 09:19:47.994747 ArgusShutDown(Normal Shutdown)

argus[26368.00d7fef7ff7f0000]: 18 Feb 11 09:19:47.994756 ArgusCloseSource(0x7ffff690f010) starting
argus[26368.00d7fef7ff7f0000]: 18 Feb 11 09:19:47.994775 ArgusCloseEvents() done
argus[26368.00d7fef7ff7f0000]: 18 Feb 11 09:19:47.994783 ArgusCloseOutput(0x671d20) scheduling closure after 0 records
argus[26368.0017f6f5ff7f0000]: 18 Feb 11 09:19:48.093424 ArgusOutputProcess(0x671d20) exiting
argus[26368.00d7fef7ff7f0000]: 18 Feb 11 09:19:48.100631 ArgusCloseOutput(0x671d20) done
[Thread 0x7ffff5f61700 (LWP 26405) exited]
argus[26368.00d7fef7ff7f0000]: 18 Feb 11 09:19:48.100705 ArgusShutDown()

Program exited normally.
----

Thanks,

--Leif

On 02/18/2011 06:31 AM, Carter Bullard wrote:
> Hey Leif,
> Sorry, you need to run without the DAEMON mode on.  Also add a -D1 just to verify that there is some activity.
> So try:
>
>     run -D1 -d
>
> Carter
>
>
> On Feb 17, 2011, at 4:32 PM, Leif Tishendorf wrote:
>
>> Carter,
>>
>> Here is the output from gdb:
>>
>> ----
>> Starting program: /root/argus-3.0.3.22/bin/argus -F ../support/Config/argus.conf
>> [Thread debugging using libthread_db enabled]
>> [New Thread 0x7ffff5f61700 (LWP 25329)]
>> argus[25294]: 17 Feb 11 10:50:06.455798 started
>> [Thread 0x7ffff5f61700 (LWP 25329) exited]
>>
>> Program exited normally.
>> ----
>>
>> Though I've never run anything through gdb before so that's just a straight run command.  If there is more you'd like me to do just let me know.
>>
>> Also, in the debug output I was wondering about the line:
>>
>> ----
>> argus[13042.00172305347f0000]: 16 Feb 11 11:59:48.506743 ArgusOpenInterface(0x7f3402599010, 'dag0:62') returning 0
>> ----
>>
>> Is Argus not finding the dag interface?
>>
>> --Leif
>>
>>
>> On 02/17/2011 04:17 AM, Carter Bullard wrote:
>>> Hey Leif,
>>> I suspect that your packet source thread is crashing, and the rest of the argus is doing its thing.  Run argus under gdb to see if it tells you more about the problem.
>>>
>>> To compile with symbols, create the development tag and reconfigure and remake:
>>>     % touch .devel
>>>     % ./configure
>>>     % make clean
>>>     % make
>>>     % gdb ./bin/argus
>>>
>>> Be sure to run without daemon mode.
>>> Carter
>>>
>>>
>>> On Feb 15, 2011, at 5:21 PM, Leif Tishendorf <ltishend at gmail.com> wrote:
>>>
>>>> Carter,
>>>>
>>>> I should probably start a different thread for this but it's the same system as the 3.0.3.22 issue and didn't want to clutter things up too much.  I just recently installed 3.0.2 on this same box, and originally I thought it was functioning normally. However, after more testing I've noticed there are a couple issues and was wondering if you had any suggestions.
>>>>
>>>> 1.  I have 6 load balanced streams to break up the traffic on a Dag 8.1 card and an argus process on each.  Over time the argus processes will exit without error.
>>>>
>>>> 2.  Time stamps over time get extremely skewed (like it starts out putting year ranges from 1912 to 2057).  This seems to be worse with higher load.  Currently each process is running at about 20% CPU or less (8 core, 16 hyper-threaded).  I have Snort, nTop and tcpdump running on other streams and they don't experience the time skew issue.
>>>>
>>>> Ideally I'd rather be using the 3.0.3.22 (3.0.4 when it's released) to take advantage of its multiple interface handling and multi-core support and not do over much troubleshooting on an older code base. Anything I can test/try, information I can provide I'd be happy to do so.
>>>>
>>>> Thanks,
>>>>
>>>> --Leif
>>>>
>>>> On 02/14/2011 12:31 PM, Carter Bullard wrote:
>>>>> Hey Leif,
>>>>> It could be a bug.  Argus has run on many versions of the dag, but I don't test
>>>>> each dev release against dags as I don't have access any longer.
>>>>>
>>>>> The easiest test is to make sure tcpdump gets packets from that interface.  If
>>>>> so, then running argus with the "-D debugLevel" option will give us some detail
>>>>> printing on what is happening.
>>>>>
>>>>> Try with "-D 6" to start, and if that doesn't help, increase to get more info, and don't run
>>>>> in daemon mode.
>>>>>
>>>>> Be sure and put the "-D 6" as the first option, so you get debug printing for parsing the
>>>>> command line options, etc......
>>>>>
>>>>> To compile debug support into argus, in the argus distribution directory:
>>>>>     % touch .debug
>>>>>     % ./configure
>>>>>     % make clean
>>>>>     % make
>>>>>
>>>>> Carter
>>>>>
>>>>> On Feb 14, 2011, at 3:15 PM, Leif Tishendorf wrote:
>>>>>
>>>>>> Hello all,
>>>>>>
>>>>>> I'm running an Endace Dag 8.1 card and I'm having difficulty getting Argus to work with it.  I've compiled Argus 3.0.3.22 against the Dag enabled libpcap files and Argus will run if I set it to eth0, which is the management interface, but if I set it to a dag stream, e.g. ARGUS_INTERFACE=dag0:8, the daemon says it starts, and prints to syslog that it starts, but it doesn't actually start.
>>>>>>
>>>>>> I was wondering if anyone may have had a similar issue and be able to offer some pointers.
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> --Leif
>>>>>>
>>>>>
>>>>
>>>> --
>>>> --Leif
>>>>
>>
>> --
>> --Leif
>>
>

-- 
--Leif
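
An added example, not part of the original message and not Argus code: a small parser for debug output of the kind posted in this thread. It rejoins records that a mail client folded after the timestamp and flags a run that reported "started" yet shut down normally with no packet source and 0 records written. The sample input is constructed and the function names are hypothetical.

```python
import re

# Constructed sample in the style of `argus -D1 -d` debug output; two records are
# wrapped after the timestamp, the way a mail client folds long lines.
SAMPLE = """\
[New Thread 0x7ffff0000000 (LWP 101)]
argus[100]: 18 Feb 11 09:19:46.992222 started
argus[100.00aa]: 18 Feb 11 09:19:46.994594
ArgusOpenInterface(0x1000, 'dag0:36') returning 0
argus[100.00aa]: 18 Feb 11 09:19:46.994606
ArgusInitSource: no packet sources for this device.
argus[100.00aa]: 18 Feb 11 09:19:47.994747 ArgusShutDown(Normal Shutdown)
argus[100.00aa]: 18 Feb 11 09:19:47.994783 ArgusCloseOutput(0x2000) scheduling closure after 0 records
[Thread 0x7ffff0000000 (LWP 101) exited]
"""

HEADER = re.compile(r"^argus\[(\d+)(?:\.[0-9a-f]+)?\]: (\d\d \w{3} \d\d [\d:.]+)\s*(.*)$")
GDB_NOISE = re.compile(r"^(\[|\(gdb\)|Program |Starting program|Reading symbols)")

def parse(text):
    """Return (pid, timestamp, message) tuples, rejoining wrapped continuation lines."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append([m.group(1), m.group(2), m.group(3).strip()])
        elif records and line.strip() and not GDB_NOISE.match(line):
            records[-1][2] = (records[-1][2] + " " + line.strip()).strip()
    return [tuple(r) for r in records]

def diagnose(records):
    """Collect the fields that show whether a packet source ever came up."""
    found = {"interface": None, "no_source": False, "shutdown": None, "records": None}
    for _pid, _ts, msg in records:
        if m := re.search(r"ArgusOpenInterface\(\S+ '([^']+)'\)", msg):
            found["interface"] = m.group(1)
        elif "no packet sources for this device" in msg:
            found["no_source"] = True
        elif m := re.search(r"ArgusShutDown\((.+)\)", msg):
            found["shutdown"] = m.group(1)
        elif m := re.search(r"scheduling closure after (\d+) records", msg):
            found["records"] = int(m.group(1))
    return found

def exited_without_capturing(found):
    """True for a clean exit that never had a packet source and wrote nothing."""
    return found["no_source"] and found["shutdown"] == "Normal Shutdown" and found["records"] == 0

if __name__ == "__main__":
    result = diagnose(parse(SAMPLE))
    print(result, "-> sensor exited without capturing:", exited_without_capturing(result))
```

A check like this is useful on a sensor host because the process exits with a normal status, so a supervisor that only watches exit codes or the "started" syslog line will not notice that no flow records are being produced.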


