Out of Memory Reading pcap file with Argus 3.0.5.11 (and 3.0.5.10)
Dave Edelman
dedelman at iname.com
Sat Mar 10 14:31:06 EST 2012
I frequently use argus to read a pcap file and write it so that I can run
the argus clients on the flows. It looks like somewhere between 3.0.3.16 and
3.0.5.10 something changed in a way that consumes enough memory that I can
no longer do this with one of my typical 200 MB pcap files. The same thing
happens on 3.0.5.11 and I don't have any of the intervening versions to
figure out where it actually started. The problem occurs on all eight of my
reference pcap files (they are all 200MB depending on how you count MB).
The problem is related to the size of the pcap file and I'm still
experimenting to determine at what size this triggers. I can provide the
pcap file if that helps.
--Dave
ls -l data0.pcap
-rw-r--r-- 1 root root 200000047 2012-03-10 18:43 data0.pcap
ls -lh data0.pcap
-rw-r--r-- 1 root root 191M 2012-03-10 18:43 data0.pcap
/layered_products/argus-3.0.3.16/bin/argus -X -U 1024 -r data0.pcap -w argusmnew.argus
/layered_products/argus-3.0.5.11/bin/argus -X -U 1024 -r data0.pcap -w argusmnew.argus
out of memory [28413]
^C^C^C^Z
[1]+ Stopped /layered_products/argus-3.0.5.11/bin/argus -X -U 1024 -r data0.pcap -w argusmnew.argus
kill -9 %1
System: Linux snmsdev5 2.6.27.24-170.2.68.fc10.i686.PAE #1 SMP Wed May 20 22:58:30 EDT 2009 i686 i686 i386 GNU/Linux
Arch: i686
Paths: /usr/local/sbin/argus /usr/local/bin/ra /usr/bin/make /usr/bin/gmake /usr/lib/ccache/gcc /usr/lib/ccache/cc
ARGUS: Argus Version 3.0.5.11
RA: Ra Version 3.0.5.35
GCC: Using built-in specs.
Target: i386-redhat-linux
Configured with: ../configure --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --with-bugurl=http://bugzilla.redhat.com/bugzilla --enable-bootstrap --enable-shared --enable-threads=posix --enable-checking=release --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --enable-languages=c,c++,objc,obj-c++,java,fortran,ada --enable-java-awt=gtk --disable-dssi --enable-plugin --with-java-home=/usr/lib/jvm/java-1.5.0-gcj-1.5.0.0/jre --enable-libgcj-multifile --enable-java-maintainer-mode --with-ecj-jar=/usr/share/java/eclipse-ecj.jar --disable-libjava-multilib --with-cpu=generic --build=i386-redhat-linux
Thread model: posix
gcc version 4.3.2 20081105 (Red Hat 4.3.2-7) (GCC)
LIBC:
lrwxrwxrwx 1 root root 11 2009-06-23 13:30 /lib/libc.so.6 -> libc-2.9.so
-rwxr-xr-x 1 root root 1809672 2008-12-08 13:33 /lib/libc-2.9.so
-rw-r--r-- 1 root root 3199504 2008-12-08 13:16 /usr/lib/libc.a
-rw-r--r-- 1 root root 238 2008-12-08 13:00 /usr/lib/libc.so
libpcap.so.0.9.8