argus-clients-3.0.7.1 with full netflow v.9 support

Torbjorn Wictorin Torbjorn.Wictorin at its.uu.se
Tue Sep 4 02:14:50 EDT 2012 

hello Carter,

I do not know how to anonymize the netflow data so that I can send it. 
ANyway, I have debugged a bit:

(gdb) r -n -S cisco://130.238.96.10:9969
Starting program: /usr/local/src/argus/argus-clients-3.0.7.1/bin/ra -c 100 
-n -S cisco://130.238.96.10:9969
[Thread debugging using libthread_db enabled]
*** glibc detected *** ra: double free or corruption (!prev): 0x0000000000b57200 ***


(gdb) where
#0  0x00007ffff71c31b5 in raise () from /lib/libc.so.6
#1  0x00007ffff71c5fc0 in abort () from /lib/libc.so.6
#2  0x00007ffff71f937b in ?? () from /lib/libc.so.6
#3  0x00007ffff7202bd6 in ?? () from /lib/libc.so.6
#4  0x00007ffff720794c in free () from /lib/libc.so.6
#5  0x000000000043ffe4 in ArgusFree (buf=0xb57200) at ./argus_util.c:20116
#6  0x000000000048af03 in ArgusParseCiscoRecordV9Template 
(parser=0x7ffff7ea5010, tqueue=0xb536d0, ptr=0xb53d38 "", len=988) at 
./argus_import.c:1624
#7  0x000000000048b1ce in ArgusParseCiscoRecordV9 (parser=0x7ffff7ea5010, 
input=0x7ffff7e43010, ptr=0x7fffffffe3b0, count=0x7fffffffe3d0) at 
./argus_import.c:1703
#8  0x000000000048d7d1 in ArgusReadCiscoDatagramSocket 
(parser=0x7ffff7ea5010, input=0x7ffff7e43010) at ./argus_import.c:3057
#9  0x000000000045acd1 in ArgusReadStream (parser=0x7ffff7ea5010, 
queue=0xb531e0) at ./argus_client.c:882
#10 0x0000000000406877 in main (argc=6, argv=0x7fffffffe728) at 
./argus_main.c:359


#5  0x000000000043ffe4 in ArgusFree (buf=0xb57200) at ./argus_util.c:20116
20116         free (ptr);
(gdb) print ptr
$1 = (void *) 0xb57200



Then I tried without threads:


(gdb)  r -n -S cisco://130.238.96.10:9969
Starting program: /usr/local/src/argus/argus-clients-3.0.7.1/bin/ra -n -S 
cisco://130.238.96.10:9969
ra[27621]: 2012-09-04.07:59:41.121110 Binding 130.238.96.10:9969 Expecting 
Netflow records

Program received signal SIGSEGV, Segmentation fault.
0x00000000004361dc in ArgusPopQueue (queue=0xb614a0, type=1) at 
./argus_util.c:15353
15353                     queue->start = obj->nxt;


15351               if (queue->count) {
15352                  if (queue->start == obj)
15353                     queue->start = obj->nxt;
15354


(gdb) print *obj
Cannot access memory at address 0xff7fe2f640b0

(gdb) where
#0  0x00000000004361dc in ArgusPopQueue (queue=0xb614a0, type=1) at 
./argus_util.c:15353
#1  0x000000000048f00c in ArgusParseCiscoRecordV9Template 
(parser=0x7ffff7ea5040, tqueue=0xb614a0, ptr=0xb5df58 "\001", len=988) at 
./argus_import.c:1592
#2  0x000000000048f587 in ArgusParseCiscoRecordV9 (parser=0x7ffff7ea5040, 
input=0x7ffff7e43040, ptr=0x7fffffffe3b0, count=0x7fffffffe3d0) at 
./argus_import.c:1703
#3  0x0000000000491fc0 in ArgusReadCiscoDatagramSocket 
(parser=0x7ffff7ea5040, input=0x7ffff7e43040) at ./argus_import.c:3057
#4  0x000000000045e369 in ArgusReadStream (parser=0x7ffff7ea5040, 
queue=0xb5d1c0) at ./argus_client.c:882
#5  0x0000000000405e5b in main (argc=4, argv=0x7fffffffe6b8) at 
./argus_main.c:359

(gdb) print *queue
$3 = {count = 255, start = 0xff7fe2f640b0, end = 0xff7fe2f640b0, array = 
0x0}


# Maybe count == 255 ( == -1 ??)  means error?

up
(gdb) up
#1  0x000000000048f00c in ArgusParseCiscoRecordV9Template 
(parser=0x7ffff7ea5040, tqueue=0xb614a0, ptr=0xb5df58 "\001", len=988) at 
./argus_import.c:1592
1592             src = (struct ArgusCiscoSourceStruct *)ArgusPopQueue 
(tqueue, ARGUS_LOCK);

(gdb) list
1587       int i, done = 0;
1588
1589       if (tqueue != NULL) {
1590          int cnt = tqueue->count;
1591          for (i = 0; (i < cnt) && (templates == NULL); i++) {
1592             src = (struct ArgusCiscoSourceStruct *)ArgusPopQueue 
(tqueue, ARGUS_LOCK);
1593             if ((src->srcid == ArgusCiscoSrcId) && (src->saddr == 
ArgusCiscoSrcAddr))
1594                templates = src->templates;
1595             ArgusAddToQueue(tqueue, &src->qhdr, ARGUS_LOCK);
1596          }

(gdb) print cnt
$4 = 256

(gdb) print *tqueue
$5 = {count = 255, start = 0xff7fe2f640b0, end = 0xff7fe2f640b0, array = 0x0}



(gdb) up
#2  0x000000000048f587 in ArgusParseCiscoRecordV9 (parser=0x7ffff7ea5040, 
input=0x7ffff7e43040, ptr=0x7fffffffe3b0, count=0x7fffffffe3d0) at ./argus_import.c:1703
1703                ArgusParseCiscoRecordV9Template(parser, 
ArgusTemplateQueue, (u_char *)(entryPtrV9 + 1), (flowset_len - sizeof(*entryPtrV9)));

1700       if (flowset_len > 0) {
1701          switch (flowset_id) {
1702             case k_CiscoV9TemplateFlowsetId: {
1703                ArgusParseCiscoRecordV9Template(parser, 
ArgusTemplateQueue, (u_char *)(entryPtrV9 + 1), (flowset_len - 
sizeof(*entryPtrV9)));
1704                break;
1705             }

(gdb) print entryPtrV9
$6 = (CiscoFlowEntryV9_t *) 0xb5df54
(gdb) print * entryPtrV9
$7 = {flowset_id = 0, length = 57347}


(gdb) up
#3  0x0000000000491fc0 in ArgusReadCiscoDatagramSocket 
(parser=0x7ffff7ea5040, input=0x7ffff7e43040) at ./argus_import.c:3057
3057             if (ArgusHandleDatum (parser, input, 
input->ArgusCiscoNetFlowParse (parser, input, &ptr, &count), 
&ArgusParser->ArgusFilterCode) < 0) {
(gdb)




Maybe this could be some help.

Torbjörn W










On Fri, 24 Aug 2012, Carter Bullard wrote:

> Date: Fri, 24 Aug 2012 09:26:57 -0400
> From: Carter Bullard <carter at qosient.com>
> To: Torbjorn.Wictorin at its.uu.se
> Cc: Argus <argus-info at lists.andrew.cmu.edu>
> Subject: Re: [ARGUS] argus-clients-3.0.7.1 with full netflow v.9 support
> 
> Hey Torbjorn,Great and thanks for giving the code a run !!!!
> Any chance I can get a packet capture of the netflow traffic ra* is trying to read ?
> May only need a few packets, but something so I can debug the problem ?
> 
> Thanks again !!!!!
> 
> Carter
> 
> 
> 
> On Aug 23, 2012, at 8:07 AM, Torbjorn.Wictorin at its.uu.se wrote:
> 
>       hello
> 
>       ra fails after about 5-10 records when listening on netflow:
> 
>       01:00:00.000000 N            udp      2.1.1.1.34451 1.2.9.5.route
>       01:00:00.000000 N            udp      1.2.1.1.52659 1.2.9.1.route
>       04:54:52.000000 N            udp      2.3.9.0.15366 1.2.9.1.route
>       01:00:00.000000 N            udp      3.2.1.1.38558 1.2.9.1.route
>       23:10:28.000000 N            udp      9.2.1.3.28598 1.2.9.1.route
>       *** glibc detected *** ra: free(): invalid next size (normal):
>       0x0000000000b62cd0 ***
>       ======= Backtrace: =========
>       /lib/libc.so.6[0x7f833e5559a8]
>       /lib/libc.so.6(cfree+0x76)[0x7f833e557ab6]
>       ra[0x43cdad]
>       ra[0x48914e]
>       ra[0x4893f8]
>       ra[0x48b97a]
>       ra[0x457393]
>       ra[0x40618f]
>       /lib/libc.so.6(__libc_start_main+0xe6)[0x7f833e5001a6]
>       ra[0x403ba9]
>       ======= Memory map: ========
>       00400000-004ba000 r-xp 00000000 08:01 8110634                            
>       /usr/local/src/argus/argus-clients-3.0.7.1/bin/ra
>       006ba000-006c9000 rw-p 000ba000 08:01 8110634                            
>       /usr/local/src/argus/argus-clients-3.0.7.1/bin/ra
>       006c9000-00b9c000 rw-p 00000000 00:00 0                                  
>       ...
> 
>       Note that the time stamps in the records produced are abnormal.
>       Linux/amd64. IP:s above falsified.
> 
>       Torbjörn Wictorin, Uppsala univ.
> 
> 
> 
> 

--
Torbj

More information about the argus mailing list