Direction and IP/TCP timeout settings
Craig Merchant
cmerchant at responsys.com
Thu Jul 18 20:43:54 EDT 2013
Just wanted to give you another data point…
During a sample period, racluster found 448391 flows that contained 5,266,137 packets. It was unsure of the direction of about 60% of those flows. So if Argus missed both the SYN and SYNACK for those 60% because those packets were dropped, we should see around 538,069 dropped packets. Which would be a little over 10% of the total packet volume. Yet the interface is showing something like 0.1% packet drop.
I recorded about 10m packets using tcpdump (tcpdump -i eth3 -w tcpdump.pcap). I tried to convert them to argus format by running: argus -r tcpdump.pcap -A -J -R -Z -w tcpdump.argus
I got the following:
*** glibc detected *** argus: double free or corruption (fasttop): 0x00000000025 bc610 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x760e6)[0x7fa22635e0e6]
argus[0x42b465]
argus[0x41b5fc]
argus[0x40458b]
argus[0x4070f6]
/lib64/libc.so.6(__libc_start_main+0xfd)[0x7fa226306cdd]
argus[0x403bd9]
======= Memory map: ========
00400000-00461000 r-xp 00000000 fd:00 71223417 /usr/lo cal/sbin/argus
00660000-00664000 rw-p 00060000 fd:00 71223417 /usr/lo cal/sbin/argus
00664000-0066a000 rw-p 00000000 00:00 0
025bc000-025dd000 rw-p 00000000 00:00 0 [heap]
7fa225a98000-7fa225aae000 r-xp 00000000 fd:00 78233953 /lib64/ libgcc_s-4.4.7-20120601.so.1
7fa225aae000-7fa225cad000 ---p 00016000 fd:00 78233953 /lib64/ libgcc_s-4.4.7-20120601.so.1
7fa225cad000-7fa225cae000 rw-p 00015000 fd:00 78233953 /lib64/ libgcc_s-4.4.7-20120601.so.1
7fa225cb5000-7fa2260c0000 rw-p 00000000 00:00 0
7fa2260c0000-7fa2260e3000 r-xp 00000000 fd:00 9388269 /opt/rb /lib/libpfring.so
7fa2260e3000-7fa2262e2000 ---p 00023000 fd:00 9388269 /opt/rb /lib/libpfring.so
7fa2262e2000-7fa2262e4000 rw-p 00022000 fd:00 9388269 /opt/rb /lib/libpfring.so
7fa2262e8000-7fa226472000 r-xp 00000000 fd:00 78233613 /lib64/ libc-2.12.so
7fa226472000-7fa226671000 ---p 0018a000 fd:00 78233613 /lib64/ libc-2.12.so
7fa226671000-7fa226675000 r--p 00189000 fd:00 78233613 /lib64/ libc-2.12.so
7fa226675000-7fa226676000 rw-p 0018d000 fd:00 78233613 /lib64/ libc-2.12.so
7fa226676000-7fa22667b000 rw-p 00000000 00:00 0
7fa226680000-7fa226703000 r-xp 00000000 fd:00 78233621 /lib64/ libm-2.12.so
7fa226703000-7fa226902000 ---p 00083000 fd:00 78233621 /lib64/ libm-2.12.so
7fa226902000-7fa226903000 r--p 00082000 fd:00 78233621 /lib64/ libm-2.12.so
7fa226903000-7fa226904000 rw-p 00083000 fd:00 78233621 /lib64/ libm-2.12.so
7fa226908000-7fa22691f000 r-xp 00000000 fd:00 78233637 /lib64/ libpthread-2.12.so
7fa22691f000-7fa226b1f000 ---p 00017000 fd:00 78233637 /lib64/ libpthread-2.12.so
7fa226b1f000-7fa226b20000 r--p 00017000 fd:00 78233637 /lib64/ libpthread-2.12.so
7fa226b20000-7fa226b21000 rw-p 00018000 fd:00 78233637 /lib64/ libpthread-2.12.so
7fa226b21000-7fa226b25000 rw-p 00000000 00:00 0
7fa226b28000-7fa226b5f000 r-xp 00000000 fd:00 9388267 /opt/rb /lib/libpcap.so.1.1.1
7fa226b5f000-7fa226d5f000 ---p 00037000 fd:00 9388267 /opt/rb /lib/libpcap.so.1.1.1
7fa226d5f000-7fa226d61000 rw-p 00037000 fd:00 9388267 /opt/rb /lib/libpcap.so.1.1.1
7fa226d61000-7fa226d62000 rw-p 00000000 00:00 0
7fa226d68000-7fa226d88000 r-xp 00000000 fd:00 78233603 /lib64/ ld-2.12.so
7fa226efd000-7fa226f80000 rw-p 00000000 00:00 0
7fa226f85000-7fa226f87000 rw-p 00000000 00:00 0
7fa226f87000-7fa226f88000 r--p 0001f000 fd:00 78233603 /lib64/ ld-2.12.so
7fa226f88000-7fa226f89000 rw-p 00020000 fd:00 78233603 /lib64/ ld-2.12.so
7fa226f89000-7fa226f8b000 rw-p 00000000 00:00 0
7fa226f8b000-7fa226f8d000 rw-p 00000000 00:00 0
7fff11d0c000-7fff11d21000 rw-p 00000000 00:00 0 [stack]
7fff11d70000-7fff11d71000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsysca ll]
Aborted
I've got no idea what that means...
Am I following the right steps to convert the output of tcpdump into something ra clients can read?
Thanks.
Craig
More information about the argus
mailing list