Direction and IP/TCP timeout settings
Carter Bullard
carter at qosient.com
Thu Jul 18 22:49:32 EDT 2013
Hey Craig,
If you can share that packet file, I'd love to see what could
have dumped argus. If not, if you could compile argus with
symbols compiled in (touch .devel; ./configure; make), when
it dumps, we'll see the line number.
Carter
On Jul 18, 2013, at 8:43 PM, Craig Merchant <cmerchant at responsys.com> wrote:
> Just wanted to give you another data point…
>
> During a sample period, racluster found 448391 flows that contained 5,266,137 packets. It was unsure of the direction of about 60% of those flows. So if Argus missed both the SYN and SYNACK for those 60% because those packets were dropped, we should see around 538,069 dropped packets. Which would be a little over 10% of the total packet volume. Yet the interface is showing something like 0.1% packet drop.
>
> I recorded about 10m packets using tcpdump (tcpdump -i eth3 -w tcpdump.pcap). I tried to convert them to argus format by running: argus -r tcpdump.pcap -A -J -R -Z -w tcpdump.argus
>
> I got the following:
>
> *** glibc detected *** argus: double free or corruption (fasttop): 0x00000000025bc610 ***
> ======= Backtrace: =========
> /lib64/libc.so.6(+0x760e6)[0x7fa22635e0e6]
> argus[0x42b465]
> argus[0x41b5fc]
> argus[0x40458b]
> argus[0x4070f6]
> /lib64/libc.so.6(__libc_start_main+0xfd)[0x7fa226306cdd]
> argus[0x403bd9]
> Aborted
>
> I've got no idea what that means...
>
> Am I following the right steps to convert the output of tcpdump into something ra clients can read?
>
> Thanks.
>
> Craig
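
An added example, not part of the original thread or of the argus code: one way to get from the bracketed addresses in the glibc abort report to source lines once argus has been rebuilt with symbols, by turning the backtrace into `addr2line` (binutils) commands. The function names are illustrative, and the script assumes a non-PIE argus binary, so the bracketed addresses are link-time addresses; `binary` should be the path to the symbol-built executable.

```python
import re
import shlex

# Backtrace lines copied from the glibc abort report quoted in the post.
REPORT = """\
======= Backtrace: =========
/lib64/libc.so.6(+0x760e6)[0x7fa22635e0e6]
argus[0x42b465]
argus[0x41b5fc]
argus[0x40458b]
argus[0x4070f6]
/lib64/libc.so.6(__libc_start_main+0xfd)[0x7fa226306cdd]
argus[0x403bd9]
======= Memory map: ========
"""

# module, optional "(symbol+0xoff)" or "(+0xoff)", then "[absolute address]".
# A leading "> " is tolerated so text pasted from a quoted e-mail also parses.
FRAME = re.compile(
    r"^(?:>\s*)?(?P<module>[^\s(\[]+)"
    r"(?:\((?P<sym>[^+)]*)(?:\+(?P<off>0x[0-9a-f]+))?\))?"
    r"\[(?P<addr>0x[0-9a-f]+)\]$")

def parse_frames(report):
    """Return frames between the Backtrace and Memory map markers, innermost first."""
    frames, inside = [], False
    for line in report.splitlines():
        if "Backtrace:" in line:
            inside = True
        elif "Memory map:" in line:
            break
        elif inside and (m := FRAME.match(line.strip())):
            frames.append(m.groupdict())
    return frames

def addr2line_commands(frames, binary="argus"):
    """Build one addr2line command per module that has addresses to resolve."""
    by_module = {}
    for f in frames:
        if f["module"] == binary:
            # Assumption: non-PIE executable, so this is the link-time address.
            by_module.setdefault(binary, []).append(f["addr"])
        elif f["off"] and not f["sym"]:
            # "(+0x...)" is already an offset from the start of the shared object.
            by_module.setdefault(f["module"], []).append(f["off"])
        # "symbol+0x..." frames already name their function; nothing to resolve.
    return [shlex.join(["addr2line", "-f", "-C", "-e", mod, *addrs])
            for mod, addrs in by_module.items()]

if __name__ == "__main__":
    print("\n".join(addr2line_commands(parse_frames(REPORT))))
```

The first argus address listed is the innermost application frame, the caller of the libc routine that detected the double free.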