raservices crashes when processing

Carter Bullard carter at qosient.com
Thu May 16 08:30:19 EDT 2013


Hey Matt,
This is not a crash, which is a programatic unrecoverable fault.  You just didn't generate a good raservices() configuration file.

Try using the provided ./support/Config/sig.std, as a starting point for raservices(), to see if you can get good labels?

Are you sucessfully generating user data yet?

Carter

On May 15, 2013, at 5:55 PM, Matt Brown <matthewbrown at gmail.com> wrote:

> Hello all,
>  
> I took a day's worth of argus data and, as suggested on http://thread.gmane.org/gmane.network.argus/6228/focus=6234, I analyzed it with rauserdata as follows:
>  
> #racluster -r * -w day.cache
> #rauserdata -r day.cache > /tmp/raservices.conf
>  
>  
> I then inspected /tmp/raservices.conf and it's messy (lots of single lines with arbirary ports, likely sport maybe rpc?), but I figured why not give raservices a shot:
>  
> #racluster -r * -w - | raservices -f raservices.conf
>  
> I receive the following error:
> raservices[21315]: 16:51:00.727719 RaCreateSrvEntry: format error Service: http
>  
>  
> I straced the process, and I see no occurances of "http" in the output (other than the writev()); the data appears to be read correctly until a blank line is read [read(3, "", 4096)                       = 0]:
>  
> read(3, "\"  \n\nService: 48956             "..., 4096) = 4096
> read(3, "...xxxxxx"  dst ="..., 4096) = 4096
> read(3, "xxxx"..., 4096) = 689
> read(3, "", 4096)                       = 0
> close(3)                                = 0
> munmap(0xb766e000, 4096)                = 0
> gettimeofday({1368651683, 272271}, NULL) = 0
> time(NULL)                              = 1368651683
> writev(2, [{"raservices[21523]: 17:01:23.2722"..., 79}, {"\n", 1}], 2raservices[21523]: 17:01:23.272271 RaCreateSrvEntry: format error Service: http
> ) = 80
>  
>  
> Any idea on why this would be?  Is my data processing flow incorrect?
>  
>  
> Both clients are 3.0.7.8.
>  
>  
> Thanks,
>  
> Matt
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20130516/64a6305b/attachment.html>


More information about the argus mailing list