Argus 3.0.2/3.0.6.1 segfaults

Carter Bullard carter at qosient.com
Tue May 28 13:03:38 EDT 2013


Hey Robert,
Sorry you're having problems.

The warning messages are indicative of some weird issue(s), but
argus does tolerate this situation pretty well.  The wire can come up
with strange protocols, or different encapsulations that cause us to
try to formulate a 5-tuple flow key, but in a protocol that we don't know
how to parse.

But we're dumping in other code.  To find out what instruction we're
dying on, I do need for you to compile with the development tags
turned on.  Don't need debug at this point, so let's not turn that on.

   % touch .devel
   % ./configure
   % make clean; make

If you can test, it would be great to see if argus-3.0.7.2 also has this
problem.  You can grab it here:
   http://qosient.com/argus/dev/argus-latest.tar.gz

With the .devel tag turned on, when we dump, you should at least
get a line number, which is what we need.  If that doesn't work,
running argus on your 3.0.6 test machine under gdb() will give
us the line number.

A way to debug this, I suspect, is to capture the packets on the same
wire, to see if we can get argus to fail with a reproducible packet
stream.  I suspect that if you captured non-IP packets using
tcpdump, we would find the offending packet, any opportunity
to do that?

Carter 


On May 28, 2013, at 12:29 PM, Robert Kerr <r.kerr at cranfield.ac.uk> wrote:

> Hi,
> 
> I've been having an issue lately with one of my argus sensors
> crashing roughly once a week. The sensor in question was running argus
> 3.0.2 on RHEL5 on reasonably old hardware. I wondered whether the
> hardware was struggling to cope with the amount of traffic and so
> decided to build a new sensor on brand new hardware. I built 3.0.6.1 on
> RHEL6 and set it running alongside the old box - both receiving the same
> traffic feed. Everything looked good for a few days but then argus on
> both boxes died at exactly the same time. I guess this suggests there is
> a certain packet or sequence of packets argus doesn't like much. The
> only argus related messages in syslog are:
> 
> 3.0.2
> May 26 07:04:02 argus[12332]: 26 May 13 07:04:02.255034 ArgusNewFlow()
> flow key is not correct len equals zero
> May 26 07:04:02 argus[12332]: 26 May 13 07:04:02.255144 ArgusNewFlow()
> flow key is not correct len equals zero
> May 26 11:59:35 kernel: argus[12332]: segfault at 0000000000000000 rip
> 0000000000408f1d rsp 00007fff58cf5a30 error 4
> 
> 3.0.6.1
> May 26 07:04:02 argus[22813]: 26 May 13 07:04:02.254647 ArgusNewFlow()
> flow key is not correct len equals zero
> May 26 07:04:02 argus[22813]: 26 May 13 07:04:02.255644 ArgusNewFlow()
> flow key is not correct len equals zero
> May 26 11:59:35 kernel: argus[22823]: segfault at 0 ip 0000000000411c20
> sp 00007f611dfe17f0 error 4 in argus[400000+a0000]
> 
> I'm assuming the next step would be to build argus with .debug and wait
> for it to crash again? Anything else I need to do?
> 
> -- 
> Robert Kerr
> 

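The two syslog excerpts in the report carry more information than a bare "it crashed": the kernel line gives the faulting address, the instruction pointer, the x86 page-fault error code and (on the RHEL6 box) the mapping of the argus binary, and the ArgusNewFlow() warnings that precede it are the only hint about what was on the wire. The triage script below is an added example, not code from the thread or from the argus project; it parses both kernel message formats seen above (the older `rip`/`rsp` one and the newer `ip`/`sp ... in argus[base+size]` one), decodes the error code, flags a NULL dereference, and computes the offset inside the mapping that a `.devel` build can be asked about with `addr2line -e argus`. The sample lines are the ones quoted in the report, unwrapped onto single lines and embedded here as constructed input.

```python
"""Triage the argus warnings and kernel segfault lines quoted in this thread.

Added example for the mailing-list thread; not part of argus itself.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample: the syslog lines from the report, re-joined onto one
# line each (the mail client folded them) and with both kernel formats present.
SAMPLE_SYSLOG = """\
May 26 07:04:02 argus[22813]: 26 May 13 07:04:02.254647 ArgusNewFlow() flow key is not correct len equals zero
May 26 07:04:02 argus[22813]: 26 May 13 07:04:02.255644 ArgusNewFlow() flow key is not correct len equals zero
May 26 11:59:35 kernel: argus[22823]: segfault at 0 ip 0000000000411c20 sp 00007f611dfe17f0 error 4 in argus[400000+a0000]
May 26 11:59:35 kernel: argus[12332]: segfault at 0000000000000000 rip 0000000000408f1d rsp 00007fff58cf5a30 error 4
"""

_TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)"
WARN_RE = re.compile(_TS + r" argus\[(?P<pid>\d+)\]: .*ArgusNewFlow\(\) (?P<msg>.+)$")
# "rip"/"rsp" (older kernels) or "ip"/"sp" plus an optional "in bin[base+size]".
SEGV_RE = re.compile(
    _TS + r" kernel: (?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+)"
    r" r?ip (?P<ip>[0-9a-f]+) r?sp (?P<sp>[0-9a-f]+) error (?P<err>\d+)"
    r"(?: in (?P<bin>[^\[]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?$"
)


@dataclass
class FlowWarning:
    ts: datetime
    pid: int
    msg: str


@dataclass
class Segfault:
    ts: datetime
    pid: int
    addr: int
    ip: int
    sp: int
    err: int
    base: Optional[int]
    size: Optional[int]

    def offset(self) -> Optional[int]:
        """Offset of the faulting instruction inside the reported mapping, if any."""
        if self.base is None or self.size is None:
            return None
        if not (self.base <= self.ip < self.base + self.size):
            return None
        return self.ip - self.base


def describe_error(code: int) -> str:
    """Decode the x86 page-fault error code the kernel prints after 'error'.

    bit 0: 0 = page not present, 1 = protection violation
    bit 1: 0 = read, 1 = write
    bit 2: 0 = kernel mode, 1 = user mode
    """
    cause = "protection violation" if code & 1 else "page not present"
    access = "write" if code & 2 else "read"
    mode = "user" if code & 4 else "kernel"
    return f"{mode}-mode {access}, {cause}"


def _parse_ts(text: str) -> datetime:
    # syslog timestamps carry no year; fine for same-day gap arithmetic.
    return datetime.strptime(text, "%b %d %H:%M:%S")


def triage(syslog_text: str) -> Dict[str, list]:
    """Parse the log, then pair each segfault with the last preceding warning."""
    warnings: List[FlowWarning] = []
    segfaults: List[Segfault] = []
    for line in syslog_text.splitlines():
        line = line.strip()
        m = WARN_RE.match(line)
        if m:
            warnings.append(FlowWarning(_parse_ts(m["ts"]), int(m["pid"]), m["msg"]))
            continue
        m = SEGV_RE.match(line)
        if m:
            segfaults.append(Segfault(
                _parse_ts(m["ts"]), int(m["pid"]), int(m["addr"], 16),
                int(m["ip"], 16), int(m["sp"], 16), int(m["err"]),
                int(m["base"], 16) if m["base"] else None,
                int(m["size"], 16) if m["size"] else None))

    findings = []
    for seg in segfaults:
        earlier = [w for w in warnings if w.ts <= seg.ts]
        gap = int((seg.ts - earlier[-1].ts).total_seconds()) if earlier else None
        off = seg.offset()
        findings.append({
            "pid": seg.pid,
            "ip": f"0x{seg.ip:x}",
            "error": describe_error(seg.err),
            "null_deref": seg.addr == 0,      # "segfault at 0": NULL pointer read
            "offset": off,                    # feed to addr2line on a .devel build
            "addr2line_hint": None if off is None else f"addr2line -e argus -f 0x{off:x}",
            "seconds_since_last_warning": gap,
        })
    return {"warnings": warnings, "segfaults": segfaults, "findings": findings}


if __name__ == "__main__":
    for f in triage(SAMPLE_SYSLOG)["findings"]:
        print(f)
```

For the 3.0.6.1 line this yields a user-mode read of a non-present page at address 0, i.e. a NULL pointer dereference, at offset 0x11c20 into the argus mapping, almost five hours after the last flow-key warning; the RHEL5 kernel did not print the mapping, so only the raw instruction pointer is available there. The long gap is worth noting before assuming the warnings and the crash share a cause, which is why capturing the non-IP traffic, as suggested above, is the more direct route.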