Argus 3.0.2/3.0.6.1 segfaults

Robert Kerr r.kerr at cranfield.ac.uk
Wed May 29 12:09:02 EDT 2013


On 28/05/13 18:03, Carter Bullard wrote:
> Hey Robert,
> Sorry you're having problems.

> The warning messages are indicative of some weird issue(s), but
> argus does tolerate this situation pretty well.  The wire can come up
> with strange protocols, or different encapsulations that cause us to
> try to formulate a 5-tuple flow key, but in a protocol that we don't know
> how to parse.

As far as I can recall I've always had the odd warning message and as
you say it hasn't caused crashes before. Happy to help you investigate
these once the crash is resolved.

[snip debug info]

> A way to debug this, I suspect, is to capture the packets on the same
> wire, to see if we can get argus to fail with a reproducible packet
> stream.  I suspect that if you captured non-IP packets using
> tcpdump, we would find the offending packet, any opportunity
> to do that?

Possibly... do you think IPv6 traffic is a likely culprit or something
purely layer 2? Reason I ask is it's a dual stack segment with a healthy
amount of IPv6 traffic. Capturing non-IP should be relatively easy, but
capturing non-IPv4 is likely to run me out of disk space before the
issue reoccurs.

Thanks,

-- 
 Robert Kerr


