Argus 3.0.2/3.0.6.1 segfaults

Carter Bullard carter at qosient.com
Wed May 29 13:08:47 EDT 2013


Hey Robert,
Any odd protocol could be getting us, so yes, a v6 option or a v6 ICMP
packet could present us with something we haven't seen before.
I was going with a possible L2 LCP problem, as we didn't do the same
return checking in those routines as the others.  I've fixed it in argus-3.0.7.3,
but it is just a wild guess.

The next crash should tell us where we are, with symbols compiled in, 
which may be all we need, but I would still go with " not ip " and see
what you get.

Thanks !!!!!

Carter


On May 29, 2013, at 12:09 PM, Robert Kerr <r.kerr at cranfield.ac.uk> wrote:

> On 28/05/13 18:03, Carter Bullard wrote:
>> Hey Robert,
>> Sorry you're having problems.
> 
>> The warning messages are indicative of some weird issue(s), but
>> argus does tolerate this situation pretty well.  The wire can come up
>> with strange protocols, or different encapsulations that cause us to
>> try to formulate a 5-tuple flow key, but in a protocol that we don't know
>> how to parse.
> 
> As far as I can recall I've always had the odd warning message and as
> you say it hasn't caused crashes before. Happy to help you investigate
> these once the crash is resolved.
> 
> [snip debug info]
> 
>> A way to debug this, I suspect, is to capture the packets on the same
>> wire, to see if we can get argus to fail with a reproducible packet
>> stream.  I suspect that if you captured non-IP packets using
>> tcpdump, we would find the offending packet, any opportunity
>> to do that?
> 
> Possibly... do you think IPv6 traffic is a likely culprit or something
> purely layer 2? Reason I ask is it's a dual stack segment with a healthy
> amount of IPv6 traffic. Capturing non-IP should be relatively easy, but
> capturing non-IPv4 is likely to run me out of disk space before the
> issue reoccurs.
> 
> Thanks,
> 
> -- 
> Robert Kerr
> 
