argus-clients-3.0.7.16 now available

David Edelman dedelman at iname.com
Tue Oct 1 18:50:50 EDT 2013


Carter,

I'll collect some of the Netflow material and send it to you. Just to
complete the fix below, it looks like the area code is now an integer as
well.

--Dave



-----Original Message-----
From: Carter Bullard [mailto:carter at qosient.com] 
Sent: Tuesday, October 01, 2013 11:45 AM
To: David Edelman
Cc: 'Argus'
Subject: Re: [ARGUS] argus-clients-3.0.7.16 now available

Hey Dave,
OK, this is fixed.  We were trying to parse the GeoIP metro value
as a string, rather than an integer.  Seems that MaxMind is changing
things in their data structures.  I just downloaded 1.5.1, and a few
things are different, like having a netmask value, etc.

I've updated argus-3.0.7.17 to reflect the modifications.


Here is a quick fix patch:

==== //depot/argus/clients/include/argus_label.h#20 -
//argus/clients/include/argus_label.h ====

159c159
<    { "metro", "%s", 5, 16, 0, ARGUS_GEOIP_METRO_CODE},
---
>    { "metro", "%d", 5, 16, 0, ARGUS_GEOIP_METRO_CODE},
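
Review bot: the "%d" on line 159 is only correct if the code that consumes this table entry passes an int for ARGUS_GEOIP_METRO_CODE. The format string lives in the header table while the snprintf call sits in ArgusPrintGeoIPRecord (frame #4 of the backtrace quoted below, argus_label.c:467), so the compiler's format checking cannot pair the two and the same mismatch can recur silently. Worth auditing the neighbouring entries against the 1.5.1 structure changes in the same pass (the follow-up at the top of this thread reports that area code is now an integer as well), and consider recording the value type in the entry so the print routine can pick the conversion itself rather than trusting a free-form format string.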

Carter


On Sep 30, 2013, at 7:50 PM, David Edelman <dedelman at iname.com> wrote:

> Carter, the problem that I see with the GeoIP labeling is triggered only if I
> include the metro attribute. I get a segfault as follows:
> 
> Program received signal SIGSEGV, Segmentation fault.
> 0x001ac38b in strlen () from /lib/libc.so.6
> Missing separate debuginfos, use: debuginfo-install glibc-2.9-3.i686 libgcc-4.3.2-7.i386 tcp_wrappers-libs-7.6-53.fc10.i386 zlib-1.2.3-18.fc9.i386
> (gdb) info threads
>  3 Thread 0xb66adb90 (LWP 10053)  0x00b65424 in __kernel_vsyscall ()
>  2 Thread 0xb70aeb90 (LWP 10052)  0x00b65424 in __kernel_vsyscall ()
> * 1 Thread 0xb7fe7b00 (LWP 10043)  0x001ac38b in strlen () from /lib/libc.so.6
> (gdb) thread 1
> [Switching to thread 1 (Thread 0xb7fe7b00 (LWP 10043))]#0  0x001ac38b in strlen () from /lib/libc.so.6
> (gdb) where
> #0  0x001ac38b in strlen () from /lib/libc.so.6
> #1  0x001784e0 in vfprintf () from /lib/libc.so.6
> #2  0x0019cfc4 in vsnprintf () from /lib/libc.so.6
> #3  0x0017e972 in snprintf () from /lib/libc.so.6
> #4  0x080d7360 in ArgusPrintGeoIPRecord (parser=0xb7f74008, gir=0xa7cd118, label=0xbffaf14c "sname=laccolbogwipc001.lac.nsroot.net:dname=198.41.0.4:dport=domain:scity=Reston,", found=3, prefix=0x80fc702 "scity=") at ./argus_label.c:467
> #5  0x080d8100 in ArgusLabelRecord (parser=0xb7f74008, argus=0xa7cc280) at ./argus_label.c:780
> #6  0x0804c266 in RaProcessRecord (parser=0xb7f74008, argus=0xb7e50554) at ./radium.c:532
> #7  0x08054015 in RaScheduleRecord (parser=0xb7f74008, ns=0xb7e50554) at ./argus_util.c:2578
> #8  0x080545e8 in ArgusHandleDatum (parser=0xb7f74008, input=0xb7e50008, ptr=0xb3a68008, filter=0xb7fc4d9c) at ./argus_util.c:2689
> #9  0x080a265a in ArgusReadStreamSocket (parser=0xb7f74008, input=0xb7e50008) at ./argus_client.c:440
> #10 0x080a3119 in ArgusReadStream (parser=0xb7f74008, queue=0x85e7128) at ./argus_client.c:755
> #11 0x0804ddfc in main (argc=3, argv=0xbffff694) at ./argus_main.c:365
> 
> 
> I looked at the other two threads and they don't show any signs of
> contributing to the problem. If I remove metro from the attributes list,
> everything is fine. If I add two other attributes, (region and cco) that
> seems fine. GDB break at ArgusPrintGeoIPRecord and then at the case item for
> the metro code shows that there is a value for the metro code (613) and that
> all of the parameters seem to be valid including the format (%s)
> 
> 
> 
> --Dave
> 
> 
> 
> -----Original Message-----
> From: Carter Bullard [mailto:carter at qosient.com] 
> Sent: Monday, September 30, 2013 10:20 AM
> To: David Edelman
> Cc: Argus
> Subject: Re: [ARGUS] argus-clients-3.0.7.16 now available
> 
> Hey Dave,
> Thanks !!!!!!
> I'll fix these today / this week.
> 
> I don't get the problems you see with GeoIP.
> If you could do the gdb() thing that would be great, if not, I'll
> need to know machine / OS type, how radium is called, etc.  For
> me to replicate the problem to debug, I'll also need the label
> configuration files you are using.
> 
> I'll look at the Netflow issue, do you expect the output to be:
>   00:00:00:00:00:03
> 
> or would you rather it be:
>   3
> 
> I can make an exception for Netflow data and L2 data types, but
> there isn't a real L2 type of (short int), so I'll have
> to think of what to do to make this exception throughout the
> whole system.
> 
> Carter
> 
> 
> 
> On Sep 28, 2013, at 1:10 PM, David Edelman <dedelman at iname.com> wrote:
> 
>> Carter,
>> 
>> This version looks pretty good. I've been hammering on rasqlinsert and it
>> looks very stable. I have seen two problems:
>> 
>> 1 - If .rarc is set to only translate proto then using :n in ratop and
>> setting the value to all or port does not get the port names to display.
>> Setting it to all will do the hostname translation but not port. If .rarc
>> is set to port, then it all works
>> 2 - If I specify any of the GeoIP labeling options then radium seg faults.
>> I downloaded the latest libraries and data files from MaxMind and rebuilt
>> the clients, but no luck. As far as ldd can tell, I am linked with the
>> correct library. If you need me to, I can do some debugging on this later
>> today.
>> 
>> 
>> A nit, but not really a problem - dmac and smac have the NetFlow port
>> index numbers but it looks like you may be doing hton conversion on the
>> value so the display is a bit odd. I get 00:00:00:00:03:00 for port
>> index 3
>> 
>> 
>> 
>> 
>> --Dave
>> 
>> 
>> 
>> On 9/27/13 3:32 AM, "Carter Bullard" <carter at qosient.com> wrote:
>> 
>>> Gentle people,
>>> New clients are on the development server, which fixes all known bugs,
>>> well, at least the ones that I'm aware of that needed to be fixed.
>>> However, if you download the code, and your problem is not resolved,
>>> please holler, as I'd like to get the code ready for stable release.
>>> 
>>> http://qosient.com/argus/dev/argus-clients-latest.tar.gz
>>> 
>>> 
>>> This version has failed and now passed a large number of memory tests,
>>> as we had a serious stack corruption problem after fixing the big label
>>> merging and processing bugs a few weeks back.
>>> 
>>> Lots of little nits are now working, and of course, filtering and sorting
>>> with -0.0 as a valid value, are now working.
>>> 
>>> I still need to work on ranonymize() performance, and followup on SQL
>>> database performance issues.
>>> 
>>> And then on to argus-3.0.7.5Š.
>>> 
>>> Hope all is most excellent, and thanks for all the help !!!!!
>>> 
>>> Carter
>>> 
>>> 
>>> 
> 
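
The crash in this thread (a table-supplied `%s` applied to the integer metro code 613, faulting in strlen under snprintf) and one way to rule that class of bug out, as an added example that is not Argus code. The struct, enum and function names are hypothetical, and the sample value is constructed from the number quoted in the thread.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins, not the Argus structures. */
enum val_type { VAL_STR, VAL_INT };

struct geo_field {            /* one label-table entry */
    const char *name;
    enum val_type type;       /* type the printer expects for this field */
};

struct geo_value {            /* value as delivered by the GeoIP library */
    enum val_type type;
    union { const char *s; int i; } u;
};

/* Writes "name=value" into buf. Returns the length written, or -1 when the
 * table entry and the value disagree on type, or the output would not fit.
 * Each format is a literal next to its argument, so -Wformat can check it;
 * a "%s" loaded from a table and handed the int 613 would instead make
 * snprintf call strlen() on address 613. */
int print_field(char *buf, size_t len, const struct geo_field *f,
                const struct geo_value *v)
{
    int n;

    if (f->type != v->type)
        return -1;            /* stale table entry: refuse, do not print */
    if (v->type == VAL_STR)
        n = snprintf(buf, len, "%s=%s", f->name, v->u.s ? v->u.s : "");
    else
        n = snprintf(buf, len, "%s=%d", f->name, v->u.i);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

int main(void)
{
    char buf[32];
    struct geo_field stale = { "metro", VAL_STR };   /* pre-fix table entry */
    struct geo_field fixed = { "metro", VAL_INT };   /* post-fix table entry */
    struct geo_value metro = { VAL_INT, { .i = 613 } }; /* constructed value */

    printf("stale entry -> %d\n", print_field(buf, sizeof buf, &stale, &metro));
    if (print_field(buf, sizeof buf, &fixed, &metro) > 0)
        printf("fixed entry -> %s\n", buf);
    return 0;
}
```

With the type carried alongside the value, a library upgrade that changes a field from string to integer produces a refused label instead of a SIGSEGV in the collector.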
