argus-clients-3.0.7.16 now available

David Edelman dedelman at iname.com
Mon Sep 30 19:50:11 EDT 2013


Carter, the problem that I see with the GeoIP labeling is triggered only if I
include the metro attribute. I get a segfault as follows:

Program received signal SIGSEGV, Segmentation fault.
0x001ac38b in strlen () from /lib/libc.so.6
Missing separate debuginfos, use: debuginfo-install glibc-2.9-3.i686 libgcc-4.3.2-7.i386 tcp_wrappers-libs-7.6-53.fc10.i386 zlib-1.2.3-18.fc9.i386
(gdb) info threads
  3 Thread 0xb66adb90 (LWP 10053)  0x00b65424 in __kernel_vsyscall ()
  2 Thread 0xb70aeb90 (LWP 10052)  0x00b65424 in __kernel_vsyscall ()
* 1 Thread 0xb7fe7b00 (LWP 10043)  0x001ac38b in strlen () from /lib/libc.so.6
(gdb) thread 1
[Switching to thread 1 (Thread 0xb7fe7b00 (LWP 10043))]#0  0x001ac38b in strlen () from /lib/libc.so.6
(gdb) where
#0  0x001ac38b in strlen () from /lib/libc.so.6
#1  0x001784e0 in vfprintf () from /lib/libc.so.6
#2  0x0019cfc4 in vsnprintf () from /lib/libc.so.6
#3  0x0017e972 in snprintf () from /lib/libc.so.6
#4  0x080d7360 in ArgusPrintGeoIPRecord (parser=0xb7f74008, gir=0xa7cd118, label=0xbffaf14c "sname=laccolbogwipc001.lac.nsroot.net:dname=198.41.0.4:dport=domain:scity=Reston,", found=3,
    prefix=0x80fc702 "scity=") at ./argus_label.c:467
#5  0x080d8100 in ArgusLabelRecord (parser=0xb7f74008, argus=0xa7cc280) at ./argus_label.c:780
#6  0x0804c266 in RaProcessRecord (parser=0xb7f74008, argus=0xb7e50554) at ./radium.c:532
#7  0x08054015 in RaScheduleRecord (parser=0xb7f74008, ns=0xb7e50554) at ./argus_util.c:2578
#8  0x080545e8 in ArgusHandleDatum (parser=0xb7f74008, input=0xb7e50008, ptr=0xb3a68008, filter=0xb7fc4d9c) at ./argus_util.c:2689
#9  0x080a265a in ArgusReadStreamSocket (parser=0xb7f74008, input=0xb7e50008) at ./argus_client.c:440
#10 0x080a3119 in ArgusReadStream (parser=0xb7f74008, queue=0x85e7128) at ./argus_client.c:755
#11 0x0804ddfc in main (argc=3, argv=0xbffff694) at ./argus_main.c:365


I looked at the other two threads and they don't show any signs of
contributing to the problem. If I remove metro from the attributes list,
everything is fine. If I add two other attributes (region and cco), that
seems fine. GDB break at ArgusPrintGeoIPRecord and then at the case item for
the metro code shows that there is a value for the metro code (613) and that
all of the parameters seem to be valid including the format (%s).



--Dave
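
A format/argument mismatch is one way a backtrace of this shape (snprintf, vfprintf, strlen) can arise: a numeric value handed to a %s conversion is read as a pointer. The sketch below is an added example, not code from Argus or from this thread; the struct, the helper names and the sregion=/smetro= prefixes are hypothetical, and it assumes the metro code is stored as an integer.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a GeoIP city record (not the MaxMind struct). */
struct geo_rec {
    const char *city;
    const char *region;
    int metro_code;   /* assumption: numeric, like the 613 seen in gdb */
};

/* Unsafe pattern, shown only as a comment because it is undefined behaviour:
 *     snprintf(buf, len, "%s", rec->metro_code);
 * printf-family code would treat 613 as a char * and read from address 613. */

/* Append prefix + text + ","; 0 on success, -1 if it does not fit (label restored). */
static int append_str(char *label, size_t cap, const char *prefix, const char *val)
{
    size_t used = strlen(label);
    if (val == NULL) return 0;   /* absent field: skip instead of formatting NULL */
    int n = snprintf(label + used, cap - used, "%s%s,", prefix, val);
    if (n < 0 || (size_t)n >= cap - used) { label[used] = '\0'; return -1; }
    return 0;
}

/* Same contract, but the integer is formatted with an integer conversion. */
static int append_int(char *label, size_t cap, const char *prefix, int val)
{
    size_t used = strlen(label);
    int n = snprintf(label + used, cap - used, "%s%d,", prefix, val);
    if (n < 0 || (size_t)n >= cap - used) { label[used] = '\0'; return -1; }
    return 0;
}

/* Build the label; "sregion=" and "smetro=" are made-up prefixes. */
static int geo_label(const struct geo_rec *r, char *label, size_t cap)
{
    if (cap == 0) return -1;
    label[0] = '\0';
    if (append_str(label, cap, "scity=", r->city)) return -1;
    if (append_str(label, cap, "sregion=", r->region)) return -1;
    return append_int(label, cap, "smetro=", r->metro_code);
}

int main(void)
{
    struct geo_rec r = { "Reston", NULL, 613 };   /* constructed sample */
    char label[64];
    if (geo_label(&r, label, sizeof label) == 0) puts(label);
    return 0;
}
```

With a literal format string, GCC's -Wformat (part of -Wall) reports a %s conversion paired with an int argument at compile time.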



-----Original Message-----
From: Carter Bullard [mailto:carter at qosient.com] 
Sent: Monday, September 30, 2013 10:20 AM
To: David Edelman
Cc: Argus
Subject: Re: [ARGUS] argus-clients-3.0.7.16 now available

Hey Dave,
Thanks !!!!!!
I'll fix these today / this week.

I don't get the problems you see with GeoIP.
If you could do the gdb() thing that would be great, if not, I'll
need to know machine / OS type, how radium is called, etc.  For
me to replicate the problem to debug, I'll also need the label
configuration files you are using.

I'll look at the Netflow issue, do you expect the output to be:
   00:00:00:00:00:03

or would you rather it be:
   3

I can make an exception for Netflow data and L2 data types, but
there isn't a real L2 type of (short int), so I'll have
to think of what to do to make this exception throughout the
whole system.

Carter



On Sep 28, 2013, at 1:10 PM, David Edelman <dedelman at iname.com> wrote:

> Carter,
> 
> This version looks pretty good. I've been hammering on rasqlinsert and it
> looks very stable. I have seen two problems:
> 
> 1 - If .rarc is set to only translate proto then using :n in ratop and
> setting the value to all or port does not get the port names to display.
> Setting it to all will do the hostname translation but not port. If .rarc
> is set to port, then it all works.
> 2 - If I specify any of the GeoIP labeling options then radium seg faults.
> I downloaded the latest libraries and data files from MaxMind and rebuilt
> the clients, but no luck. As far as ldd can tell, I am linked with the
> correct library. If you need me to, I can do some debugging on this later
> today.
> 
> 
> A nit, but not really a problem - dmac and smac have the NetFlow port
> index numbers but it looks like you may be doing hton conversion on the
> value so the display is a bit odd. I get 00:00:00:00:03:00 for port index
> 3.
> 
> 
> 
> 
> --Dave
> 
> 
> 
> On 9/27/13 3:32 AM, "Carter Bullard" <carter at qosient.com> wrote:
> 
>> Gentle people,
>> New clients are on the development server, which fixes all known bugs,
>> well, at least the ones that I'm aware of that needed to be fixed.
>> However, if you download the code, and your problem is not resolved,
>> please holler, as I'd like to get the code ready for stable release.
>> 
>>  http://qosient.com/argus/dev/argus-clients-latest.tar.gz
>> 
>> 
>> This version has failed and now passed a large number of memory tests,
>> as we had a serious stack corruption problem after fixing the big label
>> merging and processing bugs a few weeks back.
>> 
>> Lots of little nits are now working, and of course, filtering and sorting
>> with -0.0 as a valid value, are now working.
>> 
>> I still need to work on ranonymize() performance, and follow up on SQL
>> database performance issues.
>> 
>> And then on to argus-3.0.7.5….
>> 
>> Hope all is most excellent, and thanks for all the help !!!!!
>> 
>> Carter
>> 
>> 
>> 
