argus ppp traffic

CS Lee geek00l at gmail.com
Thu Apr 24 21:49:04 EDT 2014


Hi Carter,

Yes, I have enabled tunnel discovery in argus.conf but it still segfaults. I
tried it with another dump and it seems to work. For this Teredo.pcap, the
header starts with

FF03 0021, and that should be IPv4 over PPP.


On Fri, Apr 25, 2014 at 9:16 AM, Carter Bullard <carter at qosient.com> wrote:

> Hey CS Lee,
> Do you have tunnel discovery on in your argus.conf file???
> The file name suggests that it's Teredo, which we will try to parse if that
> option is "yes".
> Carter
>
> On Apr 24, 2014, at 4:17 PM, CS Lee <geek00l at gmail.com> wrote:
>
> Hi Carter,
>
> I downloaded the pcap from pcapr.net -
>
> http://www.pcapr.net/view/tyson.key/2009/9/3/13/Teredo.pcap.html
>
> And I ran into a segfault when converting the packets into flows; it seems
> that it is PPP-encapsulated traffic -
>
> gdb /usr/local/stow/argus-3.0.7.5-debug/sbin/argus
> GNU gdb (Ubuntu 7.7-0ubuntu3) 7.7
> Copyright (C) 2014 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later <
> http://gnu.org/licenses/gpl.html>
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
> and "show warranty" for details.
> This GDB was configured as "x86_64-linux-gnu".
> Type "show configuration" for configuration details.
> For bug reporting instructions, please see:
> <http://www.gnu.org/software/gdb/bugs/>.
> Find the GDB manual and other documentation resources online at:
> <http://www.gnu.org/software/gdb/documentation/>.
> For help, type "help".
> Type "apropos word" to search for commands related to "word"...
> Reading symbols from /usr/local/stow/argus-3.0.7.5-debug/sbin/argus...done.
> (gdb) run -r Teredo.pcap -w Teredo.arg3
> Starting program: /usr/local/stow/argus-3.0.7.5-debug/sbin/argus -r
> Teredo.pcap -w Teredo.arg3
> [Thread debugging using libthread_db enabled]
> Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
> [New Thread 0x7ffff6a81700 (LWP 22830)]
> [New Thread 0x7ffff5df4700 (LWP 22831)]
>
> Program received signal SIGSEGV, Segmentation fault.
> [Switching to Thread 0x7ffff5df4700 (LWP 22831)]
> ArgusCreateIPv4Flow (model=model at entry=0x7ffff7e0f010, ip=0x0) at
> ArgusModeler.c:4076
> 4076       unsigned char *nxtHdr = (unsigned char *)((char *)ip +
> (ip->ip_hl << 2));
> (gdb) where
> #0  ArgusCreateIPv4Flow (model=model at entry=0x7ffff7e0f010, ip=0x0) at
> ArgusModeler.c:4076
> #1  0x000000000040cac1 in ArgusCreateFlow (model=model at entry=0x7ffff7e0f010,
>
>     ptr=ptr at entry=0x66ad44, length=length at entry=89) at ArgusModeler.c:1861
> #2  0x000000000040d3bd in ArgusProcessIpPacket (model=0x7ffff7e0f010,
>     ip=ip at entry=0x66ad44, length=length at entry=89, tvp=tvp at entry
> =0x7ffff5df3a40)
>     at ArgusModeler.c:1675
> #3  0x000000000040e17b in ArgusPppPacket (user=0x7ffff5e76010 "",
> h=0x7ffff5df3b30,
>     p=0x66ad40 "\377\003") at ArgusSource.c:3229
> #4  0x00007ffff7bb8b71 in ?? () from
> /usr/lib/x86_64-linux-gnu/libpcap.so.0.8
> #5  0x00000000004138a4 in ArgusGetPackets (arg=0x7ffff5e76010) at
> ArgusSource.c:4113
> #6  0x00007ffff7986182 in start_thread (arg=0x7ffff5df4700) at
> pthread_create.c:312
> #7  0x00007ffff719430d in clone () at
> ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
>
>
> --
> Best Regards,
>
> CS Lee<geek00L[at]gmail.com>
>
> http://geek00l.blogspot.com
> http://defcraft.com.my
>
>


-- 
Best Regards,

CS Lee<geek00L[at]gmail.com>

http://geek00l.blogspot.com
http://defcraft.net
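The backtrace above shows ArgusCreateIPv4Flow being entered with ip=0x0 from ArgusPppPacket, and the frame in question starts with FF03 0021 (PPP address 0xFF, control 0x03, protocol 0x0021 = IPv4). The following is an added example, not argus code, of parsing a PPP frame defensively so that the IPv4 header is never dereferenced until its presence and length have been checked. The function names (ppp_parse, ppp_ipv4_hdr_len, ppp_proto_of) and the sample frames are constructed for this illustration; the PPP constants come from RFC 1661 and RFC 1662. It goes slightly beyond the mail by also handling the one-octet protocol field used when Protocol-Field-Compression is negotiated.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not argus code. PPP over HDLC-like framing (RFC 1662):
 * address 0xFF, control 0x03, then the protocol field (RFC 1661). */
#define PPP_ADDR_ALLSTATIONS 0xFFu
#define PPP_CTRL_UI          0x03u
#define PPP_PROTO_IPV4       0x0021u
#define PPP_PROTO_IPV6       0x0057u
#define PPP_PROTO_LCP        0xC021u

struct ppp_info {
    unsigned proto;          /* PPP protocol number, e.g. 0x0021 for IPv4 */
    const uint8_t *payload;  /* first byte after the protocol field */
    size_t payload_len;      /* bytes remaining after the protocol field */
};

/* Parse the PPP header. Returns 0 on success, -1 on a truncated or
 * malformed frame. If the low bit of the first protocol octet is set the
 * protocol field is one octet long (Protocol-Field-Compression, RFC 1661
 * section 6.5); otherwise it is two octets. */
int ppp_parse(const uint8_t *frame, size_t len, struct ppp_info *out)
{
    size_t off = 0;
    if (frame == NULL || out == NULL || len < 2) return -1;
    if (frame[0] != PPP_ADDR_ALLSTATIONS || frame[1] != PPP_CTRL_UI) return -1;
    off = 2;
    if (len - off < 1) return -1;
    if (frame[off] & 0x01u) {                 /* compressed one-octet protocol */
        out->proto = frame[off];
        off += 1;
    } else {
        if (len - off < 2) return -1;         /* protocol field truncated */
        out->proto = ((unsigned)frame[off] << 8) | frame[off + 1];
        off += 2;
    }
    out->payload = frame + off;
    out->payload_len = len - off;
    return 0;
}

/* Convenience: the PPP protocol number of a frame, or -1 if it cannot be parsed. */
int ppp_proto_of(const uint8_t *frame, size_t len)
{
    struct ppp_info info;
    if (ppp_parse(frame, len, &info) != 0) return -1;
    return (int)info.proto;
}

/* IPv4 header length in bytes for a PPP frame carrying IPv4, or -1 when the
 * frame is not IPv4 or the header is truncated or invalid. Every read of the
 * IP header is preceded by a check, so nothing is computed from a pointer
 * that is NULL or points past the captured bytes. */
int ppp_ipv4_hdr_len(const uint8_t *frame, size_t len)
{
    struct ppp_info info;
    unsigned version, ihl;
    if (ppp_parse(frame, len, &info) != 0) return -1;
    if (info.proto != PPP_PROTO_IPV4) return -1;   /* LCP, IPCP, IPv6, ... */
    if (info.payload_len < 20) return -1;          /* minimum IPv4 header */
    version = info.payload[0] >> 4;
    ihl = (info.payload[0] & 0x0Fu) * 4;           /* what ip->ip_hl << 2 reads */
    if (version != 4 || ihl < 20 || ihl > info.payload_len) return -1;
    return (int)ihl;
}

/* Constructed sample frames (not taken from Teredo.pcap). */
static const uint8_t frame_ipv4[] = {
    0xFF, 0x03, 0x00, 0x21,                          /* PPP, protocol IPv4 */
    0x45, 0x00, 0x00, 0x14, 0x00, 0x00, 0x40, 0x00,  /* IPv4 header, IHL=5 */
    0x40, 0x01, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x01,
    0x0A, 0x00, 0x00, 0x02
};
static const uint8_t frame_ipv4_pfc[] = {
    0xFF, 0x03, 0x21,                                /* compressed protocol */
    0x45, 0x00, 0x00, 0x14, 0x00, 0x00, 0x40, 0x00,
    0x40, 0x01, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x01,
    0x0A, 0x00, 0x00, 0x02
};
static const uint8_t frame_lcp[]        = { 0xFF, 0x03, 0xC0, 0x21, 0x01, 0x01, 0x00, 0x04 };
static const uint8_t frame_short[]      = { 0xFF, 0x03, 0x00 };
static const uint8_t frame_ipv4_trunc[] = { 0xFF, 0x03, 0x00, 0x21, 0x45, 0x00 };

int main(void)
{
    printf("ipv4       -> %d\n", ppp_ipv4_hdr_len(frame_ipv4, sizeof frame_ipv4));
    printf("ipv4 (pfc) -> %d\n", ppp_ipv4_hdr_len(frame_ipv4_pfc, sizeof frame_ipv4_pfc));
    printf("lcp        -> %d\n", ppp_ipv4_hdr_len(frame_lcp, sizeof frame_lcp));
    printf("short      -> %d\n", ppp_ipv4_hdr_len(frame_short, sizeof frame_short));
    printf("truncated  -> %d\n", ppp_ipv4_hdr_len(frame_ipv4_trunc, sizeof frame_ipv4_trunc));
    return 0;
}
```

The two constructed IPv4 frames yield a header length of 20; the LCP frame, the three-byte frame and the frame whose IPv4 header is cut short all yield -1 instead of reaching any code that reads ip_hl. That separation, a parser that can say "no IP header here" and a caller that honours it, is the check a crash at ArgusModeler.c:4076 with ip=0x0 points to.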