argus ppp traffic

Carter Bullard carter at qosient.com
Fri Apr 25 08:46:46 EDT 2014


Hey CS Lee,
If you turn TD off, does it get better ???
Carter

Carter Bullard, QoSient, LLC
150 E. 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax

> On Apr 24, 2014, at 6:49 PM, CS Lee <geek00l at gmail.com> wrote:
> 
> hi Carter, 
> 
> Yes, I have enabled tunnel discovery in argus.conf but it still segfaults. I tried it with another dump and it seems to work. For this Teredo.pcap, the header starts with FF03 0021, and that should be IPv4 over PPP.
> 
> 
>> On Fri, Apr 25, 2014 at 9:16 AM, Carter Bullard <carter at qosient.com> wrote:
>> Hey CS Lee,
>> do you have tunnel discovery on in your argus.conf file ???
>> the file name suggests that it's Teredo, which we will try to parse if that option is " yes ".
>> Carter
>> 
>>> On Apr 24, 2014, at 4:17 PM, CS Lee <geek00l at gmail.com> wrote:
>>> 
>>> hi Carter,
>>> 
>>> I downloaded the pcap from pcapr.net - 
>>> 
>>> http://www.pcapr.net/view/tyson.key/2009/9/3/13/Teredo.pcap.html
>>> 
>>> And I ran into a segfault when converting the packets into flows; it seems that it is PPP-encapsulated traffic -
>>> 
>>> gdb /usr/local/stow/argus-3.0.7.5-debug/sbin/argus 
>>> GNU gdb (Ubuntu 7.7-0ubuntu3) 7.7
>>> Copyright (C) 2014 Free Software Foundation, Inc.
>>> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
>>> This is free software: you are free to change and redistribute it.
>>> There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
>>> and "show warranty" for details.
>>> This GDB was configured as "x86_64-linux-gnu".
>>> Type "show configuration" for configuration details.
>>> For bug reporting instructions, please see:
>>> <http://www.gnu.org/software/gdb/bugs/>.
>>> Find the GDB manual and other documentation resources online at:
>>> <http://www.gnu.org/software/gdb/documentation/>.
>>> For help, type "help".
>>> Type "apropos word" to search for commands related to "word"...
>>> Reading symbols from /usr/local/stow/argus-3.0.7.5-debug/sbin/argus...done.
>>> (gdb) run -r Teredo.pcap -w Teredo.arg3
>>> Starting program: /usr/local/stow/argus-3.0.7.5-debug/sbin/argus -r Teredo.pcap -w Teredo.arg3
>>> [Thread debugging using libthread_db enabled]
>>> Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
>>> [New Thread 0x7ffff6a81700 (LWP 22830)]
>>> [New Thread 0x7ffff5df4700 (LWP 22831)]
>>> 
>>> Program received signal SIGSEGV, Segmentation fault.
>>> [Switching to Thread 0x7ffff5df4700 (LWP 22831)]
>>> ArgusCreateIPv4Flow (model=model at entry=0x7ffff7e0f010, ip=0x0) at ArgusModeler.c:4076
>>> 4076       unsigned char *nxtHdr = (unsigned char *)((char *)ip + (ip->ip_hl << 2));
>>> (gdb) where
>>> #0  ArgusCreateIPv4Flow (model=model at entry=0x7ffff7e0f010, ip=0x0) at ArgusModeler.c:4076
>>> #1  0x000000000040cac1 in ArgusCreateFlow (model=model at entry=0x7ffff7e0f010, 
>>>     ptr=ptr at entry=0x66ad44, length=length at entry=89) at ArgusModeler.c:1861
>>> #2  0x000000000040d3bd in ArgusProcessIpPacket (model=0x7ffff7e0f010, 
>>>     ip=ip at entry=0x66ad44, length=length at entry=89, tvp=tvp at entry=0x7ffff5df3a40)
>>>     at ArgusModeler.c:1675
>>> #3  0x000000000040e17b in ArgusPppPacket (user=0x7ffff5e76010 "", h=0x7ffff5df3b30, 
>>>     p=0x66ad40 "\377\003") at ArgusSource.c:3229
>>> #4  0x00007ffff7bb8b71 in ?? () from /usr/lib/x86_64-linux-gnu/libpcap.so.0.8
>>> #5  0x00000000004138a4 in ArgusGetPackets (arg=0x7ffff5e76010) at ArgusSource.c:4113
>>> #6  0x00007ffff7986182 in start_thread (arg=0x7ffff5df4700) at pthread_create.c:312
>>> #7  0x00007ffff719430d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
>>> 
>>> 
>>> -- 
>>> Best Regards,
>>> 
>>> CS Lee<geek00L[at]gmail.com>
>>> 
>>> http://geek00l.blogspot.com
>>> http://defcraft.com.my
> 
> 
> 
> -- 
> Best Regards,
> 
> CS Lee<geek00L[at]gmail.com>
> 
> http://geek00l.blogspot.com
> http://defcraft.net
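The backtrace quoted above shows ArgusPppPacket handing a packet to ArgusProcessIpPacket and ArgusCreateIPv4Flow receiving ip=0x0, which then dereferences ip->ip_hl. The following is an added example, not argus code and not an explanation of argus's actual bug: a small standalone PPP frame decoder that strips the optional FF 03 address/control prefix, reads the one- or two-byte protocol field, and refuses to hand a NULL or undersized pointer to an IPv4 header check. All function and type names (ppp_decode, ipv4_header_ok, ppp_network_family) and the sample frames are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define PPP_IP    0x0021   /* IPv4 over PPP (RFC 1332) */
#define PPP_IPV6  0x0057   /* IPv6 over PPP (RFC 5072) */
#define PPP_LCP   0xC021   /* Link Control Protocol (RFC 1661) */

/* Hypothetical decode result; not an argus structure. */
typedef struct {
    uint16_t proto;          /* PPP protocol number, 0 if the frame was too short */
    const uint8_t *payload;  /* start of the network-layer packet, or NULL */
    size_t payload_len;      /* bytes available from payload to end of frame */
    int had_addr_ctrl;       /* 1 if the FF 03 address/control bytes were present */
} ppp_decode_t;

/* Decode a PPP frame: optional FF 03 (RFC 1662 HDLC address/control),
 * then a protocol field that is one byte when its low bit is set
 * (protocol field compression) and two bytes otherwise, then payload.
 * On any truncation the payload pointer stays NULL so callers cannot
 * dereference past the buffer. */
ppp_decode_t ppp_decode(const uint8_t *frame, size_t len)
{
    ppp_decode_t r = {0, NULL, 0, 0};
    size_t off = 0;

    if (frame == NULL)
        return r;

    if (len >= 2 && frame[0] == 0xFF && frame[1] == 0x03) {
        r.had_addr_ctrl = 1;
        off = 2;
    }

    if (off >= len)
        return r;                       /* no protocol field at all */
    if (frame[off] & 0x01) {
        r.proto = frame[off];           /* compressed one-byte protocol */
        off += 1;
    } else {
        if (off + 2 > len)
            return r;                   /* truncated two-byte protocol field */
        r.proto = (uint16_t)((frame[off] << 8) | frame[off + 1]);
        off += 2;
    }

    r.payload = frame + off;
    r.payload_len = len - off;
    return r;
}

/* Returns 1 only if p points to an IPv4 header whose IHL and total
 * length both fit inside the len bytes actually available. */
int ipv4_header_ok(const uint8_t *p, size_t len)
{
    if (p == NULL || len < 20)
        return 0;
    unsigned version = p[0] >> 4;
    size_t ihl = (size_t)(p[0] & 0x0F) * 4;
    if (version != 4 || ihl < 20 || ihl > len)
        return 0;
    size_t total = ((size_t)p[2] << 8) | p[3];
    return total >= ihl && total <= len;
}

/* Classify a PPP frame the way a flow builder would before dispatching:
 * 4 for IPv4 with a sane header, 6 for IPv6, 0 for anything else. */
int ppp_network_family(const uint8_t *frame, size_t len)
{
    ppp_decode_t d = ppp_decode(frame, len);
    if (d.payload == NULL)
        return 0;
    if (d.proto == PPP_IP && ipv4_header_ok(d.payload, d.payload_len))
        return 4;
    if (d.proto == PPP_IPV6 && d.payload_len >= 40 && (d.payload[0] >> 4) == 6)
        return 6;
    return 0;
}

/* Constructed sample frames; these are not bytes from Teredo.pcap. */
static const uint8_t frame_ipv4[] = {
    0xFF, 0x03, 0x00, 0x21,                          /* addr/ctrl + IPv4 */
    0x45, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x00,  /* 20-byte IPv4 header, */
    0x40, 0x01, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x01,  /* total length 20      */
    0x0A, 0x00, 0x00, 0x02
};
static const uint8_t frame_short[] = { 0xFF, 0x03, 0x00 };            /* cut mid-protocol */
static const uint8_t frame_lcp[]   = { 0xFF, 0x03, 0xC0, 0x21, 0x01, 0x01, 0x00, 0x04 };

int main(void)
{
    printf("ipv4 frame  -> family %d\n", ppp_network_family(frame_ipv4, sizeof frame_ipv4));
    printf("short frame -> family %d\n", ppp_network_family(frame_short, sizeof frame_short));
    printf("lcp frame   -> family %d\n", ppp_network_family(frame_lcp, sizeof frame_lcp));
    return 0;
}
```

The point of the NULL-payload convention is that a truncated frame, or one carrying a non-IP protocol such as LCP, is rejected at the dispatch step rather than reaching code that reads ip_hl from whatever pointer it was given.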