argus ppp traffic

CS Lee geek00l at gmail.com
Fri Apr 25 08:47:45 EDT 2014


hi Carter,

Same, I have tested both and the segfault happens.


On Fri, Apr 25, 2014 at 8:46 PM, Carter Bullard <carter at qosient.com> wrote:

> Hey CS Lee,
> If you turn TD off, does it get better ???
> Carter
>
> Carter Bullard, QoSient, LLC
> 150 E. 57th Street Suite 12D
> New York, New York 10022
> +1 212 588-9133 Phone
> +1 212 588-9134 Fax
>
> On Apr 24, 2014, at 6:49 PM, CS Lee <geek00l at gmail.com> wrote:
>
> hi Carter,
>
> Yes, I have enabled tunnel discovery in argus.conf but it still segfaults. I
> tried it with another dump and it seems to work. For this Teredo.pcap, the
> header started with
>
> FF03 0021 and that should be ipv4 over ppp.
>
>
> On Fri, Apr 25, 2014 at 9:16 AM, Carter Bullard <carter at qosient.com> wrote:
>
>> Hey CS Lee,
>> do you have tunnel discovery on in your argus.conf file ???
>> the file name suggests that it's Teredo, which we will try to parse if
>> that option is "yes".
>> Carter
>>
>> On Apr 24, 2014, at 4:17 PM, CS Lee <geek00l at gmail.com> wrote:
>>
>> hi Carter,
>>
>> I downloaded the pcap from pcapr.net -
>>
>> http://www.pcapr.net/view/tyson.key/2009/9/3/13/Teredo.pcap.html
>>
>> And I run into a segfault when converting the packets into flows; it seems that
>> it is PPP-encapsulated traffic -
>>
>> gdb /usr/local/stow/argus-3.0.7.5-debug/sbin/argus
>> GNU gdb (Ubuntu 7.7-0ubuntu3) 7.7
>> Copyright (C) 2014 Free Software Foundation, Inc.
>> License GPLv3+: GNU GPL version 3 or later <
>> http://gnu.org/licenses/gpl.html>
>> This is free software: you are free to change and redistribute it.
>> There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
>> and "show warranty" for details.
>> This GDB was configured as "x86_64-linux-gnu".
>> Type "show configuration" for configuration details.
>> For bug reporting instructions, please see:
>> <http://www.gnu.org/software/gdb/bugs/>.
>> Find the GDB manual and other documentation resources online at:
>> <http://www.gnu.org/software/gdb/documentation/>.
>> For help, type "help".
>> Type "apropos word" to search for commands related to "word"...
>> Reading symbols from
>> /usr/local/stow/argus-3.0.7.5-debug/sbin/argus...done.
>> (gdb) run -r Teredo.pcap -w Teredo.arg3
>> Starting program: /usr/local/stow/argus-3.0.7.5-debug/sbin/argus -r
>> Teredo.pcap -w Teredo.arg3
>> [Thread debugging using libthread_db enabled]
>> Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
>> [New Thread 0x7ffff6a81700 (LWP 22830)]
>> [New Thread 0x7ffff5df4700 (LWP 22831)]
>>
>> Program received signal SIGSEGV, Segmentation fault.
>> [Switching to Thread 0x7ffff5df4700 (LWP 22831)]
>> ArgusCreateIPv4Flow (model=model@entry=0x7ffff7e0f010, ip=0x0) at ArgusModeler.c:4076
>> 4076       unsigned char *nxtHdr = (unsigned char *)((char *)ip + (ip->ip_hl << 2));
>> (gdb) where
>> #0  ArgusCreateIPv4Flow (model=model@entry=0x7ffff7e0f010, ip=0x0) at ArgusModeler.c:4076
>> #1  0x000000000040cac1 in ArgusCreateFlow (model=model@entry=0x7ffff7e0f010,
>>     ptr=ptr@entry=0x66ad44, length=length@entry=89) at ArgusModeler.c:1861
>> #2  0x000000000040d3bd in ArgusProcessIpPacket (model=0x7ffff7e0f010,
>>     ip=ip@entry=0x66ad44, length=length@entry=89, tvp=tvp@entry=0x7ffff5df3a40)
>>     at ArgusModeler.c:1675
>> #3  0x000000000040e17b in ArgusPppPacket (user=0x7ffff5e76010 "", h=0x7ffff5df3b30,
>>     p=0x66ad40 "\377\003") at ArgusSource.c:3229
>> #4  0x00007ffff7bb8b71 in ?? () from /usr/lib/x86_64-linux-gnu/libpcap.so.0.8
>> #5  0x00000000004138a4 in ArgusGetPackets (arg=0x7ffff5e76010) at ArgusSource.c:4113
>> #6  0x00007ffff7986182 in start_thread (arg=0x7ffff5df4700) at pthread_create.c:312
>> #7  0x00007ffff719430d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
>>
>>
>> --
>> Best Regards,
>>
>> CS Lee<geek00L[at]gmail.com>
>>
>> http://geek00l.blogspot.com
>> http://defcraft.com.my
>>
>>
>
>
> --
> Best Regards,
>
> CS Lee<geek00L[at]gmail.com>
>
> http://geek00l.blogspot.com
> http://defcraft.net
>
>


-- 
Best Regards,

CS Lee<geek00L[at]gmail.com>

http://geek00l.blogspot.com
http://defcraft.net
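
Added example, not part of the original thread and not Argus source code: the backtrace above ends with `ip=0x0` being dereferenced while handling a PPP frame that starts with `FF03 0021`. The C sketch below shows PPP decapsulation that validates the frame before any IPv4 header field is read; `ppp_ipv4_payload` and `sample_frame` are hypothetical names, and the frame bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>

#define PPP_ADDRESS  0xFF   /* HDLC all-stations address */
#define PPP_CONTROL  0x03   /* HDLC unnumbered information */
#define PPP_PROTO_IP 0x0021 /* PPP protocol number for IPv4 */

/* Constructed sample: FF03 0021 followed by a minimal 20-byte IPv4 header. */
static const uint8_t sample_frame[] = {
    0xFF, 0x03, 0x00, 0x21,
    0x45, 0x00, 0x00, 0x14, 0, 0, 0, 0, 0x40, 0x11, 0, 0,
    10, 0, 0, 1, 10, 0, 0, 2 };

/* Hypothetical helper: returns a pointer to the IPv4 header inside a PPP
 * frame and stores the remaining length in *iplen. Returns NULL when the
 * frame is short, is not IPv4, or carries an invalid IPv4 header, so the
 * caller must check the result before reading any header field. */
const uint8_t *ppp_ipv4_payload(const uint8_t *p, size_t caplen, size_t *iplen)
{
    size_t off = 0;
    uint16_t proto;

    if (p == NULL || iplen == NULL)
        return NULL;
    /* Address/control bytes are optional (they may be compressed away). */
    if (caplen >= 2 && p[0] == PPP_ADDRESS && p[1] == PPP_CONTROL)
        off = 2;
    if (caplen < off + 1)
        return NULL;
    /* Protocol field: one byte if its low bit is set (compressed), else two. */
    if (p[off] & 0x01) {
        proto = p[off];
        off += 1;
    } else {
        if (caplen < off + 2)
            return NULL;
        proto = (uint16_t)((p[off] << 8) | p[off + 1]);
        off += 2;
    }
    if (proto != PPP_PROTO_IP || caplen < off + 20)
        return NULL;   /* not IPv4, or no room for a minimal IPv4 header */
    const uint8_t *ip = p + off;
    size_t hlen = (size_t)(ip[0] & 0x0F) << 2;   /* IHL in bytes */
    if ((ip[0] >> 4) != 4 || hlen < 20 || hlen > caplen - off)
        return NULL;
    *iplen = caplen - off;
    return ip;
}
```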