argus ppp traffic

Carter Bullard carter at qosient.com
Sat Apr 26 14:46:09 EDT 2014


Hey CS Lee,
So I couldn’t remember my pcapr.net password, and so I had to reset it,
but no joy, I haven’t received any email with the reset password in
2 days now.

Can you send me a copy of the file ??

Carter

On Apr 25, 2014, at 8:52 AM, CS Lee <geek00l at gmail.com> wrote:

> hi Carter,
> 
> Not too sure, I have examined it via wireshark just now and it seems to be valid ppp packets.
> 
> 
> On Fri, Apr 25, 2014 at 8:50 PM, Carter Bullard <carter at qosient.com> wrote:
> OK, I'll grab the file and take a look.  Maybe a truncated packet...definitely a bug !!
> Carter
> 
> On Apr 25, 2014, at 5:47 AM, CS Lee <geek00l at gmail.com> wrote:
> 
>> hi Carter,
>> 
>> Same, I have tested both and the segfault happens.
>> 
>> 
>> On Fri, Apr 25, 2014 at 8:46 PM, Carter Bullard <carter at qosient.com> wrote:
>> Hey CS Lee,
>> If you turn TD off, does it get better ???
>> Carter
>> 
>> Carter Bullard, QoSient, LLC
>> 150 E. 57th Street Suite 12D
>> New York, New York 10022
>> +1 212 588-9133 Phone
>> +1 212 588-9134 Fax
>> 
>> On Apr 24, 2014, at 6:49 PM, CS Lee <geek00l at gmail.com> wrote:
>> 
>>> hi Carter, 
>>> 
>>> Yes, I have enabled tunnel discovery in argus.conf but it still segfaults; I tried it with another dump and it seems to work. For this Teredo.pcap, the header started with
>>> 
>>> FF03 0021, and that should be IPv4 over PPP.
>>> 
>>> 
>>> On Fri, Apr 25, 2014 at 9:16 AM, Carter Bullard <carter at qosient.com> wrote:
>>> Hey CS Lee,
>>> do you have tunnel discovery on in your argus.conf file ???
>>> the file name suggests that it's Teredo, which we will try to parse if that option is " yes ".
>>> Carter
>>> 
>>> On Apr 24, 2014, at 4:17 PM, CS Lee <geek00l at gmail.com> wrote:
>>> 
>>>> hi Carter,
>>>> 
>>>> I downloaded the pcap from pcapr.net - 
>>>> 
>>>> http://www.pcapr.net/view/tyson.key/2009/9/3/13/Teredo.pcap.html
>>>> 
>>>> And I ran into a segfault when converting the packets into flows; it seems to be PPP-encapsulated traffic -
>>>> 
>>>> gdb /usr/local/stow/argus-3.0.7.5-debug/sbin/argus 
>>>> GNU gdb (Ubuntu 7.7-0ubuntu3) 7.7
>>>> Copyright (C) 2014 Free Software Foundation, Inc.
>>>> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
>>>> This is free software: you are free to change and redistribute it.
>>>> There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
>>>> and "show warranty" for details.
>>>> This GDB was configured as "x86_64-linux-gnu".
>>>> Type "show configuration" for configuration details.
>>>> For bug reporting instructions, please see:
>>>> <http://www.gnu.org/software/gdb/bugs/>.
>>>> Find the GDB manual and other documentation resources online at:
>>>> <http://www.gnu.org/software/gdb/documentation/>.
>>>> For help, type "help".
>>>> Type "apropos word" to search for commands related to "word"...
>>>> Reading symbols from /usr/local/stow/argus-3.0.7.5-debug/sbin/argus...done.
>>>> (gdb) run -r Teredo.pcap -w Teredo.arg3
>>>> Starting program: /usr/local/stow/argus-3.0.7.5-debug/sbin/argus -r Teredo.pcap -w Teredo.arg3
>>>> [Thread debugging using libthread_db enabled]
>>>> Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
>>>> [New Thread 0x7ffff6a81700 (LWP 22830)]
>>>> [New Thread 0x7ffff5df4700 (LWP 22831)]
>>>> 
>>>> Program received signal SIGSEGV, Segmentation fault.
>>>> [Switching to Thread 0x7ffff5df4700 (LWP 22831)]
>>>> ArgusCreateIPv4Flow (model=model at entry=0x7ffff7e0f010, ip=0x0) at ArgusModeler.c:4076
>>>> 4076       unsigned char *nxtHdr = (unsigned char *)((char *)ip + (ip->ip_hl << 2));
>>>> (gdb) where
>>>> #0  ArgusCreateIPv4Flow (model=model at entry=0x7ffff7e0f010, ip=0x0) at ArgusModeler.c:4076
>>>> #1  0x000000000040cac1 in ArgusCreateFlow (model=model at entry=0x7ffff7e0f010, 
>>>>     ptr=ptr at entry=0x66ad44, length=length at entry=89) at ArgusModeler.c:1861
>>>> #2  0x000000000040d3bd in ArgusProcessIpPacket (model=0x7ffff7e0f010, 
>>>>     ip=ip at entry=0x66ad44, length=length at entry=89, tvp=tvp at entry=0x7ffff5df3a40)
>>>>     at ArgusModeler.c:1675
>>>> #3  0x000000000040e17b in ArgusPppPacket (user=0x7ffff5e76010 "", h=0x7ffff5df3b30, 
>>>>     p=0x66ad40 "\377\003") at ArgusSource.c:3229
>>>> #4  0x00007ffff7bb8b71 in ?? () from /usr/lib/x86_64-linux-gnu/libpcap.so.0.8
>>>> #5  0x00000000004138a4 in ArgusGetPackets (arg=0x7ffff5e76010) at ArgusSource.c:4113
>>>> #6  0x00007ffff7986182 in start_thread (arg=0x7ffff5df4700) at pthread_create.c:312
>>>> #7  0x00007ffff719430d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
>>>> 
>>>> 
>>>> -- 
>>>> Best Regards,
>>>> 
>>>> CS Lee<geek00L[at]gmail.com>
>>>> 
>>>> http://geek00l.blogspot.com
>>>> http://defcraft.com.my
>>> 
>> 
> 
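The backtrace above shows ArgusCreateIPv4Flow dereferencing ip == NULL for a frame that begins FF 03 00 21. As an added example that is not argus source, the following C sketch decapsulates HDLC-framed PPP with length checks and makes sure a NULL or undersized IPv4 header never reaches the flow builder; the function names, the constructed frames and the IPv6 protocol number 0x0057 are mine, not from the thread.

```c
/* Constructed example, not argus source: decapsulate HDLC-framed PPP and hand
 * the flow builder only a non-NULL, length-checked IPv4 header. */
#include <stddef.h>
#include <stdint.h>

#define PPP_ADDR 0xFF    /* HDLC all-stations address */
#define PPP_CTRL 0x03    /* HDLC unnumbered information */
#define PPP_IPV4 0x0021  /* PPP protocol number for IPv4 */
/* IPv4 header after the 4-byte PPP header, or NULL if the frame is too short,
 * not FF 03 framed, or not IPv4. Assumes an uncompressed 2-byte protocol
 * field, as in the FF03 0021 capture discussed in the thread. */
const uint8_t *ppp_ipv4_payload(const uint8_t *p, size_t len, size_t *iplen)
{
    if (p == NULL || len < 4 || p[0] != PPP_ADDR || p[1] != PPP_CTRL)
        return NULL;
    if (((p[2] << 8) | p[3]) != PPP_IPV4 || len - 4 < 20)
        return NULL;                   /* wrong protocol or no room for IPv4 */
    *iplen = len - 4;
    return p + 4;
}

/* Flow-builder stand-in. The crash in the report computed ip + (ip_hl << 2)
 * with ip == NULL; here pointer, version and IHL are checked first.
 * Returns the header length in bytes, or -1 if the header is unusable. */
int build_ipv4_flow(const uint8_t *ip, size_t len)
{
    if (ip == NULL)
        return -1;
    size_t hl = (size_t)(ip[0] & 0x0F) << 2;
    if ((ip[0] >> 4) != 4 || hl < 20 || hl > len)
        return -1;
    const uint8_t *nxtHdr = ip + hl;   /* now provably inside the buffer */
    return (int)(nxtHdr - ip);
}

/* Handler: a NULL from the decapsulator never reaches the flow builder. */
int handle_ppp_frame(const uint8_t *p, size_t len)
{
    size_t iplen = 0;
    const uint8_t *ip = ppp_ipv4_payload(p, len, &iplen);
    return ip ? build_ipv4_flow(ip, iplen) : -1;
}
/* Constructed frames: valid IPv4 over PPP (IHL=5), a truncated frame with
 * nothing after the PPP header, and an IPv6 frame (protocol 0x0057). */
static const uint8_t frame_ok[24] = {0xFF,0x03,0x00,0x21, 0x45,0x00,0x00,0x14};
static const uint8_t frame_cut[4] = {0xFF,0x03,0x00,0x21};
static const uint8_t frame_v6[44] = {0xFF,0x03,0x00,0x57, 0x60};
int demo_ok(void)  { return handle_ppp_frame(frame_ok,  sizeof frame_ok);  }
int demo_cut(void) { return handle_ppp_frame(frame_cut, sizeof frame_cut); }
int demo_v6(void)  { return handle_ppp_frame(frame_v6,  sizeof frame_v6);  }
```

The truncated frame models the "truncated packet" hypothesis from the thread: the decapsulator rejects it up front instead of passing a bad pointer downstream.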
