[ARGUS] argus 5 ethernet parse error
Carter Bullard
carter at qosient.com
Thu Oct 17 21:17:24 EDT 2024
Hey Ming,
I'll look into it tomorrow!!
Carter
> On Oct 17, 2024, at 9:15 PM, Ming Fu via Argus-info <argus-info at lists.andrew.cmu.edu> wrote:
>
> Hi,
>
> I noticed that argus 5.0.0 can crash with an odd Ethernet header.
> I tried the argus from the head of the repo as of today, and the code crashes at the same location.
>
> (gdb) where
> #0 0x000055555556baad in ArgusCreateIPv4Flow ()
> #1 0x000055555556c6bd in ArgusCreateFlow ()
> #2 0x000055555556c985 in ArgusProcessPacket ()
> #3 0x0000555555570c64 in ArgusEtherPacket ()
> #4 0x00007ffff7f7cb95 in ?? () from /lib/x86_64-linux-gnu/libpcap.so.0.8
> #5 0x00007ffff7f7d004 in ?? () from /lib/x86_64-linux-gnu/libpcap.so.0.8
> #6 0x00005555555752cd in ArgusGetPackets ()
> #7 0x00007ffff7f56609 in start_thread (arg=<optimized out>) at pthread_create.c:477
> #8 0x00007ffff7d04353 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
>
> Looks like the odd ether type caused argus to not fill in the IP address when calling into ArgusCreateIPv4Flow()
>
> I attached a small pcap file; the second packet is the one that can crash argus. It has an ether type of 0x0056 rather than the usual 0x8000.
>
> Regards,
> Ming
>
> <twopacket.pcap>
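
Added example, not part of the thread and not Argus code: a type/length field of 0x0056 is at most 1500, which IEEE 802.3 defines as a frame length rather than an EtherType, so a defensive parser classifies the field and bounds-checks the IPv4 header before any flow code reads addresses. The function, enum names and the sample frame are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not Argus source; every name here is hypothetical. */
enum frame_kind {
    FRAME_TRUNCATED,   /* fewer than 14 bytes captured */
    FRAME_8023_LENGTH, /* field <= 1500: IEEE 802.3 length, not a type */
    FRAME_RESERVED,    /* 1501..1535: undefined by IEEE 802.3 */
    FRAME_IPV4,        /* EtherType 0x0800 with a complete IPv4 header */
    FRAME_IPV4_BAD,    /* EtherType 0x0800, header invalid or cut off */
    FRAME_OTHER        /* any other EtherType */
};

#define ETH_HDR_LEN 14u

enum frame_kind classify_frame(const uint8_t *buf, size_t caplen)
{
    if (buf == NULL || caplen < ETH_HDR_LEN)
        return FRAME_TRUNCATED;

    /* The type/length field is big-endian at offset 12. */
    uint16_t tl = (uint16_t)((buf[12] << 8) | buf[13]);
    if (tl <= 1500)
        return FRAME_8023_LENGTH;
    if (tl < 0x0600)
        return FRAME_RESERVED;
    if (tl != 0x0800)
        return FRAME_OTHER;

    /* Only now look at the payload, and only within captured bytes. */
    const uint8_t *ip = buf + ETH_HDR_LEN;
    size_t iplen = caplen - ETH_HDR_LEN;
    if (iplen < 20)
        return FRAME_IPV4_BAD;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || ihl > iplen)
        return FRAME_IPV4_BAD;
    return FRAME_IPV4;
}

int main(void)
{
    /* Constructed frame: zeroed addresses, type/length field 0x0056. */
    uint8_t frame[60] = {0};
    frame[13] = 0x56;
    printf("kind=%d\n", classify_frame(frame, sizeof frame));
    return 0;
}
```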