Lei Wei | 1 Feb 01:47

Re: argus crash problem

Hey Carter,

I ran argus again without the -D option and it finally core dumped. The 
argus.core is about 350mb. Any comments on what we could do about this?

Thanks.
Lei

Quoting Carter Bullard <carter <at> qosient.com>:

> Hey Lei,
> You should print both spkts and dpkts, so you can see if you're
> getting full-duplex flow monitoring.  Running with debug information is
> probably not going to shed any light on the problem you ran into.  Run
> without the option to see how argus performs on your system.  Depending on
> the type of dag card, you could saturate the BUS around 2Gbps.  If you have
> the PCI express cards, you still may not get 10Gbps, depending on the
> motherboard you are using.
>
> Just run without the "-D" option for a while to see if you get the bug
> again.  Also try modifying the flow model using the /etc/argus.conf file to
> see if you can get the cpu utilization down.
>
> Carter
>
>
> On Jan 30, 2008, at 5:25 PM, Lei Wei wrote:
>
>> You are right. I took a look at the flow. I could see some full tcp  
(Continue reading)

Carter Bullard | 1 Feb 04:11

Re: argus crash problem

If you compiled argus with the correct options, you can
run gdb() against the binary and the core file and it will
tell you what the problem was.

What happens when you run:
    gdb argus argus.core

?

Carter

On Jan 31, 2008, at 7:47 PM, Lei Wei wrote:

> Hey Carter,
>
> I ran argus again without the -D option and it finally core dumped.  
> The argus.core is about 350mb. Any comments on what we could do  
> about this?
>
> Thanks.
> Lei
>
>
> Quoting Carter Bullard <carter <at> qosient.com>:
>
>> Hey Lei,
>> You should print both spkts and dpkts, so you can see if you're
>> getting full-duplex flow monitoring.  Running with debug information is
>> probably not going to
(Continue reading)

Carter Bullard | 1 Feb 04:28

Re: Compile Argus in cygwin

Hmmmmm, that's odd.  Try this patch, and see if you don't get something.
It will only print out the list if it has not been configured for any
kind of device, so be sure you don't have a /etc/argus.conf file with an
interface specified.

==== //depot/argus/argus/argus/ArgusSource.c#30 - /home/carter/argus/ 
argus/argus/ArgusSource.c ====
190c190
<          return;
---
 >          exit(1);
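Review bot: at ArgusSource.c line 190 the `return;` becomes `exit(1);`, so the branch that prints the device list when no interface is configured now terminates argus with a non-zero status instead of returning to its caller. For the one-off diagnostic run asked for here that is fine, but if the change were kept, a message on stderr saying why argus exited would be needed, since a bare `exit(1)` right after a listing is hard to tell apart from a crash.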

You can compile argus so that you can run it under gdb() and let it
tell you what is going on.

    % touch .devel .debug
    % ./configure;make clean;make
    % gdb bin/argus

    gdb) run

Carter

On Jan 31, 2008, at 5:15 PM, Ellis Lam wrote:

>
> Hi Carter,
>
> Yes, it compiled. But when I run the program, it doesn't display the
(Continue reading)

Mathew Brown | 1 Feb 05:32

Argus Documentation

Hi,
  Looking over the archives, I ran into a thread on Argus Documentation
  that was started a few months ago -
  https://lists.andrew.cmu.edu/mailman/private/argus-info/2007-October/001975.html
  and was wondering if any steps had been taken in this direction.  As
  CS Lee said: "As argus 3 introduces lots of new client tools, getting
  them explained using simple example can give everyone good kickstart
  instead of looking at the tool and trying to figure how to use them." 
  Being a newcomer to Argus, I totally agree.  Have any steps been taken
  in this direction?  Thanks.
-- 
  Mathew Brown
  mathewbrown <at> fastmail.fm


Mathew Brown | 1 Feb 06:05

ARGUSBug - Argus Seg Faults When Analyzing Wireless PCAP File

>Description:
	
Argus Seg Faults When Analyzing Wireless PCAP File

I ran into a pcap file when reading the article: "Wireless Forensics:
Tapping the Air - Part Two" -
http://www.securityfocus.com/print/infocus/1885.  The actual pcap file
can be downloaded directly from here:
http://www.raulsiles.com/downloads/VoIP_roaming_session.zip  After
unzipping, running:

argus -r merged_voip_roaming_session.pcap -w
merged_voip_roaming_session.pcap.argus

would give me the error:

Segmentation Fault

>How-To-Repeat:

   See Description

>Fix:

   None that I know of.

>Submitter-Id:  None
>Originator:    mathewbrown <at> fastmail.fm
>Organization:	None
>ARGUS support: none
(Continue reading)

Lei Wei | 1 Feb 05:48

Re: argus crash problem

Hi Carter,

Here's after I run gdb on the core dump file:

GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd"...
Core was generated by `argus'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/lib/libwrap.so.3...done.
Loaded symbols for /usr/lib/libwrap.so.3
Reading symbols from /lib/libm.so.3...done.
Loaded symbols for /lib/libm.so.3
Reading symbols from /lib/libc.so.5...done.
Loaded symbols for /lib/libc.so.5
Reading symbols from /libexec/ld-elf.so.1...done.
Loaded symbols for /libexec/ld-elf.so.1
#0  0x0804e0a1 in ArgusProcessGreHdr (model=0x816f000, ip=0x2ccef828,   
  length=41) at ArgusModeler.c:694
694                    af = EXTRACT_16BITS(bp);
(gdb)

Thanks.
Lei

Quoting Carter Bullard <carter <at> qosient.com>:
(Continue reading)

mel | 1 Feb 15:49

Re: Argus Documentation

Mathew Brown wrote:
> Hi,
>   Looking over the archives, I ran into a thread on Argus Documentation
>   that was started a few months ago -
>   https://lists.andrew.cmu.edu/mailman/private/argus-info/2007-October/001975.html
>   and was wondering if any steps had been taken in this direction.  As
>   CS Lee said: "As argus 3 introduces lots of new client tools, getting
>   them explained using simple example can give everyone good kickstart
>   instead of looking at the tool and trying to figure how to use them." 
>   Being a newcomer to Argus, I totally agree.  Have any steps been taken
>   in this direction?  Thanks.

I think a wiki-style documentation will be great, where the Argus user 
community can contribute. Not to step on Carter's shoes here, but I 
think he has enough on his plates at the moment.

What do you guys think? I can host it over at http://security.org.my

Cheers,

--mel

Carter Bullard | 1 Feb 17:35

Re: argus crash problem

Hey Lei,
So, type this in gdb()>

    (gdb) where
    (gdb) print bp
    (gdb) print grelen
    (gdb) print flags
    (gdb) print model->ArgusSnapLength
    (gdb) print model->ArgusThisLength

That will help a lot.
Carter

On Jan 31, 2008, at 11:48 PM, Lei Wei wrote:

> Hi Carter,
>
> Here's after I run gdb on the core dump file:
>
> GNU gdb 6.1.1 [FreeBSD]
> Copyright 2004 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and  
> you are
> welcome to change it and/or distribute copies of it under certain  
> conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB.  Type "show warranty" for  
> details.
> This GDB was configured as "i386-marcel-freebsd"...
> Core was generated by `argus'.
(Continue reading)

Carter Bullard | 1 Feb 19:17

Re: argus crash problem

Well, all the routines are saying that the packet data the dag
card is providing is "out of bounds".
Do this:

    (gdb) x/12x ip

And see what that does.

Carter

On Feb 1, 2008, at 12:01 PM, Lei Wei wrote:

> Hi Carter,
>
> Here's the result:
>
> (gdb) where
> #0  0x0804e0a1 in ArgusProcessGreHdr (model=0x816f000, ip=0x2ccef828, length=41) at ArgusModeler.c:694
> #1  0x0804dee4 in ArgusProcessPacketHdrs (model=0x816f000, p=0x2ccef828 <Address 0x2ccef828 out of bounds>, length=61, type=2048) at ArgusModeler.c:606
> #2  0x0804f041 in ArgusProcessPacket (src=0x81b2000, p=0x2ccef81a <Address 0x2ccef81a out of bounds>, length=75, tvp=0x82073d0, type=2048) at ArgusModeler.c:1220
> #3  0x08056622 in ArgusEtherPacket (user=0x81b2000 "", h=0x82073d0, p=0x2ccef81a <Address 0x2ccef81a out of bounds>) at ArgusSource.c:700
> #4  0x08058be5 in ArgusGetPackets (src=0x81b2000) at ArgusSource.c:1834
(Continue reading)
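Lei's backtrace shows the fault at `af = EXTRACT_16BITS(bp)` inside GRE header processing, with gdb reporting the packet pointer as out of bounds, and Carter's reading is that the bytes being handed to the parser lie outside the captured buffer. As an added example (this is not argus's code and not Carter's patch; the `parse_gre` function, the `gre_hdr` struct, the two `demo_*` helpers and the sample bytes are all constructed here, while the flag bit values are the RFC 2784 / RFC 2890 ones), the C below shows the defensive shape such a parser needs: compute the full header length from the flags first, compare it against the bytes actually captured, and only then extract the optional fields.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* GRE flag bits in the first 16-bit word (RFC 2784 / RFC 2890). */
#define GRE_CSUM    0x8000u
#define GRE_ROUTING 0x4000u
#define GRE_KEY     0x2000u
#define GRE_SEQ     0x1000u

/* Result of a successful parse; 'consumed' is the header length in bytes. */
struct gre_hdr {
    uint16_t flags;
    uint16_t proto;     /* encapsulated EtherType, e.g. 0x0800 for IPv4 */
    uint32_t key;       /* 0 when the K bit is clear */
    uint32_t seq;       /* 0 when the S bit is clear */
    size_t   consumed;
};

/* Big-endian extractors. Each reads exactly 2 or 4 bytes; the caller is
 * responsible for having checked that those bytes exist. */
static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)(((unsigned)p[0] << 8) | p[1]);
}

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Parse a GRE header at 'bp' when only 'avail' bytes of it were captured.
 * 'avail' must be the smaller of the snap length and the length the outer
 * IP header claims, so a truncated capture or a short outer length is
 * refused instead of read past. Returns 0 on success, -1 if the header
 * (including the optional fields its flags announce) does not fit. */
int parse_gre(const uint8_t *bp, size_t avail, struct gre_hdr *out)
{
    size_t need = 4;                       /* flags/version + protocol */
    if (bp == NULL || out == NULL || avail < need)
        return -1;

    uint16_t flags = be16(bp);
    /* Work out the full header length from the flags before touching
     * any optional field. */
    if (flags & (GRE_CSUM | GRE_ROUTING)) need += 4;  /* checksum + offset */
    if (flags & GRE_KEY)                  need += 4;
    if (flags & GRE_SEQ)                  need += 4;
    if (avail < need)
        return -1;                         /* the flags promise bytes we never got */

    const uint8_t *p = bp + 4;
    if (flags & (GRE_CSUM | GRE_ROUTING))
        p += 4;                            /* checksum/offset not needed here */
    out->flags = flags;
    out->proto = be16(bp + 2);
    out->key = 0;
    out->seq = 0;
    if (flags & GRE_KEY) { out->key = be32(p); p += 4; }
    if (flags & GRE_SEQ) { out->seq = be32(p); }
    out->consumed = need;
    return 0;
}

/* Constructed sample: GRE with K and S set (flags 0x3000), inner protocol
 * IPv4 (0x0800), key 1, sequence 42, followed by the start of an IPv4 header. */
static const uint8_t GRE_KS[] = {
    0x30, 0x00, 0x08, 0x00,
    0x00, 0x00, 0x00, 0x01,
    0x00, 0x00, 0x00, 0x2a,
    0x45, 0x00
};

/* Whole sample available: returns the 12 header bytes consumed. */
long demo_full(void)
{
    struct gre_hdr h;
    if (parse_gre(GRE_KS, sizeof GRE_KS, &h) != 0)
        return -1;
    return (long)h.consumed;
}

/* Same bytes, but pretend the capture stopped after 8 bytes (the key is
 * there, the sequence number is not): the parser must refuse with -1. */
int demo_truncated(void)
{
    struct gre_hdr h;
    return parse_gre(GRE_KS, 8, &h);
}

int main(void)
{
    struct gre_hdr h;
    if (parse_gre(GRE_KS, sizeof GRE_KS, &h) == 0)
        printf("full: proto=0x%04x key=%u seq=%u hdrlen=%zu\n",
               h.proto, (unsigned)h.key, (unsigned)h.seq, h.consumed);
    printf("truncated to 8 bytes: %s\n",
           demo_truncated() == 0 ? "parsed (bad)" : "refused (good)");
    return 0;
}
```

The point of the `need` computation is that a GRE header's length is not known until the flags are read, so the length check has to happen twice: once for the fixed four bytes and once more after the flags say which optional words follow. Passing the real remaining length (snaplen or outer length, whichever is smaller) as `avail` is what keeps a short capture from turning into a read past the buffer of the kind the backtrace above reports.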

Carter Bullard | 1 Feb 18:14

Re: Argus Documentation

We already have a wiki site on vorant, but little contributed.

    http://www.vorant.com/nsmwiki/index.php?title=Argus

I started to write a bunch a few months ago, but somehow I lost
the pages of stuff I had written because of interface failure, and
I haven't been back since.

The web hosting service that serves up the argus home pages
is offering 'movable type 4' software pretty cheap which I could run
as an "official" argus blog, but I have no experience doing that.

Carter

On Feb 1, 2008, at 9:49 AM, mel wrote:

> Mathew Brown wrote:
>> Hi,
>>   Looking over the archives, I ran into a thread on Argus Documentation
>>   that was started a few months ago -
>>   https://lists.andrew.cmu.edu/mailman/private/argus-info/2007-October/001975.html
>>   and was wondering if any steps had been taken in this direction.  As
>>   CS Lee said: "As argus 3 introduces lots of new client tools, getting
>>   them explained using simple example can give everyone good kickstart
>>   instead of looking at the tool and trying to figure how to use them."
>>   Being a newcomer to Argus, I totally agree.  Have any steps been taken
>>   in this direction?  Thanks.
(Continue reading)
