Jochen Haemmerle | 4 Jul 23:34

no smac and dmac with ubuntu

Hi,

I discovered a strange problem with argus and ubuntu (7.10 and 8.04).
I use argus to create an "argus.dump" file

argus -r pcapfile -w argus.dump

If I then use ra to show saddr, smac, daddr and dmac, it only shows saddr
and daddr and reports that the smac and dmac are empty.

ra -M xml -r argus.dump

Here comes the strange thing. If I create the argus.dump file with my
Debian (unstable) machine then ra displays everything as expected.
Therefore I guess there's something wrong with my argus binary, but what?

I use argus-3.0.0 build from source using the libpcap and the other
dependencies from the package management (libpcap 0.9.8).

Is there anything wrong with ubuntu?

regards
Jochen

Peter Van Epp | 4 Jul 23:56

Re: no smac and dmac with ubuntu

On Fri, Jul 04, 2008 at 11:34:27PM +0200, Jochen Haemmerle wrote:
> Hi,
> 
> I discovered a strange problem with argus and ubuntu (7.10 and 8.04).
> I use argus to create an "argus.dump" file
> 
> argus -r pcapfile -w argus.dump
> 
> If I then use ra to show saddr, smac, daddr and dmac, it only shows saddr
> and daddr and reports that the smac and dmac are empty.
> 
> ra -M xml -r argus.dump
> 
> Here comes the strange thing. If I create the argus.dump file with my
> Debian (unstable) machine then ra displays everything as expected.
> Therefore I guess there's something wrong with my argus binary, but what?
> 
> I use argus-3.0.0 build from source using the libpcap and the other
> dependencies from the package management (libpcap 0.9.8).
> 
> Is there anything wrong with ubuntu?
> 
> regards
> Jochen

	Nope, working as designed. You need to add the -m flag to the argus
instance (or enable macs in the config file). By default MAC information isn't
captured ... (been there, been bitten by this :-)). 

Peter Van Epp / Operations and Technical Support 

Carter Bullard | 5 Jul 17:32

-S option

Hey Barry,
Lets keep these exchanges on the list, as it can help many and gets into the archive.
OK, the "-S argusSource" option assumes that there is an argus or radium 
running on the designated machine, and because there is no port specified, it
will use port 561, the default "experimental monitor" port.

So make sure there is an argus running on the machines you're interested in,
and make sure that they are using the default port number.  If they are not
configured to use the default port, then you will need to specify their port.

   ra -S host:port

Usually this means that you are interested in real-time flow data, and connecting to
either argus or radium will give you a constant stream of data, as it is being generated.
When argus and radium are used to play back historical data in a simulation
style of playback (using the "-M realtime" option, and given a data source
from a file or set of files), you can still attach to either of them using this method.

If you want to read argus data from files, using ra(), you can only read them from
your local filesystem.  Of course, the files can be local or remote, depending on
how your host filesystem is configured, but the filesystem is providing the remote
access.

If you have an argus archive, radium() provides a method for you to access
the data.  If radium() is running on the archive machine you can simply provide
the pathname to the -S option, and get radium() to fetch the file for you.

Let's assume that radium() is running on host "host", using port 12345 (so you don't
have to be root to provide this port access), and the archive is at /path/to/the/argus/data

   host%  radium -XP 12345 -d

Then on another host, you can read argus data files this way:

   host2%  ra -S host:12345/path/to/the/argus/data/file

The difference between this and say scp() or ftp() or some other file transfer
method, is that radium() guarantees that the only data that it will transfer is
argus data. (it parses the file as argus data, and resends it only as argus data).
Because radium() can be chroot'd and it can also provide strong authentication
and encryption for transport of data on the wire, you can build a secure archive
that no-one can get to except through the radium() interface, so you can audit
who gets what argus data.

I know this is more than you were expecting, but always nice to get this stuff
into the mail archive.

If I missed something, please send more mail.

Carter



On Jul 5, 2008, at 10:47 AM, Barry Kolts wrote:

Hi Carter,
 
Thanks for your response, rasplit() is just what I need for several things on the to-do list. I do have one question though. I understand I should be able to use rasplit() as the data comes in and that the "-S" will allow me to get data from a remote machine. I also gather I can use "-S" to get data from the local machine from some of the posts I see on the mailing list, wikis, other posts and blogs. However, I don't seem to be doing it right. If I use "-S localhost" I get "connection refused" and if I use "-S <local machine IP>" I get "connection failed". What am I doing wrong, or what other information do you need to help me?
 
Thanks for your time,
Barry
----- Original Message -----
Sent: Monday, June 30, 2008 9:17 AM
Subject: Re: [ARGUS] -t Option in Racluster

Hey Barry,
The way that I do this is to use rasplit() to put data as it comes in, into a data
archive that is based on year/month/day, and then use cron to fire up a report
generator on the first day of the month.

   rasplit -S argusSource -M time 5m -w /archivePath/%Y/%m/%d/argus.%Y.%m.%d.%H.%M.%S

The data from my argus source would be written into this file, right now,
as /path/2008/06/30/argus.2008.06.30.09.55.00 and starting at 10am it would start
writing data into /path/2008/06/30/argus.2008.06.30.10.00.00.

When it's time to generate a report, you can just run a program like ra() to feed data
into your report generator (assuming it likes ascii input):

   ra -R /path/2008/06 | reportScript

This is not the most efficient way, but it highlights how you can build a repository that
fits your reporting strategy and how ra* programs can work off of whole repositories
at a time. 

Racluster will have some problems processing a whole months worth of data at a time
if you are a university, but for a small workgroup, a month is usually no problem.
However, you can usually generate daily intermediate reports, and if you do it right,
racluster only needs to process the daily intermediates to generate weekly and monthly
report data.

But to get to your specific question,  the time filter can be specific, wildcarded etc..... in
a lot of ways.

If you want to go back to the beginning of the previous month (because -1M goes to the
beginning of the current month):
   racluster -t -2M+1M

It's the same algorithm as
   racluster -t -2d+1d

Wildcards like this may be more useful:
   racluster -t 2008/06

which should match any records that fall into June, of 2008.

I didn't put in 'w'eeks, as that seems confusing for some people (which week?),
but filters like "-21w+10s" are useful in that they give you the first 10 seconds
of some week (hard to know which one).  But it's easy to put it in.

Carter

On Jun 27, 2008, at 11:36 PM, Barry Kolts wrote:

Hi,
 
Using Racluster I would like to specify last month for the -t option. I have tried -t -1M but that gives me the current month. Since my data is less than a month old it is difficult for me to play around with -t. I wouldn't know if I got it right because I don't have data that old. My goal is to produce reports on the first of the month for the previous month automatically. Something like -t -1M would make life simple but if it isn't possible I can build the command from a script.
 
Thanks in advance for any help,
Barry
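
The -S source spec, the rasplit archive layout and the -t time filters described in the mails above, as an added example that is not part of Carter's mail or of the argus code base. It models the rules exactly as the mails state them (the default port 561; 5-minute bins written to a %Y/%m/%d template; -1M reaching back to the start of the current month and -2M+1M selecting the previous month); the parsing functions, the Monday-based week and the ISO-string inputs are this example's assumptions, not argus's own parser.

```python
# Added example, not argus code: a model of three conventions from the mail
# above (the -S source spec, the rasplit time-binned archive path, and the
# -t relative time filters).  The filter rules are this example's reading of
# the mail, not argus's own parser; weeks starting on Monday is an assumption.
import calendar
import re
from datetime import datetime, timedelta

DEFAULT_ARGUS_PORT = 561  # the "experimental monitor" port named in the mail


def _as_dt(x):
    """Accept either a datetime or an ISO-8601 string."""
    return datetime.fromisoformat(x) if isinstance(x, str) else x


def parse_source(spec):
    """Split a -S argument ('host', 'host:port' or 'host:port/path') into parts."""
    m = re.fullmatch(r"([^:/]+)(?::(\d+))?(/.*)?", spec)
    if not m:
        raise ValueError(f"bad -S spec {spec!r}")
    host, port, path = m.groups()
    return host, (int(port) if port else DEFAULT_ARGUS_PORT), path


def add_months(dt, n):
    """Shift dt by n months, clamping the day to the target month's length."""
    year, month0 = divmod(dt.year * 12 + dt.month - 1 + n, 12)
    month = month0 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def truncate(dt, unit):
    """Floor dt to the start of its unit: s, m, h, d, w (Monday), M or y."""
    if unit == "s":
        return dt.replace(microsecond=0)
    if unit == "m":
        return dt.replace(second=0, microsecond=0)
    if unit == "h":
        return dt.replace(minute=0, second=0, microsecond=0)
    day = dt.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "d":
        return day
    if unit == "w":
        return day - timedelta(days=day.weekday())
    if unit == "M":
        return day.replace(day=1)
    if unit == "y":
        return day.replace(month=1, day=1)
    raise ValueError(f"unknown unit {unit!r}")


def shift(dt, n, unit):
    """Move dt by n whole units (n may be negative)."""
    if unit in ("M", "y"):
        return add_months(dt, n if unit == "M" else 12 * n)
    secs = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}[unit]
    return dt + timedelta(seconds=n * secs)


_TOKEN = re.compile(r"([+-])(\d+)([smhdwMy])")


def relative_window(spec, now):
    """Resolve '-N<unit>[+M<unit>]' into a half-open (start, end) window.

    '-N<unit>' floors `now` to the unit and steps back N-1 further units, so
    -1M is the start of the current month and -2M the start of the previous
    one.  '+M<unit>' sets end = start + M units; without it, end = now.
    """
    now = _as_dt(now)
    tokens = _TOKEN.findall(spec)
    if (not tokens or len(tokens) > 2 or tokens[0][0] != "-"
            or "".join("".join(t) for t in tokens) != spec):
        raise ValueError(f"unsupported filter {spec!r}")
    _, count, unit = tokens[0]
    start = shift(truncate(now, unit), 1 - int(count), unit)
    if len(tokens) == 1:
        return start, now
    sign, count, unit = tokens[1]
    if sign != "+":
        raise ValueError(f"unsupported filter {spec!r}")
    return start, shift(start, int(count), unit)


def wildcard_window(spec):
    """Resolve 'YYYY', 'YYYY/MM' or 'YYYY/MM/DD' into its (start, end) window."""
    parts = [int(p) for p in spec.split("/")]
    unit = {1: "y", 2: "M", 3: "d"}[len(parts)]
    start = datetime(*(parts + [1] * (3 - len(parts))))
    return start, shift(start, 1, unit)


def rasplit_path(ts, template="/path/%Y/%m/%d/argus.%Y.%m.%d.%H.%M.%S",
                 bin_seconds=300):
    """Archive file a record stamped `ts` lands in under -M time 5m -w template."""
    ts = _as_dt(ts)
    into_day = ts.hour * 3600 + ts.minute * 60 + ts.second
    start = truncate(ts, "d") + timedelta(seconds=into_day - into_day % bin_seconds)
    return start.strftime(template)


if __name__ == "__main__":
    now = "2008-07-05T10:47:00"  # constructed "now": the date of Barry's mail
    for f in ("-1M", "-2M+1M", "-2d+1d", "-21w+10s"):
        print(f, *relative_window(f, now))
    print(rasplit_path("2008-06-30T09:57:13"))
```

With "now" set to the date of Barry's mail, `-2M+1M` resolves to June 2008, `-1M` to the first of July up to now (which is why Barry saw the current month), and a record stamped 09:57:13 on 30 June lands in the 09.55.00 file, as the mail describes.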



Will Metcalf | 7 Jul 17:07

segv in argus with latest pf_ring enabled libpcap

I updated to the latest version of pf_ring enabled libpcap, which
implements the ability to set a per process bucket len that is based
on caplen from libpcap.  When compiling Argus against this lib it
segv's after logging a couple of flows. Anybody have any ideas?
Regards,

Will

gdb /usr/sbin/argus core.4729
GNU gdb Red Hat Linux (6.5-37.el5_2.2rh)
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu"...Using host
libthread_db library "/lib/libthread_db.so.1".

warning: Can't read pathname for load map: Input/output error.
Reading symbols from /usr/lib/libpcap.so.0.9.7...done.
Loaded symbols for /usr/lib/libpcap.so.0.9.7
Reading symbols from /usr/lib/libpfring.so...done.
Loaded symbols for /usr/lib/libpfring.so
Reading symbols from /lib/libpthread.so.0...done.
Loaded symbols for /lib/libpthread.so.0
Reading symbols from /usr/lib/libwrap.so.0...done.
Loaded symbols for /usr/lib/libwrap.so.0
Reading symbols from /lib/libnsl.so.1...done.
Loaded symbols for /lib/libnsl.so.1
Reading symbols from /lib/libm.so.6...done.
Loaded symbols for /lib/libm.so.6
Reading symbols from /lib/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /lib/libnss_files.so.2...done.
Loaded symbols for /lib/libnss_files.so.2
Core was generated by `/usr/sbin/argus -d -J -w
/var/log/argusoutput.ra -i eth0'.
Program terminated with signal 11, Segmentation fault.
#0  ArgusCreateIPv4Flow (model=0x8bde008, ip=0x0) at ArgusModeler.c:3627
3627       unsigned char *nxtHdr = (unsigned char *)((char *)ip +
(ip->ip_hl << 2));
(gdb) bt full
#0  ArgusCreateIPv4Flow (model=0x8bde008, ip=0x0) at ArgusModeler.c:3627
       nxtHdr = <value optimized out>
       sport = <value optimized out>
       dport = <value optimized out>
       proto = <value optimized out>
       len = <value optimized out>
       hlen = <value optimized out>
       ArgusOptionLen = <value optimized out>
#1  0x08053273 in ArgusProcessPacket (src=0xb7ea8008, p=0x8bdf2f0
"������", length=251, tvp=0xbffd8344, type=-1) at ArgusModeler.c:1257
       tsbuf = {tv_sec = 1953653108, tv_nsec = -1073904964}
       tdiff = 4294967392
       rtdiff = <value optimized out>
       tvalue = <value optimized out>
       model = (struct ArgusModelerStruct *) 0x8bde008
       flow = <value optimized out>
       nflow = <value optimized out>
       ptr = 0x8bdf2f0 "������"
       value = 0
       retn = <value optimized out>
#2  0x080554de in ArgusEtherPacket (user=0xb7ea8008 "", h=0x8bdf2c4,
p=0x8bdf2f0 "������") at ArgusSource.c:716
       caplen = 96
       length = 251
       tvpbuf = {tv_sec = 1215442055, tv_usec = 648975}
       statbuf = {st_dev = 65522, __pad1 = 0, __st_ino = 0, st_mode =
0, st_nlink = 0, st_uid = 469434368, st_gid = 4327000, st_rdev =
18344976773382976, __pad2 = 2064, st_size = 4294967296,
 st_blksize = 107793408, st_blocks = 4147592, st_atim = {tv_sec = 0,
tv_nsec = -1073904808}, st_mtim = {tv_sec = 4003570, tv_nsec =
146665712}, st_ctim = {tv_sec = 1, tv_nsec = 4001120},
 st_ino = 13834360246576710476}
#3  0x08056f38 in ArgusGetPackets (src=0xb7ea8008) at ArgusSource.c:2139
       pkt_data = (const u_char *) 0x8bdf2f0 "������"
       pkts = 840
       cnt = 1
       header = (struct pcap_pkthdr *) 0x8bdf2c4
       retn = <value optimized out>
       ArgusReadMask = {__fds_bits = {0 <repeats 32 times>}}
       ArgusWriteMask = {__fds_bits = {0 <repeats 32 times>}}
       ArgusExceptMask = {__fds_bits = {0 <repeats 32 times>}}
       tmp = <value optimized out>
       i = 0
       width = 1
       noerror = 1
       fd = <value optimized out>
       found = 1
       up = 1
       notselectable = 0
       fds = {1, -1, -1, -1, -1}
       wait = {tv_sec = 0, tv_usec = 0}
#4  0x0804c422 in main (argc=7, argv=0xbffd8ab4) at argus.c:530
       eptr = 0x7 <Address 0x7 out of bounds>
       ptr = 0xb7f3c708 "�\aB"
       commandlinew = 1
       doconf = 0
       i = 7
       pid = <value optimized out>
       tmparg = <value optimized out>
       filter = <value optimized out>
---Type <return> to continue, or q <return> to quit---
       statbuf = {st_dev = 64768, __pad1 = 0, __st_ino = 43156691,
st_mode = 33188, st_nlink = 1, st_uid = 0, st_gid = 0, st_rdev = 0,
__pad2 = 0, st_size = 12807, st_blksize = 4096, st_blocks = 40,
 st_atim = {tv_sec = 1215441879, tv_nsec = 0}, st_mtim = {tv_sec =
1215122542, tv_nsec = 0}, st_ctim = {tv_sec = 1215122628, tv_nsec =
0}, st_ino = 43156691}
       op = <value optimized out>
       commandlinei = 1
       path = "/etc/argus.conf", '\0' <repeats 8176 times>
#5  0x00438dec in __libc_start_main () from /lib/libc.so.6
No symbol table info available.
#6  0x0804a4b1 in _start ()
No symbol table info available.
(gdb)
Carter Bullard | 7 Jul 18:00

Re: segv in argus with latest pf_ring enabled libpcap

Hey Will,
Maybe an alignment problem. What happens when
you print the ip header in gdb?

(gdb) print ip
(gdb) print *ip

you may need to remove the -O directive in the ./argus/Makefile
so that gdb doesn't optimize out the local variables, so we can
see what argus has done.

So what kind of machine is this?

Carter

On Jul 7, 2008, at 11:07 AM, Will Metcalf wrote:

> I updated to the latest version of pf_ring enabled libpcap, which
> implements the ability to set a per process bucket len that is based
> on caplen from libpcap.  When compiling Argus against this lib it
> segv's after logging a couple of flows. Anybody have any ideas?
> Regards,
>
> Will
>
>
>
> gdb /usr/sbin/argus core.4729
> GNU gdb Red Hat Linux (6.5-37.el5_2.2rh)
> Copyright (C) 2006 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and  
> you are
> welcome to change it and/or distribute copies of it under certain  
> conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB.  Type "show warranty" for  
> details.
> This GDB was configured as "i386-redhat-linux-gnu"...Using host
> libthread_db library "/lib/libthread_db.so.1".
>
>
> warning: Can't read pathname for load map: Input/output error.
> Reading symbols from /usr/lib/libpcap.so.0.9.7...done.
> Loaded symbols for /usr/lib/libpcap.so.0.9.7
> Reading symbols from /usr/lib/libpfring.so...done.
> Loaded symbols for /usr/lib/libpfring.so
> Reading symbols from /lib/libpthread.so.0...done.
> Loaded symbols for /lib/libpthread.so.0
> Reading symbols from /usr/lib/libwrap.so.0...done.
> Loaded symbols for /usr/lib/libwrap.so.0
> Reading symbols from /lib/libnsl.so.1...done.
> Loaded symbols for /lib/libnsl.so.1
> Reading symbols from /lib/libm.so.6...done.
> Loaded symbols for /lib/libm.so.6
> Reading symbols from /lib/libc.so.6...done.
> Loaded symbols for /lib/libc.so.6
> Reading symbols from /lib/ld-linux.so.2...done.
> Loaded symbols for /lib/ld-linux.so.2
> Reading symbols from /lib/libnss_files.so.2...done.
> Loaded symbols for /lib/libnss_files.so.2
> Core was generated by `/usr/sbin/argus -d -J -w
> /var/log/argusoutput.ra -i eth0'.
> Program terminated with signal 11, Segmentation fault.
> #0  ArgusCreateIPv4Flow (model=0x8bde008, ip=0x0) at ArgusModeler.c: 
> 3627
> 3627       unsigned char *nxtHdr = (unsigned char *)((char *)ip +
> (ip->ip_hl << 2));
> (gdb) bt full
> #0  ArgusCreateIPv4Flow (model=0x8bde008, ip=0x0) at ArgusModeler.c: 
> 3627
>       nxtHdr = <value optimized out>
>       sport = <value optimized out>
>       dport = <value optimized out>
>       proto = <value optimized out>
>       len = <value optimized out>
>       hlen = <value optimized out>
>       ArgusOptionLen = <value optimized out>
> #1  0x08053273 in ArgusProcessPacket (src=0xb7ea8008, p=0x8bdf2f0
> "������", length=251, tvp=0xbffd8344, type=-1) at  
> ArgusModeler.c:1257
>       tsbuf = {tv_sec = 1953653108, tv_nsec = -1073904964}
>       tdiff = 4294967392
>       rtdiff = <value optimized out>
>       tvalue = <value optimized out>
>       model = (struct ArgusModelerStruct *) 0x8bde008
>       flow = <value optimized out>
>       nflow = <value optimized out>
>       ptr = 0x8bdf2f0 "������"
>       value = 0
>       retn = <value optimized out>
> #2  0x080554de in ArgusEtherPacket (user=0xb7ea8008 "", h=0x8bdf2c4,
> p=0x8bdf2f0 "������") at ArgusSource.c:716
>       caplen = 96
>       length = 251
>       tvpbuf = {tv_sec = 1215442055, tv_usec = 648975}
>       statbuf = {st_dev = 65522, __pad1 = 0, __st_ino = 0, st_mode =
> 0, st_nlink = 0, st_uid = 469434368, st_gid = 4327000, st_rdev =
> 18344976773382976, __pad2 = 2064, st_size = 4294967296,
> st_blksize = 107793408, st_blocks = 4147592, st_atim = {tv_sec = 0,
> tv_nsec = -1073904808}, st_mtim = {tv_sec = 4003570, tv_nsec =
> 146665712}, st_ctim = {tv_sec = 1, tv_nsec = 4001120},
> st_ino = 13834360246576710476}
> #3  0x08056f38 in ArgusGetPackets (src=0xb7ea8008) at ArgusSource.c: 
> 2139
>       pkt_data = (const u_char *) 0x8bdf2f0 "������"
>       pkts = 840
>       cnt = 1
>       header = (struct pcap_pkthdr *) 0x8bdf2c4
>       retn = <value optimized out>
>       ArgusReadMask = {__fds_bits = {0 <repeats 32 times>}}
>       ArgusWriteMask = {__fds_bits = {0 <repeats 32 times>}}
>       ArgusExceptMask = {__fds_bits = {0 <repeats 32 times>}}
>       tmp = <value optimized out>
>       i = 0
>       width = 1
>       noerror = 1
>       fd = <value optimized out>
>       found = 1
>       up = 1
>       notselectable = 0
>       fds = {1, -1, -1, -1, -1}
>       wait = {tv_sec = 0, tv_usec = 0}
> #4  0x0804c422 in main (argc=7, argv=0xbffd8ab4) at argus.c:530
>       eptr = 0x7 <Address 0x7 out of bounds>
>       ptr = 0xb7f3c708 "�\aB"
>       commandlinew = 1
>       doconf = 0
>       i = 7
>       pid = <value optimized out>
>       tmparg = <value optimized out>
>       filter = <value optimized out>
> ---Type <return> to continue, or q <return> to quit---
>       statbuf = {st_dev = 64768, __pad1 = 0, __st_ino = 43156691,
> st_mode = 33188, st_nlink = 1, st_uid = 0, st_gid = 0, st_rdev = 0,
> __pad2 = 0, st_size = 12807, st_blksize = 4096, st_blocks = 40,
> st_atim = {tv_sec = 1215441879, tv_nsec = 0}, st_mtim = {tv_sec =
> 1215122542, tv_nsec = 0}, st_ctim = {tv_sec = 1215122628, tv_nsec =
> 0}, st_ino = 43156691}
>       op = <value optimized out>
>       commandlinei = 1
>       path = "/etc/argus.conf", '\0' <repeats 8176 times>
> #5  0x00438dec in __libc_start_main () from /lib/libc.so.6
> No symbol table info available.
> #6  0x0804a4b1 in _start ()
> No symbol table info available.
> (gdb)

Will Metcalf | 7 Jul 19:09

Re: segv in argus with latest pf_ring enabled libpcap

I will have to recompile to get you the unoptimized output. The
machine is CentOS5.2 with a pf_ring enabled kernel, and pf_ring
enabled libpcap. http://www.ntop.org/PF_RING.html  I should have
stated earlier that snort, daemonlogger, and ntop all work ok compiled
against this lib :-(....

(gdb) print ip
$1 = (struct ip *) 0x0
(gdb) print *ip
Cannot access memory at address 0x0
(gdb)

On Mon, Jul 7, 2008 at 11:00 AM, Carter Bullard <carter <at> qosient.com> wrote:
> Hey Will,
> Maybe an alignment problem. What happens when
> you print the ip header in gdb?
>
> (gdb) print ip
> (gdb) print *ip
>
> you may need to remove the -O directive in the ./argus/Makefile
> so that gdb doesn't optimize out the local variables, so we can
> see what argus has done.
>
> So what kind of machine is this?
>
> Carter
>
> On Jul 7, 2008, at 11:07 AM, Will Metcalf wrote:
>
>> I updated to the latest version of pf_ring enabled libpcap, which
>> implements the ability to set a per process bucket len that is based
>> on caplen from libpcap.  When compiling Argus against this lib it
>> segv's after logging a couple of flows. Anybody have any ideas?
>> Regards,
>>
>> Will
>>
>>
>>
>> gdb /usr/sbin/argus core.4729
>> GNU gdb Red Hat Linux (6.5-37.el5_2.2rh)
>> Copyright (C) 2006 Free Software Foundation, Inc.
>> GDB is free software, covered by the GNU General Public License, and you
>> are
>> welcome to change it and/or distribute copies of it under certain
>> conditions.
>> Type "show copying" to see the conditions.
>> There is absolutely no warranty for GDB.  Type "show warranty" for
>> details.
>> This GDB was configured as "i386-redhat-linux-gnu"...Using host
>> libthread_db library "/lib/libthread_db.so.1".
>>
>>
>> warning: Can't read pathname for load map: Input/output error.
>> Reading symbols from /usr/lib/libpcap.so.0.9.7...done.
>> Loaded symbols for /usr/lib/libpcap.so.0.9.7
>> Reading symbols from /usr/lib/libpfring.so...done.
>> Loaded symbols for /usr/lib/libpfring.so
>> Reading symbols from /lib/libpthread.so.0...done.
>> Loaded symbols for /lib/libpthread.so.0
>> Reading symbols from /usr/lib/libwrap.so.0...done.
>> Loaded symbols for /usr/lib/libwrap.so.0
>> Reading symbols from /lib/libnsl.so.1...done.
>> Loaded symbols for /lib/libnsl.so.1
>> Reading symbols from /lib/libm.so.6...done.
>> Loaded symbols for /lib/libm.so.6
>> Reading symbols from /lib/libc.so.6...done.
>> Loaded symbols for /lib/libc.so.6
>> Reading symbols from /lib/ld-linux.so.2...done.
>> Loaded symbols for /lib/ld-linux.so.2
>> Reading symbols from /lib/libnss_files.so.2...done.
>> Loaded symbols for /lib/libnss_files.so.2
>> Core was generated by `/usr/sbin/argus -d -J -w
>> /var/log/argusoutput.ra -i eth0'.
>> Program terminated with signal 11, Segmentation fault.
>> #0  ArgusCreateIPv4Flow (model=0x8bde008, ip=0x0) at ArgusModeler.c:3627
>> 3627       unsigned char *nxtHdr = (unsigned char *)((char *)ip +
>> (ip->ip_hl << 2));
>> (gdb) bt full
>> #0  ArgusCreateIPv4Flow (model=0x8bde008, ip=0x0) at ArgusModeler.c:3627
>>      nxtHdr = <value optimized out>
>>      sport = <value optimized out>
>>      dport = <value optimized out>
>>      proto = <value optimized out>
>>      len = <value optimized out>
>>      hlen = <value optimized out>
>>      ArgusOptionLen = <value optimized out>
>> #1  0x08053273 in ArgusProcessPacket (src=0xb7ea8008, p=0x8bdf2f0
>> "������", length=251, tvp=0xbffd8344, type=-1) at ArgusModeler.c:1257
>>      tsbuf = {tv_sec = 1953653108, tv_nsec = -1073904964}
>>      tdiff = 4294967392
>>      rtdiff = <value optimized out>
>>      tvalue = <value optimized out>
>>      model = (struct ArgusModelerStruct *) 0x8bde008
>>      flow = <value optimized out>
>>      nflow = <value optimized out>
>>      ptr = 0x8bdf2f0 "������"
>>      value = 0
>>      retn = <value optimized out>
>> #2  0x080554de in ArgusEtherPacket (user=0xb7ea8008 "", h=0x8bdf2c4,
>> p=0x8bdf2f0 "������") at ArgusSource.c:716
>>      caplen = 96
>>      length = 251
>>      tvpbuf = {tv_sec = 1215442055, tv_usec = 648975}
>>      statbuf = {st_dev = 65522, __pad1 = 0, __st_ino = 0, st_mode =
>> 0, st_nlink = 0, st_uid = 469434368, st_gid = 4327000, st_rdev =
>> 18344976773382976, __pad2 = 2064, st_size = 4294967296,
>> st_blksize = 107793408, st_blocks = 4147592, st_atim = {tv_sec = 0,
>> tv_nsec = -1073904808}, st_mtim = {tv_sec = 4003570, tv_nsec =
>> 146665712}, st_ctim = {tv_sec = 1, tv_nsec = 4001120},
>> st_ino = 13834360246576710476}
>> #3  0x08056f38 in ArgusGetPackets (src=0xb7ea8008) at ArgusSource.c:2139
>>      pkt_data = (const u_char *) 0x8bdf2f0 "������"
>>      pkts = 840
>>      cnt = 1
>>      header = (struct pcap_pkthdr *) 0x8bdf2c4
>>      retn = <value optimized out>
>>      ArgusReadMask = {__fds_bits = {0 <repeats 32 times>}}
>>      ArgusWriteMask = {__fds_bits = {0 <repeats 32 times>}}
>>      ArgusExceptMask = {__fds_bits = {0 <repeats 32 times>}}
>>      tmp = <value optimized out>
>>      i = 0
>>      width = 1
>>      noerror = 1
>>      fd = <value optimized out>
>>      found = 1
>>      up = 1
>>      notselectable = 0
>>      fds = {1, -1, -1, -1, -1}
>>      wait = {tv_sec = 0, tv_usec = 0}
>> #4  0x0804c422 in main (argc=7, argv=0xbffd8ab4) at argus.c:530
>>      eptr = 0x7 <Address 0x7 out of bounds>
>>      ptr = 0xb7f3c708 "�\aB"
>>      commandlinew = 1
>>      doconf = 0
>>      i = 7
>>      pid = <value optimized out>
>>      tmparg = <value optimized out>
>>      filter = <value optimized out>
>> ---Type <return> to continue, or q <return> to quit---
>>      statbuf = {st_dev = 64768, __pad1 = 0, __st_ino = 43156691,
>> st_mode = 33188, st_nlink = 1, st_uid = 0, st_gid = 0, st_rdev = 0,
>> __pad2 = 0, st_size = 12807, st_blksize = 4096, st_blocks = 40,
>> st_atim = {tv_sec = 1215441879, tv_nsec = 0}, st_mtim = {tv_sec =
>> 1215122542, tv_nsec = 0}, st_ctim = {tv_sec = 1215122628, tv_nsec =
>> 0}, st_ino = 43156691}
>>      op = <value optimized out>
>>      commandlinei = 1
>>      path = "/etc/argus.conf", '\0' <repeats 8176 times>
>> #5  0x00438dec in __libc_start_main () from /lib/libc.so.6
>> No symbol table info available.
>> #6  0x0804a4b1 in _start ()
>> No symbol table info available.
>> (gdb)
>
>
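
The backtrace above shows ArgusCreateIPv4Flow computing `ip + (ip->ip_hl << 2)` with `ip == 0x0`, while the frame was captured with caplen 96 of 251 bytes. As an added example, not argus code and not a claim about where argus's own check belongs, the following C shows the defensive shape a packet path needs on that path: each stage returns NULL for frames it cannot interpret, and each caller checks for NULL before any pointer arithmetic on the header. Header fields are read byte by byte, so the code is also indifferent to the buffer alignment Carter asks about. The sample frames are constructed; the function names are this example's own.

```c
/* Added example, not argus code: NULL- and length-checked location of the
 * IPv4 header and the header that follows it in a captured Ethernet frame.
 * Fields are read byte-wise, so no aligned struct access is required. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ETHER_HDR_LEN   14
#define ETHERTYPE_IPV4  0x0800
#define IPV4_MIN_HLEN   20

/* Locate the IPv4 header in an Ethernet II frame of `caplen` captured bytes.
 * Returns NULL when the frame is absent, too short, or not plain IPv4. */
const uint8_t *find_ipv4_header(const uint8_t *frame, size_t caplen)
{
    if (frame == NULL || caplen < ETHER_HDR_LEN + IPV4_MIN_HLEN)
        return NULL;                                /* truncated capture */
    unsigned ethertype = ((unsigned)frame[12] << 8) | frame[13];
    if (ethertype != ETHERTYPE_IPV4)
        return NULL;                                /* VLAN, ARP, IPv6: not handled */
    const uint8_t *ip = frame + ETHER_HDR_LEN;
    if ((ip[0] >> 4) != 4)
        return NULL;                                /* version nibble must be 4 */
    return ip;
}

/* Compute the header that follows the IPv4 header (the nxtHdr of the
 * backtrace).  `avail` is the number of captured bytes starting at `ip`.
 * Returns NULL if ip is NULL, the IHL is invalid, or options are cut off. */
const uint8_t *ipv4_next_header(const uint8_t *ip, size_t avail, uint8_t *proto_out)
{
    if (ip == NULL || avail < IPV4_MIN_HLEN)
        return NULL;                                /* never touch ip->ip_hl here */
    size_t hlen = (size_t)(ip[0] & 0x0f) << 2;      /* IHL counts 32-bit words */
    if (hlen < IPV4_MIN_HLEN || hlen > avail)
        return NULL;
    if (proto_out != NULL)
        *proto_out = ip[9];
    return ip + hlen;
}

/* The path a capture callback would take: IP protocol number of the frame,
 * or -1 when the frame cannot be parsed safely. */
int classify_frame(const uint8_t *frame, size_t caplen)
{
    const uint8_t *ip = find_ipv4_header(frame, caplen);
    if (ip == NULL)
        return -1;                                  /* the check the crash lacked */
    uint8_t proto = 0;
    const uint8_t *next = ipv4_next_header(ip, caplen - ETHER_HDR_LEN, &proto);
    if (next == NULL)
        return -1;
    return (int)proto;
}

/* Constructed: Ethernet II + 20-byte IPv4 header (proto 17) + 8-byte UDP header. */
const uint8_t sample_udp_frame[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x1c, 0x00,0x01,0x00,0x00, 0x40,0x11,0x00,0x00,
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,
    0x00,0x35,0x04,0xd2, 0x00,0x08,0x00,0x00
};

/* Constructed: the same packet 802.1Q tagged, so find_ipv4_header gives NULL. */
const uint8_t sample_vlan_frame[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb,
    0x81,0x00, 0x00,0x64, 0x08,0x00,
    0x45,0x00,0x00,0x1c, 0x00,0x01,0x00,0x00, 0x40,0x11,0x00,0x00,
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,
    0x00,0x35,0x04,0xd2, 0x00,0x08,0x00,0x00
};

/* Constructed: IPv4 with IHL = 3 (12 bytes), below the legal minimum. */
const uint8_t sample_bad_ihl_frame[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x43,0x00,0x00,0x1c, 0x00,0x01,0x00,0x00, 0x40,0x11,0x00,0x00,
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,
    0x00,0x35,0x04,0xd2, 0x00,0x08,0x00,0x00
};

int main(void)
{
    printf("udp frame      -> proto %d\n", classify_frame(sample_udp_frame, sizeof sample_udp_frame));
    printf("30-byte caplen -> proto %d\n", classify_frame(sample_udp_frame, 30));
    printf("vlan tagged    -> proto %d\n", classify_frame(sample_vlan_frame, sizeof sample_vlan_frame));
    printf("bad ihl        -> proto %d\n", classify_frame(sample_bad_ihl_frame, sizeof sample_bad_ihl_frame));
    return 0;
}
```

The 30-byte caplen case mirrors the truncated capture in the backtrace (caplen 96 of length 251): a snaplen that cuts into the IP header must yield "cannot parse", not a pointer past the buffer, and a frame the first stage declines (here the VLAN-tagged one) must never reach the `ip_hl` arithmetic as a NULL pointer.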
Peter Van Epp | 7 Jul 19:33

Re: segv in argus with latest pf_ring enabled libpcap

On Mon, Jul 07, 2008 at 12:09:54PM -0500, Will Metcalf wrote:
> I will have to recompile to get you the unoptimized output. The
> machine is CentOS5.2 with a pf_ring enabled kernel, and pf_ring
> enabled libpcap. http://www.ntop.org/PF_RING.html  I should have
> stated earlier that snort, daemonlogger, and ntop all work ok compiled
> against this lib :-(....
> 
> (gdb) print ip
> $1 = (struct ip *) 0x0
> (gdb) print *ip
> Cannot access memory at address 0x0
> (gdb)
> 
	32 or 64 bit? We had a fair amount of excitement with pf-ring (an older
copy) on a 64 PPC machine. Default most stuff was 32 and objected to a 64
pf-ring without recompile (although argus was happy as I recall, tcpdump
for one wasn't till recompiled). 

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

Will Metcalf | 7 Jul 20:27

Re: segv in argus with latest pf_ring enabled libpcap

Everything is intel 32-bit.

On 7/7/08, Peter Van Epp <vanepp <at> sfu.ca> wrote:
> On Mon, Jul 07, 2008 at 12:09:54PM -0500, Will Metcalf wrote:
> > I will have to recompile to get you the unoptimized output. The
> > machine is CentOS5.2 with a pf_ring enabled kernel, and pf_ring
> > enabled libpcap. http://www.ntop.org/PF_RING.html  I should have
> > stated earlier that snort, daemonlogger, and ntop all work ok compiled
> > against this lib :-(....
> >
> > (gdb) print ip
> > $1 = (struct ip *) 0x0
> > (gdb) print *ip
> > Cannot access memory at address 0x0
> > (gdb)
> >
>        32 or 64 bit? We had a fair amount of excitement with pf-ring (an older
> copy) on a 64 PPC machine. Default most stuff was 32 and objected to a 64
> pf-ring without recompile (although argus was happy as I recall, tcpdump
> for one wasn't till recompiled).
>
> Peter Van Epp / Operations and Technical Support
> Simon Fraser University, Burnaby, B.C. Canada
>

Peter Van Epp | 7 Jul 21:05

Re: segv in argus with latest pf_ring enabled libpcap

On Mon, Jul 07, 2008 at 01:27:58PM -0500, Will Metcalf wrote:
> Everything is intel 32-bit.
> 

	For what it's worth (probably not much, since it doesn't work for 
you :-)) I just compiled argus-3.0.0 release and ran it for a while on 
a SUSE 10.2 32 bit Athlon box with an older (can't see a version to say how
old, but a year or more anyway) version of pf-ring. Runs fine as it does 
on my 64 bit PPC machines (for some value of fine, it's a little unstable
at full gig :-)). Phil Wood has a similar mod that is in the kernel (no need
to add pf-ring) but I haven't managed to do a speed comparison yet. 
	At this point I expect debug output to see if there is an alignment
problem of some kind is probably the best bet. 

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

Will Metcalf | 7 Jul 21:27

Re: segv in argus with latest pf_ring enabled libpcap

Yeah I should also admit that the previous version of pf_ring and
libpcap worked just fine with bucket len being set by insmod in kernel
land.  Working on getting the non optimized debug now...  Thanx for
your help everybody ;-)

Regards,

Will

On Mon, Jul 7, 2008 at 2:05 PM, Peter Van Epp <vanepp <at> sfu.ca> wrote:
> On Mon, Jul 07, 2008 at 01:27:58PM -0500, Will Metcalf wrote:
>> Everything is intel 32-bit.
>>
>
>        For what it's worth (probably not much, since it doesn't work for
> you :-)) I just compiled argus-3.0.0 release and ran it for a while on
> a SUSE 10.2 32 bit Athlon box with an older (can't see a version to say how
> old, but a year or more anyway) version of pf-ring. Runs fine as it does
> on my 64 bit PPC machines (for some value of fine, it's a little unstable
> at full gig :-)). Phil Wood has a similar mod that is in the kernel (no need
> to add pf-ring) but I haven't managed to do a speed comparison yet.
>        At this point I expect debug output to see if there is an alignment
> problem of some kind is probably the best bet.
>
> Peter Van Epp / Operations and Technical Support
> Simon Fraser University, Burnaby, B.C. Canada
>
>

