Re: segfault at 000000000311c000 rip 000000000040fb46 rsp 0000007fbffff830 error 4

On Thu, Apr 30, 2009 at 11:09:40AM +0200, Gunnar Lindberg wrote:
> I'm new to this list and I hope my question is relevant for it. If
> the subject has been beaten to death please direct me to the archives.
> 
> We have 2 Argus collector machines, each with opto splitters and
> 2 Myricom 10GbE cards (using only the Rx side, of course). Then a
> third machine merging all data.
> 
> Recently both collectors have started to report as below (and stopped
> collecting data until argus is restarted). It happens roughly once a
> day and we're not happy - a litte worse than just annoying.
> 
> 
> /var/log/messages (and dmesg)
> 
> Apr 28 15:38:07 argc kernel: argus[17240]: segfault at 0000000004a14000 rip 000000000040fb46 rsp
0000007fbffff830 error 4
> Apr 28 15:18:42 argc kernel: argus[16262] general protection rip:3fabc696bd rsp:7fbffff5c0 error:0
> 
> Apr 29 15:50:21 argv kernel: argus[2511]: segfault at 000000000311c000 rip 000000000040fb46 rsp
0000007fbffff830 error 4
> Apr 29 16:35:20 argv kernel: argus[2641] general protection rip:40efbf rsp:7fbffff778 error:0
> 
> 
> Bad memeory?
> 
> 
> 	Gunnar Lindberg, IRT,
> 	Chalmers University of Technology,
> 	Gothenburg, Sweden

Re: gdb data for model....

On Wed, Apr 29, 2009 at 09:01:11AM -0400, Carter Bullard wrote:
> Hey Peter,
> Thanks for the reply!!!
> I've made quite a number of changes to try to solve this problem, but
> haven't heard a peep in a while, so I'd love to think that the problem
> is solved ;o)
>
> I do know better, so is anyone having problems with their argus
> stopping?
>
> Carter
>

	SFU is having problems of some kind (reported as missing flows although
I'm not yet sure exactly what that means, it may mean that DSCC is reporting 
flows that argus is missing or that argus is stopping as Russell is seeing). 
The poor fellow that inheirited most of my tasks when I retired is upgrading 
to the latest beta code in between fire fighting so I may get some more info 
from there later. 
	I've put the latest beta code on a HP AMD machine with FreeBSD on my
ADSL link (the HP being quiet enough to leave on continuously ) at home and 
I'll see what happens. 
	As to syslog, would I be correct in assuming that "enabling syslog" 
involves commenting out the 

#undef ARGUS_SYSLOG

at line 1757 of common/argus_util.c? If you don't do that I believe syslog will
be disabled because the

Re: best way to collect traffic

On Fri, Apr 24, 2009 at 08:44:33AM +0300, Oguz Yarimtepe wrote:
> 
> I am generally using a dataset [1] for testing purposes. What i do is
> converting the tcpdump files to arg3 records and analyse the results. 
> 
> A few days ago i tried to check my own traffic so i run the tcpdump
> while surfing. After a while i break the process by ctrl+c and converted
> the dumo file arg3 and check the results. I saw some <?> values at the
> direction field. So i thought, collecting the traffing in this way is
> not a good idea or i broke the connection an packages so the flow data
> was missing. 
> 
> What is the good way to collect a traffic for analyzing via argus?
> 
> -- 
> Oguz Yarimtepe
> http://www.loopbacking.info
> 

	Another thought just occurred to me: are you using ra to check the 
results or racluster? Argus flushes flow status every 2 minutes by default so
a long lasting connection (such as an ssh session) will have an initial 
report with the direction field correct and a bunch more for the same flow 
with a <?> direction (as it has no longer seen the syn / syn-ack sequence).
I believe racluster (it used to he ragator in 2.x) is the current way of 
combining the flows by 5 tuple so the direction field will be correct and 
you will get what you expect.

Peter Van Epp

simple question

Re: gdb data for model....

<snip>
> 
> #ifdef ARGUS_SYSLOG at line 1805 won't be true and syslog won't get called as
> far as I can see and since I'm not seeing any syslog messages from argus so
> far, it either hasn't decided to log anything yet or this is true .  I'll
> comment this out and see what happens. 
> 
> Peter Van Epp

	Looks correct. changing that to a #define ARGUS_SYSLOG 1 (and moving 
the undef to the bottom of the routine which probbaly isn't needed) makes 
syslog work on my FreeBSD box. Argus syslogged the started and interface up
messages on boot which it hadn't been doing before (syslog.conf needed an
addition for daemon which isn't logged by default as well). We may want to 
change (or at least arrange to allow a change during config) of the facility
to something other than daemon (such as one of the LOCALs). FreeBSD doesn't 
seem to log much to daemon but SFU's Suns tend to fill daemon with all kinds
of messages bind being particularly verbose which could be a pain to deal 
with.

Peter Van Epp

Re: gdb data for model....

Whoa,
I had completely missed the #undef ARGUS_SYSLOG, fixed!!!!!!!!
Carter

On Apr 30, 2009, at 10:47 PM, Peter Van Epp wrote:

> On Wed, Apr 29, 2009 at 09:01:11AM -0400, Carter Bullard wrote:
>> Hey Peter,
>> Thanks for the reply!!!
>> I've made quite a number of changes to try to solve this problem, but
>> haven't heard a peep in a while, so I'd love to think that the  
>> problem
>> is solved ;o)
>>
>> I do know better, so is anyone having problems with their argus
>> stopping?
>>
>> Carter
>>
>
> 	SFU is having problems of some kind (reported as missing flows  
> although
> I'm not yet sure exactly what that means, it may mean that DSCC is  
> reporting
> flows that argus is missing or that argus is stopping as Russell is  
> seeing).
> The poor fellow that inheirited most of my tasks when I retired is  
> upgrading
> to the latest beta code in between fire fighting so I may get some  
> more info
> from there later.
> 	I've put the latest beta code on a HP AMD machine with FreeBSD on my
> ADSL link (the HP being quiet enough to leave on continuously )  
> at home and
> I'll see what happens.
> 	As to syslog, would I be correct in assuming that "enabling syslog"
> involves commenting out the
>
> #undef ARGUS_SYSLOG
>
> at line 1757 of common/argus_util.c? If you don't do that I believe  
> syslog will
> be disabled because the
>
> #ifdef ARGUS_SYSLOG at line 1805 won't be true and syslog won't get  
> called as
> far as I can see and since I'm not seeing any syslog messages from  
> argus so
> far, it either hasn't decided to log anything yet or this is  
> true .  I'll
> comment this out and see what happens.
>
> Peter Van Epp
>

Re: simple question

argus threaded

Hi All,

As a was building the latest version of argus I noticed that there is 
the option to run argus as a threaded process.

Currently we run 4 seperate version of argus with different bpf filters 
(we have 4 cpus in our argus box).

Wondering if anyone is running argus with threads under linux and what 
your experience/thoughts are with this type of setup.

Cheers,
Harry

Re: argus threaded

On Fri, May 01, 2009 at 03:36:54PM -0400, Harry Hoffman wrote:
> Hi All,
>
> As a was building the latest version of argus I noticed that there is  
> the option to run argus as a threaded process.
>
> Currently we run 4 seperate version of argus with different bpf filters  
> (we have 4 cpus in our argus box).
>
> Wondering if anyone is running argus with threads under linux and what  
> your experience/thoughts are with this type of setup.
>
> Cheers,
> Harry
>

	Unless you are (as I often do) removing .thread in the top level of 
the clients directory, you are running threads by default if your machine 
supports it. It is still disabled by default (no .thread) in the argus 
distribution, I had a variety of problems with hangs early in 3.0 and I think 
we eventually decided it was problematic and disabled it (again, I was in any 
case ) but Carter will have the best opinion on how stable it may be if
enabled.

Peter Van Epp 

errors running rahisto