[Oisf-devel] Crashing
Chris Wakelin
c.d.wakelin at reading.ac.uk
Mon Feb 21 19:39:12 UTC 2011
On 17/02/11 17:09, Chris Wakelin wrote:
>
> Is there a way to dump packets in a circular buffer? Otherwise I think
> we'd quickly run out of disk space (e.g. in the last run I got stats
> for, we got 250GB in just under 90 minutes).
>
> Best Wishes,
> Chris
>
Darn, I keep replying to contributors rather than the list. Anyway I
told Brant (only ...) that I got a crash with a 10GB core dump by
running as root. I've just got another that looks very similar (8GB dump):
> #0 0x00007f0aa8de2a75 in raise () from /lib/libc.so.6
> #1 0x00007f0aa8de65c0 in abort () from /lib/libc.so.6
> #2 0x00000000004d63b5 in PrintList (seg=0x0) at stream-tcp-reassemble.c:495
> #3 0x00000000004d8ab7 in HandleSegmentStartsBeforeListSegment (tv=<value optimised out>, ra_ctx=<value optimised out>, stream=0x7f09c4760dc8,
> seg=0x7f08ad422a10, p=<value optimised out>) at stream-tcp-reassemble.c:937
> #4 StreamTcpReassembleInsertSegment (tv=<value optimised out>, ra_ctx=<value optimised out>, stream=0x7f09c4760dc8, seg=0x7f08ad422a10,
> p=<value optimised out>) at stream-tcp-reassemble.c:624
> #5 0x00000000004d93b9 in StreamTcpReassembleHandleSegmentHandleData (tv=0x7f0aa00008b0, ra_ctx=0x5cdeee0, ssn=<value optimised out>, stream=0x7f09c4760dc8,
> p=0x2323360) at stream-tcp-reassemble.c:1631
> #6 0x00000000004d97cd in StreamTcpReassembleHandleSegment (tv=0x7f0aa00008b0, ra_ctx=0x5cdeee0, ssn=0x7f09c4760dc0, stream=0x7f09c4760dc8, p=0x2323360,
> pq=<value optimised out>) at stream-tcp-reassemble.c:3502
> #7 0x00000000004d361f in HandleEstablishedPacketToClient (tv=0x7f0aa00008b0, p=0x2323360, stt=0x5d70c20, ssn=0x7f09c4760dc0, pq=<value optimised out>)
> at stream-tcp.c:1753
> #8 StreamTcpPacketStateEstablished (tv=0x7f0aa00008b0, p=0x2323360, stt=0x5d70c20, ssn=0x7f09c4760dc0, pq=<value optimised out>) at stream-tcp.c:1882
> #9 0x00000000004d4f70 in StreamTcpPacket (tv=0x7f0aa00008b0, p=0x2323360, data=0x5d70c20, pq=<value optimised out>, postpq=<value optimised out>)
> at stream-tcp.c:3208
> #10 StreamTcp (tv=0x7f0aa00008b0, p=0x2323360, data=0x5d70c20, pq=<value optimised out>, postpq=<value optimised out>) at stream-tcp.c:3388
> #11 0x00000000004c0afe in TmThreadsSlot1 (td=0x7f0aa00008b0) at tm-threads.c:356
> #12 0x00007f0aa95869ca in start_thread () from /lib/libpthread.so.0
> #13 0x00007f0aa8e9570d in clone () from /lib/libc.so.6
> #14 0x0000000000000000 in ?? ()
I haven't got packet traces for it yet. Third time lucky! Brant
suggested gulp, but I found "tcpdump -w pcap%S -G10" works quite well as
a circular buffer. The traces I have got so far (without cores) don't
cause a crash when read with "suricata -r".
Best Wishes,
Chris
--
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin, c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading, Tel: +44 (0)118 378 8439
Whiteknights, Reading, RG6 2AF, UK Fax: +44 (0)118 975 3094
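
The message above uses "tcpdump -w pcap%S -G10" as a circular capture buffer. The shell functions below are an added example, not part of the original message: they copy the ring aside in chronological order once a watched process has gone, before the next rotation overwrites it. The function names, the pcap[0-9][0-9] file pattern and the paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Assumption: the ring was started
# in RING_DIR with the command from the post:  tcpdump -w pcap%S -G10
# %S is the second of the minute, so names repeat every minute and tcpdump
# overwrites the older file of the same name; disk use stays bounded.

# snapshot_ring RING_DIR DEST
# Copy the ring files to DEST oldest-first, prefixed 001-, 002-, ...
# File names wrap (pcap50 can be older than pcap00), so order by mtime.
# Prints the number of files copied. Runs in a subshell, so variables stay local.
snapshot_ring() (
    ring_dir=$1; dest=$2; n=0
    mkdir -p "$dest" || exit 1
    # Names are restricted to pcap[0-9][0-9], so word-splitting ls output is safe.
    for f in $(cd "$ring_dir" 2>/dev/null && ls -tr pcap[0-9][0-9] 2>/dev/null); do
        n=$((n + 1))
        cp -p "$ring_dir/$f" "$dest/$(printf '%03d' "$n")-$f" || exit 1
    done
    echo "$n"
)

# watch_and_snapshot PID RING_DIR DEST
# Poll until PID (e.g. the suricata process) is gone, then save the ring into a
# timestamped directory under DEST. kill -0 only tests for existence; run as the
# same user or root, otherwise a permission error looks like "process gone".
watch_and_snapshot() {
    while kill -0 "$1" 2>/dev/null; do
        sleep 1
    done
    snapshot_ring "$2" "$3/crash-$(date +%Y%m%dT%H%M%S)"
}

# Usage, with tcpdump already running in /var/tmp/ring (hypothetical paths):
#   watch_and_snapshot "$(pidof suricata)" /var/tmp/ring /var/tmp/saved
```

The saved files can then be replayed in sequence order with "suricata -r", as the message does with its earlier traces.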