[Oisf-devel] Crashing

Victor Julien victor at inliniac.net
Mon Feb 21 20:09:00 UTC 2011 

On 02/21/2011 11:39 AM, Chris Wakelin wrote:
> 
> 
> On 17/02/11 17:09, Chris Wakelin wrote:
>>
>> Is there a way to dump packets in a circular buffer? Otherwise I think
>> we'd quickly run out of disk space (e.g. in the last run I got stats
>> for, we got 250GB in just under 90 minutes).
>>
>> Best Wishes,
>> Chris
>>
> 
> Darn, I keep replying to contributors rather than the list. Anyway I
> told Brant (only ...) that I got a crash with a 10GB core dump by
> running as root. I've just got another that looks very similar (8GB dump):
> 
>> 0  0x00007f0aa8de2a75 in raise () from /lib/libc.so.6
>> #1  0x00007f0aa8de65c0 in abort () from /lib/libc.so.6
>> #2  0x00000000004d63b5 in PrintList (seg=0x0) at stream-tcp-reassemble.c:495
>> #3  0x00000000004d8ab7 in HandleSegmentStartsBeforeListSegment (tv=<value optimised out>, ra_ctx=<value optimised out>, stream=0x7f09c4760dc8, 
>>     seg=0x7f08ad422a10, p=<value optimised out>) at stream-tcp-reassemble.c:937
>> #4  StreamTcpReassembleInsertSegment (tv=<value optimised out>, ra_ctx=<value optimised out>, stream=0x7f09c4760dc8, seg=0x7f08ad422a10, 
>>     p=<value optimised out>) at stream-tcp-reassemble.c:624
>> #5  0x00000000004d93b9 in StreamTcpReassembleHandleSegmentHandleData (tv=0x7f0aa00008b0, ra_ctx=0x5cdeee0, ssn=<value optimised out>, stream=0x7f09c4760dc8, 
>>     p=0x2323360) at stream-tcp-reassemble.c:1631
>> #6  0x00000000004d97cd in StreamTcpReassembleHandleSegment (tv=0x7f0aa00008b0, ra_ctx=0x5cdeee0, ssn=0x7f09c4760dc0, stream=0x7f09c4760dc8, p=0x2323360, 
>>     pq=<value optimised out>) at stream-tcp-reassemble.c:3502
>> #7  0x00000000004d361f in HandleEstablishedPacketToClient (tv=0x7f0aa00008b0, p=0x2323360, stt=0x5d70c20, ssn=0x7f09c4760dc0, pq=<value optimised out>)
>>     at stream-tcp.c:1753
>> #8  StreamTcpPacketStateEstablished (tv=0x7f0aa00008b0, p=0x2323360, stt=0x5d70c20, ssn=0x7f09c4760dc0, pq=<value optimised out>) at stream-tcp.c:1882
>> #9  0x00000000004d4f70 in StreamTcpPacket (tv=0x7f0aa00008b0, p=0x2323360, data=0x5d70c20, pq=<value optimised out>, postpq=<value optimised out>)
>>     at stream-tcp.c:3208
>> #10 StreamTcp (tv=0x7f0aa00008b0, p=0x2323360, data=0x5d70c20, pq=<value optimised out>, postpq=<value optimised out>) at stream-tcp.c:3388
>> #11 0x00000000004c0afe in TmThreadsSlot1 (td=0x7f0aa00008b0) at tm-threads.c:356
>> #12 0x00007f0aa95869ca in start_thread () from /lib/libpthread.so.0
>> #13 0x00007f0aa8e9570d in clone () from /lib/libc.so.6
>> #14 0x0000000000000000 in ?? ()
> 
> I haven't got packet traces for it yet. Third time lucky! Brant
> suggested gulp, but I found "tcpdump -w pcap%S -G10" works quite well as
> a circular buffer. The traces I have got so far (without cores) don't
> cause a crash when read with "suricata -r".

Cool. Btw, you can do circular buffers with tshark and daemonlogger as well.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------

More information about the Oisf-devel mailing list