[Oisf-devel] Crashing

Chris Wakelin c.d.wakelin at reading.ac.uk
Tue Feb 22 12:35:11 UTC 2011

On 21/02/11 20:09, Victor Julien wrote:
>>> #0  0x00007f0aa8de2a75 in raise () from /lib/libc.so.6
>>> #1  0x00007f0aa8de65c0 in abort () from /lib/libc.so.6
>>> #2  0x00000000004d63b5 in PrintList (seg=0x0) at stream-tcp-reassemble.c:495
>>> #3  0x00000000004d8ab7 in HandleSegmentStartsBeforeListSegment (tv=<value optimised out>, ra_ctx=<value optimised out>, stream=0x7f09c4760dc8, 
>>>     seg=0x7f08ad422a10, p=<value optimised out>) at stream-tcp-reassemble.c:937


>> I haven't got packet traces for it yet. Third time lucky! Brant
>> suggested gulp, but I found "tcpdump -w pcap%S -G10" works quite well as
>> a circular buffer. The traces I have got so far (without cores) don't
>> cause a crash when read with "suricata -r".
> Cool. Btw, you can do circular buffers with tshark and daemonlogger as well.

I tried running with debug enabled, but the packet count dropped to 10%
of what it should be, so I made a version with SCLogDebug changed to
SCLogInfo at the point it crashes, and got:

Usual lots of

> [20949] 22/2/2011 -- 11:56:48 - (app-layer-parser.c:943) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing "http" app layer protocol, using network protocol 6, source IP address 134.225.xxx.xxx, destination IP address yyy.yyy.yyy.yyy, src port 3044 and dst port 80

per second, then

> [20949] 22/2/2011 -- 11:56:48 - (stream-tcp-reassemble.c:486) <Info> (PrintList) -- inconsistant list: SEQ_LT(seg->seq,next_seq)) == TRUE, seg->seq 959020101, next_seq 959020645

(BTW That should be "inconsistent" - which describes English spelling
quite well :) )

Packet traces haven't helped, but I suspect it's something to do with
very long TCP streams, so I guess they wouldn't!

Best Wishes,

Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 8439
Whiteknights, Reading, RG6 6AF, UK              Fax: +44 (0)118 975 3094
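
The condition named in the "inconsistant list" log line above, as an added sketch that is not part of the original message and is not Suricata's own code. The `struct seg` layout, the `first_inconsistent` helper and the `SEQ_LT` definition (the usual wrap-safe form) are assumptions; only the two sequence numbers come from the log line, and the rest of the sample list is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Wrap-safe TCP sequence comparison (assumed definition):
 * true when a lies "before" b modulo 2^32. */
#define SEQ_LT(a, b) ((int32_t)((uint32_t)(a) - (uint32_t)(b)) < 0)

/* Hypothetical, simplified segment; not Suricata's TcpSegment. */
struct seg {
    uint32_t seq;          /* sequence number of the first payload byte */
    uint16_t payload_len;  /* payload bytes carried by this segment */
    struct seg *next;
};

/* Walk an ordered reassembly list. Returns the index of the first segment
 * whose seq lies before the end of its predecessor (the condition printed
 * in the log line), or -1 if the list is consistent. On failure, *overlap
 * receives the number of bytes by which the segment starts early. */
int first_inconsistent(const struct seg *head, uint32_t *overlap)
{
    if (head == NULL)
        return -1;                          /* empty list: nothing to check */
    uint32_t next_seq = head->seq;
    int idx = 0;
    for (const struct seg *s = head; s != NULL; s = s->next, idx++) {
        if (SEQ_LT(s->seq, next_seq)) {
            if (overlap != NULL)
                *overlap = next_seq - s->seq;
            return idx;
        }
        next_seq = s->seq + s->payload_len; /* wraps naturally at 2^32 */
    }
    return -1;
}

int main(void)
{
    /* Constructed list: the predecessor is chosen so that it ends at the
     * next_seq from the log (959020645); seg->seq is the logged 959020101. */
    struct seg second = { 959020101u, 1460, NULL };
    struct seg first  = { 959019185u, 1460, &second };
    uint32_t ov = 0;
    int idx = first_inconsistent(&first, &ov);
    printf("first inconsistent index %d, starts %u bytes early\n", idx, ov);
    return 0;
}
```

A plain `<` on the raw 32-bit values would misreport segments on either side of a sequence wrap, which matters for the very long streams suspected in the message.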
