[NETFRAME] Net::Packet::Dump / Net::Frame::Dump::Online - Concurrent Simultaneous Capture Limit?

Thu Jun 11 19:26:59 CEST 2009

Well, debugging is challenging, but I did encounter this issue:

*** glibc detected *** perl: double free or corruption (!prev): 0x08c90890 ***
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6[0xb7e29a85]
/lib/tls/i686/cmov/libc.so.6(cfree+0x90)[0xb7e2d4f0]
/usr/lib/libpcap.so.0.8(pcap_close_common+0x2c)[0xb7bf078c]
/usr/lib/libpcap.so.0.8[0xb7bee74d]
/usr/lib/libpcap.so.0.8(pcap_close+0x23)[0xb7bf0503]
/usr/local/lib/perl/5.8.8/auto/Net/Pcap/Pcap.so(XS_Net__Pcap_close+0x176)[0xb7c23356]
perl(Perl_pp_entersub+0x313)[0x80c23b3]
perl(Perl_runops_standard+0x1b)[0x80c0d8b]
perl[0x8065d7d]
perl(Perl_call_sv+0x59d)[0x806698d]
perl(Perl_sighandler+0x211)[0x80b4e81]
[0xb7f55420]
perl(PerlIOBuf_fill+0x170)[0x8127380]
perl(PerlIOBase_read+0xdc)[0x81257dc]
perl(PerlIO_getc+0x31)[0x8125931]
perl(Perl_sv_gets+0x954)[0x80ddda4]
perl(Perl_do_readline+0x155)[0x80c5df5]
perl(Perl_runops_standard+0x1b)[0x80c0d8b]
perl[0x8065d7d]
perl(Perl_call_sv+0x59d)[0x806698d]
perl(Perl_call_list+0x258)[0x8066ce8]
perl(perl_destruct+0x1259)[0x806bc49]
perl(main+0xc6)[0x8063726]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe0)[0xb7dd4450]
perl[0x80635f1]

Any pointers would be helpful.

-- Darien

On Thu, Jun 11, 2009 at 1:21 PM, Darien Kindlund<darien at kindlund.com> wrote:
> Hi GomoR,
>
> Looks like I spoke too soon.  After running the script below for about
> 30 minutes, the parent perl process unexpectedly exits with the error
> of:
> Can't locate Carp/Heavy.pm in @INC (@INC contains: /etc/perl
> /usr/local/lib/perl/5.8.8 /usr/local/share/perl/5.8.8 /usr/lib/perl5
> /usr/share/perl5 /usr/lib/perl/5.8 /usr/share/perl/5.8
> /usr/local/lib/site_perl .) at /usr/share/perl/5.8/Carp.pm line 89.
>
> ... and all 50 child processes are left stale.  Carp::Heavy is
> installed on the system, so I think there may be a more fundamental
> issue here -- perhaps resource starvation.  Anyway, I tried reducing
> the number of simultaneous dump objects to 35 and I get the same
> result.  I'll try to figure out the maximum.  I also try running the
> code in debug mode; however, debug doesn't like fork() at all.
>
> -- Darien
>
> On Thu, Jun 11, 2009 at 11:53 AM, Darien Kindlund<darien at kindlund.com> wrote:
>> Hi GomoR,
>>
>> It looks like the Net::Frame::Dump::Online package is keeping up with
>> the requirements I mentioned earlier.  I've enclosed a stripped down
>> version of perl code which describes how I'm using it.  I'm hoping you
>> can take a look at it and let me know if you see any particular
>> problems.  Basically, the code creates 50 dump objects and then cycles
>> through each dump object, printing the first 10 packets, and then
>> resetting the dump session.  I realize that creating 50 dump objects
>> using the same filter is not very useful; however, assume the real
>> code would set each dump object with a unique filter.
>>
>> Please let me know if this is the correct way to use your library,
>> specifically in terms of flushing data as much as possible in order to
>> avoid obvious memory overflow conditions.  Also, it's safe to assume
>> that the real code would do something with the generated .pcap between
>> the ->stop() call and the ->flush() call.
>>
>> Here's the code:
>>
>> #!/usr/bin/perl -w
>>
>> use strict;
>> use warnings;
>>
>> use Data::Dumper;
>> use Net::Frame::Dump::Online;
>> use Net::Frame::Simple;
>> use Data::UUID;
>>
>> our $sessions = {};
>>
>> my $session_counter = 0;
>>
>> while ($session_counter < 51) {
>>    my $uuid = Data::UUID->new()->create_str();
>>    $sessions->{$uuid} = Net::Frame::Dump::Online->new(
>>            dev           => 'eth0',
>>            file          => 'pcaps/' . $uuid . '.pcap',
>>            filter        => 'tcp port 22',
>>            promisc       => 1,
>>            snaplen       => 65535,
>>            keepTimestamp => 1,
>>            unlinkOnStop  => 0,
>>            overwrite     => 1,
>>    );
>>
>>    # Start capture
>>    #print Dumper($sessions->{$uuid}) . "\n";
>>    print "Starting...\n";
>>    $sessions->{$uuid}->start;
>>    $session_counter++;
>> }
>>
>> while (1) {
>>    foreach my $key (keys %{$sessions}) {
>>        print "Handling UUID: " . $key . "\n";
>>        #print Dumper($sessions->{$key}) . "\n";
>>
>>        my $counter = 0;
>>        while (1) {
>>            if (my $frame = $sessions->{$key}->next) {
>>                $frame = Net::Frame::Simple->newFromDump($frame);
>>                print $frame->print . "\n";
>>                #print Dumper($frame) . "\n";
>>                $counter++;
>>                if ($counter > 10) {
>>                    last;
>>                }
>>            }
>>        }
>>
>>        # Cleanup
>>        print "Stopping...\n";
>>        $sessions->{$key}->stop;
>>        #print Dumper($sessions->{$key}) . "\n";
>>
>>        #print "Sleeping...\n";
>>        #sleep(5);
>>
>>        print "Flushing...\n";
>>        $sessions->{$key}->flush;
>>        #print Dumper($sessions->{$key}) . "\n";
>>
>>        #print "Sleeping...\n";
>>        #sleep(10);
>>
>>        print "Starting...\n";
>>        $sessions->{$key}->start;
>>    }
>> }
>>
>> ---
>>
>> Lastly, when running this code, I occasionally run into this message:
>> Argument "" isn't numeric in numeric le (<=) at
>> /usr/local/share/perl/5.8.8/Net/Frame/Layer/ETH.pm line 193.
>> Unable to unpack next layer, not yet implemented in layer: 0:ETH
>> ETH: dst:49:09:90:01:ef:b7  src:  length:0
>>
>> Does this message appear strictly because I have 'use warnings;' in
>> the parent code?  In other words, what's the correct way to suppress
>> or handle this error message?
>>
>> Thanks,
>> -- Darien
>>
>