Just posted to argus-info, posting here for some google-fu for anybody else who might be lost (I'll follow up if I get responses).
I'm trying to run argus against some tcpdump traces I grab from my tun device (PPPoE) on my FreeBSD gateway. I'm reasonably certain I'm doing things correctly, as argus operates correctly if I use tcpdump traces captured from fxp0 (my internal network interface), but it dumps core when I use traces from tun0.
For instance, I'm trying:
tcpdump -i fxp0 -s0 -w /nsm/traces/fullout.lpc
(or -i tun0)
argus -r fullout.lpc -w \$ARGUSHOME/fullout.argus
which dumps core if the trace was captured from tun0.
Am I doing something stupid (this is not meant to work), missing something (an option?), or have I found something wrong? I'm playing with a tunnel device at home, and I can work around it by just looking
at all network traffic instead of what goes through the tunnel, but I'd rather just see traffic that's actually bound for or coming from addresses external to my home network. I get similar failure modes
using both 2.0.6 (from the FreeBSD ports tree) and 3.0 rc42 (built from source).
I experimented on a different machine at work with a bridge instead of a tunnel, and it seems to work just fine (although argus 3.0 seems to choke on some tcpdump traffic that 2.0.6 is happy with, which seems to be a separate issue).
*** Update: Carter Bullard says it should never ever dump core. So hopefully the fix will be easy, and no, I did nothing wrong apparently. I think the FreeBSD port has some issues then though, because a few of the ra tools dumped core on me too, for the only sin of forgetting command line arguments, as far as I can tell.