differences between 2.0 and 1.8 logs

Russell Fulton r.fulton at auckland.ac.nz
Wed Sep 27 17:51:03 EDT 2000 

On Wed, 27 Sep 2000 07:13:01 -0400 Carter Bullard <carter at qosient.com> 
wrote:

> Hey Russell,
>    Hmmmmmm, it is highly unlikely that we're missing the
> packets, at least not that many, and with such selectivity
> unless there is a huge difference between the 2.0 and the
> 1.8 output files.   We could be missing the Argus records.
> Is this a heavily loaded network?  Hmmmmmmmmmm.

Not by Peter's standards ;-)  It's a 10MB network with about 4Mbps real 
traffic with peaks much higher.  The box has a 500MHz processessor and 
128MB memory, runs snort and argus 1.8.1 as well as argus 2.0.  CPU 
sits at around 5%, except when I run raconnections and gzip on the hour 
(I am compacting and compressing the 1.8.1 logs but not the 2.0).

I am also having trouble with running out of swap space  when I have 
all three processes running.  I think it may be raconnections causing 
problems because normally there is heaps of free memory and almost no 
swap space used.  However this does not tally with the last modified 
time stamp on the output file which don't cluster shortly after the 
hour as one would expect if it was raconnections that was using up the 
swap space.

I have just this morning taken delivery of two new boxes, and I try and 
get one of them set up along side the exising one and duplicate the 
setup.  Currently this box is the only one with enough grunt to run 
snort comfortably.

> 
>    The man records also record the number of packets seen and
> the totals in the flow records should add up to the totals
> in the man records. 

Hmmm... I have never seen a final report from argus, it always dies 
first.  Here are the man records from the last run

Sun 09/05 08:04:09.-1640035840   man  pkts 386864  bytes 162507987  
drops     0         CON                      
Fri 05/03 23:57:45.-697039616   man  pkts 257885  bytes 99672951  drops 
   0         CON                      
Fri 11/05 16:34:17.642122752   man  pkts 269177  bytes 105305034  drops 
   0         CON                      
Sat 12/23 04:07:37.1748110848   man  pkts 266993  bytes 109385383  
drops     0         CON                      
Sun 01/14 04:03:21.-1048064   man  pkts 6962120  bytes 2928343216  
drops     0         CON                      
Sun 03/01 15:36:41.-2116416768   man  pkts 264262  bytes 119682765  
drops     0         CON                      

Hmmm.... more screwy times.
> 
I'll make some changes to racount to
> print out both sums.  That will help, but it won't solve
> any problems.
> 
>    So what's the setup?  1.8 and 2.0 reading the same
> interface at the same time?

yes.

With the new box, I'll be able to run some tests without snort just 
in case that is somehow interfering.

Cheers, Russell.

More information about the argus mailing list