Fixed one bug, got some more for ya though :)

Carter Bullard carter at qosient.com
Thu Jun 14 11:43:45 EDT 2001


Hey Chris,
   Argus is implemented as full processes, not threads,
so each process can have their own independent values.
No problem.

   The thought is a good one but they should not match.
In most cases we actually process passes continuously,
its only in some minor conditions that we get into 10
passes per second.

   Increasing the number above 512 is a very good
thing, but not toooo high, as you will start to drop
packets on the receiving end.  So try out 1024 or 2048
to see if things are OK.  We can go to the limit if
you want, its just a matter of experimentation.

Carter





-----Original Message-----
From: Chris Newton [mailto:newton at unb.ca] 
Sent: Thursday, June 14, 2001 11:40 AM
To: Carter Bullard
Cc: Argus (argus-info)
Subject: RE: Fixed one bug, got some more for ya though :)


>===== Original Message From <carter at qosient.com> =====
>Hey Chris,
>One value for you to play with is ARGUS_MAXWRITENUM in ArgusUtil.c.  
>This is the maximum number of records that we will write out to the 
>socket on each pass.  For some situations we only process 10 passes a 
>second, and so increasing this number to say 1024, or 2048 may be
>more than appropriate.  Now, large numbers here will
>get in the way of argus getting back to process packets,
>so you don't want to go toooo high here.


  Hmm, is the writer implemented as a thread?  If so, I should be able
to put 
a pretty high number here, and, on an SMP machine, it should fair pretty
well, 
correct?

  Also, you mentionned that in some cases argus can generate 10,000
records a 
second, right?  Well, I think I see the problem causing the issue I am
having.  The current value of MAXWRITENUM is 512... and, with only 10
passes a second 
(as you say, in some cases), we only dump 5120 records per second...
yet, it 
is possible to accumulate them at a rate of 10K/s.  Should not these
values 
match?  My logic would be that if you can't get the reports out as fast
as you 
generate them, and the traffic levels stay at this level for a good
chunk of 
time (minutes), argus _will_ fail... since, it will exhust that queue,
and 
will decide to stop... no matter how fast a computer you throw at the 
problem...  ie: here's the scenario...

  I buy a 8 proc, 10 Ghz Pentium 7 ( nice eh? :))... it can generate
flows at 
a rate of 500,000 flows per second.  Problem... I'm only dumping them at
a 
rate of 5120 per second (in some cases, though, I suspect that is based
on 
load, right?  high packet load, and you dont do this run as much?).  The
queue 
will fill in seconds, and argus will stop.

  Am I off base here?

Chris

_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/

Chris Newton, Systems Analyst
Computing Services, University of New Brunswick
newton at unb.ca 506-447-3212(voice) 506-453-3590(fax)

"The best way to have a good idea is to have a lot of ideas." Linus
Pauling (1901 - 1994) US chemist



More information about the argus mailing list