rasort doesn't finish

Carter Bullard carter at qosient.com
Wed May 30 12:49:55 EDT 2001 

Hey Russ,
   This is indeed the right mailing list!  I'm sorry
for the confusion, if you have any suggestions for
making it a bit easier, I'd love to hear them!!

   Must be a bug either in the file parsing or the output
process.  Argus records are all TLV records,
(type/length/value), so if the length value is zero, or
some particularly bad value, for some particularly bad 
reason, it will have infinite loop problems.  We fixed a
number of these problems last year, but you never know
about bugs.

   Do you have a file that causes rasort problems that
you don't mind sharing?  If so, please deposit it in
ftp://qosient.com/incoming and send me mail.  I'll
pick it up and take a look.

   Do other ra* programs have problems with the same
files, such as racount()?  They all share similar
file and record parsing routines.

Sorry for the inconvenience.

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter at qosient.com
Phone +1 212 588-9133
Fax   +1 212 588-9134
http://qosient.com 


-----Original Message-----
From: owner-argus-info at lists.andrew.cmu.edu
[mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of Russ Harvey
Sent: Wednesday, May 30, 2001 12:21 PM
To: argus-info at lists.andrew.cmu.edu
Subject: rasort doesn't finish


Hi,
I am not sure this is the correct list (there are confusing references
to argus, argus development, and argus-info in the documentation), I
apologize if it is not.

I am running argus-2.0.1 on FreeBSD 4.2 (dual 500MHz Compaq), and I have
implemented argus monitoring my border traffic. I used the
support/Archive script to archive my argus output files once an hour,
but sometimes rasort does not finish running on the raw output files and
I must kill them off manually. I let a couple run for 12 hours or so,
but they still did not finish.

In checking the archives there were references to loops in ra on FreeBSD
machines (and also implications that the problem had been fixed), as
well as discussions of rasort dumping core. My hourly raw argus data
files are about 150Mb each, as our traffic is about 10K packets/sec in
and out (~50Mbps out, ~25Mbps in)

Is there a way I can get rasort to complete, or should I just not run
any post-processing from the archiving cron script? If this is a looping
problem, how can I figure out what in my data is causing rasort to get
confused?

Thanks,
--russ

More information about the argus mailing list