[ARGUS] ra* performance
eric-list-argus at catastrophe.net
eric-list-argus at catastrophe.net
Mon May 10 14:48:46 EDT 2004
On Mon, 2004-05-10 at 12:36:37 -0400, cleric at gwu.edu proclaimed...
> The problem comes when I try to extract information from my archived *.gz
> capture files using the various ra programs. If I try to go into the
> archive directory for a single day's captures and run an ramon -M topn -r
> *, for example the command never completes (and I've let it run for
> several hours once). Am I going about this the wrong way? Are there ways
> to tweak the OS to improve performance? Do people have performance stats
> that they could share? Right now what I am doing seems unusably slow...
You're most likely running out of memory due to a hard limit imposed
from the kernel. I'm not a Linux user, so I'm not sure how to modify
this. However, using things such as ulimit will *not* help you
because there are hard limits inside the kernel. Check your vendors
documentation for how to do this, or the argus archives for how to
do it under FreeBSD.
We have a dual xeon as our collector with 2GB of RAM; the host
writing to disk is connected via a cross over gig-ethernet. We're
looking at about 110Mbps, but we've seen it burst to 220Mbps., and
it's perfectly usable (kudos to Carter and the development team).
Perhaps fine-tuning your platform would be a good start. Also, you
might want to touch .devel and .debug in the top level of the source
directory if anything core dumps. However, this is a *huge*
performance hit -- use it wisely!
- Eric
More information about the argus
mailing list