[ARGUS] BSD argus/Linux ra problems?

Joe Christy joe at eshu.net
Tue Nov 23 17:11:27 EST 2004


   Vis-a-vis Michael's notes of 11/22/2004 02:34 AM and 11/23/2004
02:41 AM:
> ...
> 
> The plot thickens.  ra -D 8 -S ... runs.  -D 1 through -D 4 don't work. 
>  -D 5 through -D 8 work (run multiple times) when at the shell.  When 
> running under gdb, only -D 8 would work.  Here is output from the -D 4 
> and -D 5 runs.
> ...

	I posted the original problem last summer, and everything that Michael
reports, down to the business with the -Dn flags is precisely what I saw
w/ FreeBSD-4.9 => FC2. Alas I didn't have time to pursue it and came up
with a crufty hack involving rsync to get my argus data off the FreeBSD
gateway in not-exactly-real time.

	I think that you struck gold with your latest post:

> This does appear to be a timing issue, but really it looks like a TCP 
> window size issue and how ArgusReadConnection() does its reads.

	I'm in the process of building another network with an FC3 monitoring
station on and an OpenBSD-3.6 gateway hosting the sensor and I also have
another gateway box on my workbench running FreeBSD-4-STABLE. After the
great American tryptophan & football festival, I'll take another whack.
Please post any proposed patches to the list.

> The flip side of this is that it is a weirdo case, very dependent upon
> Linux kernel release and what OS the argus sensor runs on,

	What kernel are you running?

> possibly even
> the amount of memory in the client machine (since window size is related
> to available receive buffer space, which is related to total memory in
> the box).

	I doubt that since my client monitor station last summer had 2G memory.
The sensor, on the other hand, had only 128M. The gateway this time has
512M memory, so I can double-check the memory hypothesis at the sensor end.

	Joe


-- 
======== Joe Christy ============================== joe at eshu.net =======
---- Voice:831/423-7151 --- Mobile:831/227-6440 --- FAX:831/469-0804 ---
    If I can save you any time, give it to me, I'll keep it with mine.
======== public keys and certificates at: www.eshu.net/PKI.html ========


