oddities with ramon

Peter Van Epp vanepp at sfu.ca
Tue Apr 5 11:02:49 EDT 2005 

On Tue, Apr 05, 2005 at 09:26:32AM -0400, Harry Hoffman wrote:
> Hi Russell,
> 
> Yep, I am running ramon in both cases. Hmm, it was late last night and I 
> didn't include any system info...
> 
<snip>
	Works OK for me on both types of files on FreeBSD 4.10:

vanepp at r2d2% ramon -M TopN -N 10 -nnnr /usr/local/argus/com_argus.archive/2005/04/05/com_argus.2005.04.05.06.00.00.0.gz
05 Apr 05 05:58:13     142.58.200.82 502937   833542    40282630     1097312156
05 Apr 05 05:58:13     142.58.101.28 327155   289699    205055429    24040121
05 Apr 05 05:58:13      142.58.101.5 249565   272417    39823022     131075801
05 Apr 05 05:58:15     142.58.101.21 169111   243239    16142623     200230813
05 Apr 05 05:58:12      142.58.103.1 190647   201301    30847051     20993841
05 Apr 05 05:58:16    204.239.18.200 108434   189590    6935268      269543411
05 Apr 05 05:58:20      206.12.128.5 94666    202058    6594730      25976777
05 Apr 05 05:58:22    204.239.18.203 91936    125779    4992004      184859799
05 Apr 05 05:58:22    81.178.225.189 101984   73339     150019208    3972348
05 Apr 05 05:59:46     206.12.128.34 60009    111781    3957066      14988721

vanepp at hcids1% ramon -M TopN -N 10 -nnnr com_argus
05 Apr 05 06:58:12     142.58.200.82 468832   773870    36732470     1035023951
05 Apr 05 06:58:12      142.58.101.5 304908   331166    61292895     171575518
05 Apr 05 06:58:12     142.58.101.28 248608   207340    167606664    19230497
05 Apr 05 06:58:12     142.58.101.21 154282   227621    9766909      202173202
05 Apr 05 06:58:32    204.239.18.200 127539   237935    7618079      315685229
05 Apr 05 06:58:22      206.12.128.5 92887    194197    6437890      25895784
05 Apr 05 06:58:12      142.58.103.1 137976   142485    22227169     15087023
05 Apr 05 06:58:59     24.85.131.105 180926   77434     257090872    4367971
05 Apr 05 06:58:15      142.58.111.2 76802    136592    5405604      195498398
05 Apr 05 06:58:20     206.12.128.12 54264    101432    3930937      17956855

although I have 3 or 4 patches on top of fixes.1 in there I don't think they
are likely to affect this. I'd be suspicious of memory off the top, its 
possible ramon is running out of memory and behaving badly. There is 750 megs
in the two boxes here and the kernel config boosts per process rlimits with
this:

options MAXDSIZ="(1380*1024*1024)"
options DFLDSIZ="(1380*1024*1024)"
options MAXSSIZ="(1024*1024*1024)"

Checking /var/log/messages for messages from argus would be a good first bet,
I think it should syslog memory problems.
	The article on argus being referred to is available online here:

http://www.usenix.org/publications/login/2001-11/pdfs/epp.pdf

and a somewhat old (I need to get around to updating it to my current set but
haven't) perl scripts that run here everyday are available at 

ftp.sfu.ca in /pub/unix/argus/argus.traffic.perl.tar.gz

as I recall there is a copy of the output format in the read me, but it is
basically sorted by traffic with a breakdown of traffic by external host and
port for the top 30 or so hosts.

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

More information about the argus mailing list