FOLLOWUP: oddities with ramon

Fri Apr 22 23:33:21 EDT 2005

On Thu, Apr 21, 2005 at 10:53:45PM -0400, Harry Hoffman wrote:
> Hi All,
> 
> First, thanks for the many good hints in trying to figure out why:
> ramon -M TopN 10 -nnnr argus.[date] was spitting out off of it's records.
> 
> I've since moved over to a linux box for running argus and the same
> thing is again happening.
> 
> I've checked /var/log/messages for any signs of memory trouble and none
> are present. I've also run top in another session and ramon will take
> anywhere from 103M to 207M while it's crunching numbers.
> 
> I have found something interesting though... If I run ramon against my
> first netblock (I have two class Bs 192.168 and 172.16)
> ramon -nnnr argus.[date] - net 192.168
> then everything works as expected (this netblock sees considerably less
> traffic then the second netblock)
> 
> However, running it against the second netblock is where things go
> hay-wire. But if I limit the scope in the second netblock then things
> again work
> ramon -nnnr argus.[date] - net 172.16.1
> 
> 
> Ideas?
> 
> Thanks,
> Harry

	How much data are you trying to analyse here? An ls -l of argus.[date]
would probably be useful. I expect you are running out of memory or in to a 
size limit in the clients. I remember Carter indicating some size limits that 
Eric should try increasing when argus was seg faulting on him (they should 
be in the archive but I'm not sure how you would find them) but I think they 
were for argus_bpf rather than the clients (but they may apply to both). I
just started:

ramon -M TopN -nnnr /usr/local/argus/com_argus.archive/2005/04/20/* > /tmp/ramon

where 

vanepp at r2d2% ls -l /usr/local/argus/com_argus.archive/2005/04/20
total 1457296
-rw-r--r--  1 argus 47398649 Apr 20 01:01 com_argus.2005.04.20.00.00.00.0.gz
-rw-r--r--  1 argus 40549752 Apr 20 02:01 com_argus.2005.04.20.01.00.00.0.gz
-rw-r--r--  1 argus 31801736 Apr 20 03:01 com_argus.2005.04.20.02.00.00.0.gz
-rw-r--r--  1 argus 31152588 Apr 20 04:01 com_argus.2005.04.20.03.00.00.0.gz
-rw-r--r--  1 argus 31198981 Apr 20 05:01 com_argus.2005.04.20.04.00.00.0.gz
-rw-r--r--  1 argus 35674025 Apr 20 06:01 com_argus.2005.04.20.05.00.00.0.gz
-rw-r--r--  1 argus 34782229 Apr 20 07:01 com_argus.2005.04.20.06.00.00.0.gz
-rw-r--r--  1 argus 55357136 Apr 20 08:02 com_argus.2005.04.20.07.00.00.0.gz
-rw-r--r--  1 argus 75094988 Apr 20 09:03 com_argus.2005.04.20.08.00.00.0.gz
-rw-r--r--  1 argus 74729045 Apr 20 10:03 com_argus.2005.04.20.09.00.00.0.gz
-rw-r--r--  1 argus 82441470 Apr 20 11:03 com_argus.2005.04.20.10.00.00.0.gz
-rw-r--r--  1 argus 88080085 Apr 20 12:03 com_argus.2005.04.20.11.00.00.0.gz
-rw-r--r--  1 argus 83748537 Apr 20 13:03 com_argus.2005.04.20.12.00.00.0.gz
-rw-r--r--  1 argus 88864172 Apr 20 14:03 com_argus.2005.04.20.13.00.00.0.gz
-rw-r--r--  1 argus 82974619 Apr 20 15:03 com_argus.2005.04.20.14.00.00.0.gz
-rw-r--r--  1 argus 81384032 Apr 20 16:03 com_argus.2005.04.20.15.00.00.0.gz
-rw-r--r--  1 argus 82110545 Apr 20 17:03 com_argus.2005.04.20.16.00.00.0.gz
-rw-r--r--  1 argus 75653462 Apr 20 18:03 com_argus.2005.04.20.17.00.01.0.gz
-rw-r--r--  1 argus 66415935 Apr 20 19:02 com_argus.2005.04.20.18.00.00.0.gz
-rw-r--r--  1 argus 63101783 Apr 20 20:02 com_argus.2005.04.20.19.00.00.0.gz
-rw-r--r--  1 argus 62455516 Apr 20 21:02 com_argus.2005.04.20.20.00.00.0.gz
-rw-r--r--  1 argus 59378201 Apr 20 22:02 com_argus.2005.04.20.21.00.00.0.gz
-rw-r--r--  1 argus 61168178 Apr 20 23:02 com_argus.2005.04.20.22.00.00.0.gz
-rw-r--r--  1 argus 55868584 Apr 21 00:02 com_argus.2005.04.20.23.00.00.0.gz

and we will see what happens (this is a B and about 16 Cs at about 35 megs
per second). But I expect it will take a while to complete.

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada