new argus-3.0 features - 64-bit support

Carter Bullard carter at qosient.com
Wed Jun 21 15:21:03 EDT 2006


Gentle people,
I guess it's time to start talking about what argus-3.0 buys you,
so to speak.  There are a large number of features and so I
was going to send mail out about each primary feature, as I got
time to do it.  I'll try to send a few out each day I get to it.

    Argus 3.0 64-bit support
      Argus and its clients are now 64-bit programs, in that they
      can be compiled as native 64-bit applications, data is
      aligned properly for 64-bit operation and memory references
      are appropriate for the architecture.  Argus clients also now
      support native 64-bit counters for packet and byte counts,
      addressing a problem for many users, as we would not aggregate
      records if the counters would roll over.

     In order to accomplish this, the basic argus record structure
     had to change dramatically, which gave us an opportunity to
     support other important features, like IPv6 flow tracking.  The
     in memory representation of an argus record for the clients is
     bigger, but processing is considerably faster.

     However, when we export the data, to transport it or to store it
     on disk,  argus data fields are compressed.   If you convert a
     standard argus-2.0 record to argus-3.0, it should result in smaller
     files.   This of course will cause someone who is parsing argus-2.0
     binary records, without the aid of the client library,  a world
     of problems when trying to convert to argus-3.0.

     Argus clients can access much larger amounts of memory,
     however, the number of internal buffers that ra* programs will
     use is limited at compile time, so you may generate "ArgusCalloc"
     warnings if you have more than, what is it, 8M records in memory.
     This is an arbitrary number, and can be changed if there is demand.

     As another side effect of the larger in-memory record size,
     sorting large numbers of records will take a little bit of a hit,
     and so the clients have new programs to assist in that area.
     rasplit() is there to break files up into smaller chunks so you
     can process them if needed.

     There are issues with porting 64-bit programs, especially between
     big-endian and little-endian platforms, but that should not be a
     problem.  If you use argus-3.0 and get some really funny numbers
     in your output, it could be a bug in the 64-bit support, so please
     report any problems that you may encounter.   And of course if
     you try to port argus-3.0 to a new 64-bit platform, please don't
     hesitate to send mail to the list if you have any problems with
     data types.


Hope this is useful, if there is something about 64-bit support that
I should mention, please don't hesitate to comment/criticize/opine/
flame/whatever.

Hope all is most excellent,

Carter
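
Added example, not part of the original message and not Argus code: a sketch of the counter rollover problem described above, where merging two flow records with 32-bit counters must be refused once the sum would wrap, while 64-bit counters absorb it, plus a byte-order-independent encoding of a 64-bit counter for moving data between big-endian and little-endian hosts. The struct and function names are hypothetical and do not reflect the Argus record layout or its export format.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical flow counters for illustration; NOT the Argus record layout. */
struct flow32 { uint32_t pkts, bytes; };
struct flow64 { uint64_t pkts, bytes; };

/* Merge src into dst; return -1 and leave dst untouched if a sum would wrap. */
int merge32(struct flow32 *dst, const struct flow32 *src)
{
    if (src->pkts > UINT32_MAX - dst->pkts ||
        src->bytes > UINT32_MAX - dst->bytes)
        return -1;                       /* rollover: refuse to aggregate */
    dst->pkts += src->pkts;
    dst->bytes += src->bytes;
    return 0;
}

/* Same guard with 64-bit counters: the limit moves from 2^32-1 to 2^64-1. */
int merge64(struct flow64 *dst, const struct flow64 *src)
{
    if (src->pkts > UINT64_MAX - dst->pkts ||
        src->bytes > UINT64_MAX - dst->bytes)
        return -1;
    dst->pkts += src->pkts;
    dst->bytes += src->bytes;
    return 0;
}

/* Encode/decode a counter in a fixed (big-endian) byte order using shifts,
   so the result does not depend on the host's endianness. */
void put_u64_be(unsigned char out[8], uint64_t v)
{
    for (int i = 7; i >= 0; i--) { out[i] = (unsigned char)(v & 0xff); v >>= 8; }
}

uint64_t get_u64_be(const unsigned char in[8])
{
    uint64_t v = 0;
    for (int i = 0; i < 8; i++) v = (v << 8) | in[i];
    return v;
}

int main(void)
{
    /* Constructed sample: two records of 3,000,000,000 bytes each. */
    struct flow32 a32 = {2000000, 3000000000u}, b32 = a32;
    struct flow64 a64 = {2000000, 3000000000ull}, b64 = a64;
    unsigned char wire[8];

    printf("merge32: %d\n", merge32(&a32, &b32));
    printf("merge64: %d bytes=%llu\n", merge64(&a64, &b64),
           (unsigned long long)a64.bytes);
    put_u64_be(wire, a64.bytes);
    printf("round trip ok: %d\n", get_u64_be(wire) == a64.bytes);
    return 0;
}
```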



