Why does argus use so much disk space?

Kieran Rhysling krhysling at yahoo.com
Wed Nov 29 12:18:14 EST 2006


Hi,

I'm hoping to replace snort's tcp stream stats with argus to get
information on udp and icmp transactions in addition to tcp.

However, argus 3.0 rc35 uses about 3.0GB per day to capture tcp
alone compared to snort using about 600MB for snort's tcp stream stats.

I have explicitly set ARGUS_CAPTURE_DATA_LEN=0 and left most of the
rest of argus.conf at defaults.

I know I can shrink that 3.0GB to about 1.2GB with bzip2 -9 but it's
still a lot for my server limitations and the amount of historical data
I need to keep online.

Is the big difference in size between snort and argus due solely to all
the additional fields argus captures that snort does not?

Is there a way to customize which fields argus captures for each
transaction? For instance, could I just capture the classic 5 tuple
and src/dst packets and bytes?

Or is argus the wrong tool for what I'm trying to do and I should look
at something like nprobe instead?

By the way, sampling is not an answer for me. I need every transaction.

Thanks in advance,
Kieran
