Why does argus use so much disk space?

carter at qosient.com
Wed Nov 29 18:55:35 EST 2006


Hey Kieran,
The TCP stats are pretty extensive. Base sequence numbers, window performance, window sizes, current window bytes, etc.

Use rastrip() to remove data that you're not interested in.  I remember that there is an outstanding issue with rastrip(), but it should allow you to test stripping the data to the bare bones, so to speak.

Carter

Carter Bullard
QoSient LLC
150 E. 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax

-----Original Message-----
From: Kieran Rhysling <krhysling at yahoo.com>
Date: Wed, 29 Nov 2006 09:18:14 
To: argus-info at lists.andrew.cmu.edu
Subject: [ARGUS] Why does argus use so much disk space?

Hi,

I'm hoping to replace snort's tcp stream stats with argus to get
information on udp and icmp transactions in addition to tcp.

However, argus 3.0 rc35 uses about 3.0GB per day to capture tcp
alone compared to snort using about 600MB for snort's tcp stream stats.

I have explicitly set ARGUS_CAPTURE_DATA_LEN=0 and left most of the
rest of argus.conf at defaults.

I know I can shrink that 3.0GB to about 1.2GB with bzip2 -9 but it's
still a lot for my server limitations and the amount of historical data
I need to keep online.

Is the big difference in size between snort and argus due solely to all
the additional fields argus captures that snort does not?

Is there a way to customize which fields argus captures for each
transaction? For instance, could I just capture the classic 5 tuple
and src/dst packets and bytes?

Or is argus the wrong tool for what I'm trying to do and I should look
at something like nprobe instead?

By the way, sampling is not an answer for me. I need every transaction.

Thanks in advance,
Kieran