Interesting things to look for in the current 3.0 code ...
Peter Van Epp
vanepp at sfu.ca
Thu Aug 16 16:30:09 EDT 2007
On Thu, Aug 16, 2007 at 02:23:37PM -0400, Carter Bullard wrote:
> Hey Peter,
> So I've uploaded new server and clients-rc.48.
> ftp://qosient.com/dev/argus-3.0/argus-3.0.0.tar.gz
> ftp://qosient.com/dev/argus-3.0/argus-clients-3.0.0.rc.48.tar.gz
>
> many changes for memory issues, and fixes for threads. if you have
> any problems, give the un-threaded versions a run (remove ./.threads
> and ./configure) and see if that changes anything, and definitely
> send any issues to the mailing list!!!!!
> I think it has a chance to fix your timestamp problem, but that may just
> be wishful thinking.
>
> Hope all is most excellent, and that this fixes something ;o)
>
> Carter
>
Installed and running; there doesn't seem to be a lot of change (although
the out of order packets don't look to be in error either, just late).
argus.3.0:
07-08-16 13:08:10 e s tcp 59.115.230.14.3970 -> 142.58.57.8.445 2 0 124 0 REQ
07-08-16 13:07:51 e d tcp 142.58.142.71.1063 -> 209.85.201.189.80 4 4 1796 1000 CON
07-08-16 12:55:52 e udp 172.180.44.12.64406 <-> 199.60.7.184.6775 1 1 69 93 CON
07-08-16 13:08:03 e tcp 83.167.110.141.2160 -> 206.12.16.134.3127 3 2 216 122 CON
(note the out of order flow from 12:55:52)
test4:/var/log/argus vanepp$ ra -r /archive/argus3/com_argus.archive/2007/08/16/com_argus.2007.08.16.12.00.00.0.gz -nn host 199.60.7.184 and host 172.180.44.12
07-08-16 12:45:04 e 17 172.180.44.12.64406 <-> 199.60.7.184.6775 1 1 73 93 CON
test4:/var/log/argus vanepp$ ra3 -r com_argus -n host 199.60.7.184 and host 172.180.44.12
07-08-16 12:55:52 e udp 172.180.44.12.64406 <-> 199.60.7.184.6775 1 1 69 93 CON
The packet is out of order but not duplicated. It just seems to have
been flushed late for some reason.
2.0.6 looking at the same link on a regen tap:
vanepp at sniffer:/var/log/argus> ra -r /usr/local/argus/com_argus.archive/2007/08/16/com_argus.2007.08.16.12.00.00.0.gz -nn host 199.60.7.184 and host 172.180.44.12
... (the 3.0 one only started around here)
16 Aug 07 12:45:04 udp 199.60.7.184.6775 <-> 172.180.44.12.64406 1 1 93 73 CON
16 Aug 07 12:55:52 udp 199.60.7.184.6775 <-> 172.180.44.12.64406 1 1 93 69 CON
So 3.0 has picked up the correct flows, it just aged one out oddly late and
apparently out of order. Presumably radium or racluster would fix this up and
that may be what should happen (i.e. this isn't a problem at all :-)).
More of a problem is memory usage on the sensor:
ps auxwwwww | grep argus
root 6496 5.3 0.2 21312 8612 ? SLsl 12:42 0:00 argus -dJR -P 560 -i eth0 -i eth1 -U 512 -m -F /scratch/argus.conf
...
hcids:/scratch # ps auxwwwww | grep argus
root 6496 4.6 0.3 88904 15432 ? SLsl 12:42 0:00 argus -dJR -P 560 -i eth0 -i eth1 -U 512 -m -F /scratch/argus.conf
...
hcids:/scratch # ps auxwwwww | grep argus
root 6496 4.7 7.1 352800 279772 ? SLsl 12:42 0:15 argus -dJR -P 560 -i eth0 -i eth1 -U 512 -m -F /scratch/argus.conf
...
hcids:/scratch # ps auxwwwww | grep argus
root 6496 5.0 15.4 661460 610060 ? SLsl 12:42 0:35 argus -dJR -P 560 -i eth0 -i eth1 -U 512 -m -F /scratch/argus.conf
...
hcids:/scratch # ps auxwwwww | grep argus
root 6496 5.3 55.0 2218896 2168168 ? SLsl 12:42 2:22 argus -dJR -P 560 -i eth0 -i eth1 -U 512 -m -F /scratch/argus.conf
(this over the course of less than an hour so far). Fairly soon it will start
swapping as there is only 4 gigs physical in the box.
2.0.6 by contrast looking at the same link:
root 944 4.9 20.5 215068 214168 ?? Ss 22Jun07 3021:19.78 /usr/local/bin/argus_bpf -dJR -P 561 -i em2 -i em3
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
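The late-flushed flow above was spotted by eye in the ra output. As an added example (not part of this post or of the argus distribution), the script below parses the flat ra record format quoted in the thread and flags any record whose start time lags the newest start time already seen by more than a tolerance; the tolerance value and the field layout are assumptions taken from the lines in the post.

```python
"""Flag argus ra(1) records that were emitted out of time order.
Example code written for this thread, not argus's own; it assumes the
flat ra output layout quoted above (date time flags proto src dir dst
spkts dpkts sbytes dbytes state)."""
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed sample, copied from the ra output quoted in the post.
SAMPLE = """\
07-08-16 13:08:10 e s tcp 59.115.230.14.3970 -> 142.58.57.8.445 2 0 124 0 REQ
07-08-16 13:07:51 e d tcp 142.58.142.71.1063 -> 209.85.201.189.80 4 4 1796 1000 CON
07-08-16 12:55:52 e udp 172.180.44.12.64406 <-> 199.60.7.184.6775 1 1 69 93 CON
07-08-16 13:08:03 e tcp 83.167.110.141.2160 -> 206.12.16.134.3127 3 2 216 122 CON
"""


def parse_record(line: str) -> Optional[dict]:
    """Parse one ra line. The flags column ('e', 'e s', 'e d') has a
    variable number of tokens, so anchor the parse on the right-hand
    side: the last five tokens are the counters and the state."""
    tok = line.split()
    if len(tok) < 11:
        return None
    start = datetime.strptime(f"{tok[0]} {tok[1]}", "%y-%m-%d %H:%M:%S")
    spkts, dpkts, sbytes, dbytes, state = tok[-5:]
    return {"start": start, "flags": " ".join(tok[2:-9]), "proto": tok[-9],
            "src": tok[-8], "dir": tok[-7], "dst": tok[-6],
            "spkts": int(spkts), "dpkts": int(dpkts), "sbytes": int(sbytes),
            "dbytes": int(dbytes), "state": state}


def find_late_records(text: str, tolerance_s: int = 60) -> List[Tuple[dict, int]]:
    """Return (record, seconds_late) for every record whose start time is
    more than tolerance_s behind the newest start time seen before it."""
    late, newest = [], None
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        if newest is not None:
            lag = int((newest - rec["start"]).total_seconds())
            if lag > tolerance_s:
                late.append((rec, lag))
        if newest is None or rec["start"] > newest:
            newest = rec["start"]
    return late


if __name__ == "__main__":
    for rec, lag in find_late_records(SAMPLE):
        print(f"{rec['start']:%H:%M:%S} {rec['proto']} {rec['src']} "
              f"{rec['dir']} {rec['dst']} flushed {lag}s late")
```

Piping `ra -r <file> -n` output through the same function on a whole archive file gives a count of late flushes rather than a single eyeballed record.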