Interesting things to look for in the current 3.0 code ...
Carter Bullard
carter at qosient.com
Thu Aug 16 16:43:59 EDT 2007
OK, I am now getting leaks here, so I'm on this (could be just the user data buffers).
Carter
On Aug 16, 2007, at 4:30 PM, Peter Van Epp wrote:
> On Thu, Aug 16, 2007 at 02:23:37PM -0400, Carter Bullard wrote:
>> Hey Peter,
>> So I've uploaded new server and clients-rc.48.
>> ftp://qosient.com/dev/argus-3.0/argus-3.0.0.tar.gz
>> ftp://qosient.com/dev/argus-3.0/argus-clients-3.0.0.rc.48.tar.gz
>>
>> Many changes for memory issues, and fixes for threads. If you have
>> any problems, give the un-threaded versions a run (remove ./.threads
>> and ./configure) and see if that changes anything, and definitely
>> send any issues to the mailing list!!!!!
>> I think it has a chance to fix your timestamp problem, but that may just be wishful thinking.
>>
>> Hope all is most excellent, and that this fixes something ;o)
>>
>> Carter
>>
>
> Installed and running, doesn't seem to be a lot of change (although
> the out of order packets don't look to be in error either, just late).
>
> argus.3.0:
>
> 07-08-16 13:08:10 e s tcp 59.115.230.14.3970 -> 142.58.57.8.445 2 0 124 0 REQ
> 07-08-16 13:07:51 e d tcp 142.58.142.71.1063 -> 209.85.201.189.80 4 4 1796 1000 CON
> 07-08-16 12:55:52 e udp 172.180.44.12.64406 <-> 199.60.7.184.6775 1 1 69 93 CON
> 07-08-16 13:08:03 e tcp 83.167.110.141.2160 -> 206.12.16.134.3127 3 2 216 122 CON
>
> (note the out of order flow from 12:55:52)
>
> test4:/var/log/argus vanepp$ ra -r /archive/argus3/com_argus.archive/2007/08/16/com_argus.2007.08.16.12.00.00.0.gz -nn host 199.60.7.184 and host 172.180.44.12
> 07-08-16 12:45:04 e 17 172.180.44.12.64406 <-> 199.60.7.184.6775 1 1 73 93 CON
> test4:/var/log/argus vanepp$ ra3 -r com_argus -n host 199.60.7.184 and host 172.180.44.12
> 07-08-16 12:55:52 e udp 172.180.44.12.64406 <-> 199.60.7.184.6775 1 1 69 93 CON
>
> The packet is out of order but not duplicated. It just seems to have been flushed late for some reason.
>
> 2.0.6 looking at the same link on a regen tap:
>
> vanepp at sniffer:/var/log/argus> ra -r /usr/local/argus/com_argus.archive/2007/08/16/com_argus.2007.08.16.12.00.00.0.gz -nn host 199.60.7.184 and host 172.180.44.12
> ... (the 3.0 one only started around here)
> 16 Aug 07 12:45:04 udp 199.60.7.184.6775 <-> 172.180.44.12.64406 1 1 93 73 CON
> 16 Aug 07 12:55:52 udp 199.60.7.184.6775 <-> 172.180.44.12.64406 1 1 93 69 CON
>
> So 3.0 has picked up the correct flows, it just aged one out oddly late and apparently out of order. Presumably radium or racluster would fix this up and that may be what should happen (i.e. this isn't a problem at all :-)).
> More of a problem is memory usage on the sensor:
>
> ps auxwwwww | grep argus
> root 6496 5.3 0.2 21312 8612 ? SLsl 12:42 0:00 argus -dJR -P 560 -i eth0 -i eth1 -U 512 -m -F /scratch/argus.conf
> ...
> hcids:/scratch # ps auxwwwww | grep argus
> root 6496 4.6 0.3 88904 15432 ? SLsl 12:42 0:00 argus -dJR -P 560 -i eth0 -i eth1 -U 512 -m -F /scratch/argus.conf
> ...
> hcids:/scratch # ps auxwwwww | grep argus
> root 6496 4.7 7.1 352800 279772 ? SLsl 12:42 0:15 argus -dJR -P 560 -i eth0 -i eth1 -U 512 -m -F /scratch/argus.conf
> ...
> hcids:/scratch # ps auxwwwww | grep argus
> root 6496 5.0 15.4 661460 610060 ? SLsl 12:42 0:35 argus -dJR -P 560 -i eth0 -i eth1 -U 512 -m -F /scratch/argus.conf
> ...
> hcids:/scratch # ps auxwwwww | grep argus
> root 6496 5.3 55.0 2218896 2168168 ? SLsl 12:42 2:22 argus -dJR -P 560 -i eth0 -i eth1 -U 512 -m -F /scratch/argus.conf
>
> (this over the course of less than an hour so far). Fairly soon it will start swapping as there is only 4 gigs physical in the box.
> 2.0.6 by contrast looking at the same link:
>
> root 944 4.9 20.5 215068 214168 ?? Ss 22Jun07 3021:19.78 /usr/local/bin/argus_bpf -dJR -P 561 -i em2 -i em3
>
> Peter Van Epp / Operations and Technical Support
> Simon Fraser University, Burnaby, B.C. Canada
>
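The check Peter did by hand above (is the 12:55:52 record merely late, or is it a duplicate of something already written?) can be scripted over ra/ra3 text output. The following is an added example for this thread, not code from the argus project; the sample records are constructed, modelled on the ones quoted in the message, and the parser only understands the default space-separated columns shown there (the ra3 "YY-MM-DD HH:MM:SS" and 2.0.6 "DD Mon YY HH:MM:SS" date prefixes). Records are parsed from the right-hand end, so the variable-width 3.0 flags column ("e s", "e d", "e") does not matter. The `slack` value is an assumption about how far back a start time may lie before the record counts as late; flow records are written when a flow finishes or times out, not when it starts, so small lags are normal.

```python
"""Flag late-flushed and duplicate flow records in ra/ra3 text output.

Added example, not argus project code. Samples are constructed.
"""
from collections import Counter, namedtuple
from datetime import datetime, timedelta

Record = namedtuple(
    "Record",
    "start flags proto src direction dst spkts dpkts sbytes dbytes state")

# Constructed 3.0 (ra3) output, in the order the sensor wrote the records.
SAMPLE_30 = """\
07-08-16 13:08:10 e s tcp 59.115.230.14.3970 -> 142.58.57.8.445 2 0 124 0 REQ
07-08-16 13:07:51 e d tcp 142.58.142.71.1063 -> 209.85.201.189.80 4 4 1796 1000 CON
07-08-16 12:55:52 e udp 172.180.44.12.64406 <-> 199.60.7.184.6775 1 1 69 93 CON
07-08-16 13:08:03 e tcp 83.167.110.141.2160 -> 206.12.16.134.3127 3 2 216 122 CON
"""

# Constructed 2.0.6 (ra) output for the same UDP flow from a second sensor.
SAMPLE_206 = """\
16 Aug 07 12:45:04 udp 199.60.7.184.6775 <-> 172.180.44.12.64406 1 1 93 73 CON
16 Aug 07 12:55:52 udp 199.60.7.184.6775 <-> 172.180.44.12.64406 1 1 93 69 CON
"""


def parse_record(line):
    """Parse one ra/ra3 text record; ValueError on anything else."""
    tok = line.split()
    try:  # ra3 style: "YY-MM-DD HH:MM:SS" is two tokens
        start = datetime.strptime(" ".join(tok[:2]), "%y-%m-%d %H:%M:%S")
        body = tok[2:]
    except ValueError:  # 2.0.6 style: "DD Mon YY HH:MM:SS" is four tokens
        start = datetime.strptime(" ".join(tok[:4]), "%d %b %y %H:%M:%S")
        body = tok[4:]
    if len(body) < 9:
        raise ValueError("short record: %r" % line)
    spkts, dpkts, sbytes, dbytes = (int(x) for x in body[-5:-1])
    # Whatever precedes the proto column is the (optional) flags column.
    return Record(start=start, flags=" ".join(body[:-9]), proto=body[-9],
                  src=body[-8], direction=body[-7], dst=body[-6],
                  spkts=spkts, dpkts=dpkts, sbytes=sbytes, dbytes=dbytes,
                  state=body[-1])


def parse_records(text):
    return [parse_record(l) for l in text.splitlines() if l.strip()]


def host(endpoint):
    """Strip the trailing .port from an 'a.b.c.d.port' endpoint."""
    return endpoint.rsplit(".", 1)[0]


def flow_key(rec):
    """Direction-independent flow identity, so '<->' records written with
    the endpoints swapped (as 2.0.6 and 3.0 did here) compare equal."""
    return (rec.proto,) + tuple(sorted((rec.src, rec.dst)))


def filter_hosts(records, a, b):
    """Equivalent of the ra filter 'host a and host b'."""
    return [r for r in records if {host(r.src), host(r.dst)} == {a, b}]


def late_records(records, slack=timedelta(0)):
    """(record, lag) for records whose start time lies more than `slack`
    behind the latest start time already written before them."""
    latest, late = None, []
    for rec in records:
        if latest is not None and rec.start < latest - slack:
            late.append((rec, latest - rec.start))
        if latest is None or rec.start > latest:
            latest = rec.start
    return late


def duplicate_records(records):
    """(flow_key, start) pairs that occur more than once in one output."""
    counts = Counter((flow_key(r), r.start) for r in records)
    return [k for k, n in counts.items() if n > 1]


if __name__ == "__main__":
    recs30 = parse_records(SAMPLE_30)
    for rec, lag in late_records(recs30, slack=timedelta(seconds=60)):
        print("late by %s: %s %s %s %s" % (lag, rec.start, rec.proto,
                                           rec.src, rec.dst))
    print("duplicates in 3.0 output:", duplicate_records(recs30))
    both = filter_hosts(recs30 + parse_records(SAMPLE_206),
                        "199.60.7.184", "172.180.44.12")
    for rec in sorted(both, key=lambda r: r.start):
        print("same flow:", rec.start, rec.sbytes, rec.dbytes, rec.state)
```

Run against the constructed input, only the 12:55:52 UDP record is reported late (12m18s behind the 13:08:10 record that preceded it), the 3.0 output contains no duplicate, and the host filter pulls the 12:45:04 and 12:55:52 records from both sensors into one view, which is the comparison the message makes between the 3.0 and 2.0.6 archives.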