Interesting things to look for in the current 3.0 code ...

Carter Bullard carter at qosient.com
Fri Aug 17 11:35:08 EDT 2007


Gentle People,
Well never thought I'd see the day that I was happy to see a bug  !!!!!
I have officially detected a leak, using Mac's MallocDebug.
So now I can possibly find it  !!!!  I actually have 600 bytes of leak
and 8K nodes (memory blocks) of missing memory on a running
argus, so now I need to just trace these buggers down.

Argus is structured now so that the source module (the software
that reads packets, classifies them) can be independant of the
flow modeler (finds the flow and tallies the stats) and independent
of the output processor (the software that writes flow records out
of argus to happy reading clients).   Somewhere between the
these modules, I have about 8,000 flow blocks sitting in a queue
some where. Now if, I can find them, we can finally move on!!!!

Hopefully today, I'll have a fix.

Carter


On Aug 17, 2007, at 10:31 AM, Peter Van Epp wrote:

> On Fri, Aug 17, 2007 at 01:54:03AM -0400, Carter Bullard wrote:
>> Hey Peter,
>> Well my leaks are not real, at least on my Mac, or on the 64-bit
>> intel machines,
>> but my traffic loads are not really high, so I could have a very slow
>> memory issue.
>> I'll try to replicate this tomorrow on some other hardware that I
>> have.  I did make
>> some significant changes just now, that could affect both the
>> threaded and non
>> threaded versions.  I changed the way we assign timeout values to
>> each flow.  It
>> was possible, although it appeared highly unlikely, that individual
>> flows may
>> try to use idle timeouts in the 1000's of seconds (this maybe your
>> old timestamp
>> issue, but no promises) or possibly 0, which could put them in a bin
>> that
>> may never time out (except when a matching packet hits that cache
>> then it
>> would come back into the system).  well anyway, I limited the range
>> of timeout
>> values, and possibly that could have an effect.  I've just now  
>> uploaded
>> new argus and clients.
>>
>> I'm going to let argus run all night on my mac running under
>> mallocdebug, which
>> is not a bad program.  At least it showed me that I leaked 32 bytes,
>> but thats it so
>> far ;o)
>>
>> Carter
>>
>
> 	Mine look pretty real but may be just my machine :-). Yesterday's
> argus without threads or user data:
>
> ps auxwwww | grep argus
> root      6698  1.5 96.6 4479328 3802756 ?     DLs  Aug16  12:11  
> argus -dJR -P 560 -i eth0 -i eth1 -m -F /scratch/argus.conf
>
> and ra on the Mac isn't getting any data. I'm just about to try the  
> new argus
> and clients and see what happens.
>
> Peter Van Epp / Operations and Technical Support
> Simon Fraser University, Burnaby, B.C. Canada
>
>



More information about the argus mailing list