Argus memory issues
Peter Van Epp
vanepp at sfu.ca
Mon Aug 20 18:30:58 EDT 2007
On Mon, Aug 20, 2007 at 04:05:10PM -0400, Carter Bullard wrote:
> Hey Peter,
> Oh lets adjust the timeout values, with all things back as you would
> normally run them. The goal here is to understand if your just churning
> through a lot of very short lived flows? The current timeouts are
> pretty
> long (30 secs) and so if your getting 200K flows per second of low
> volume
> flows, then this should bring you back into a healthy range.
>
> If this is useful, then the workaround is very easy, as I can
> put in the logic to give flows with (pkts < 3) a zero timeout value,
> which
> should get your memory back. That is a much easier fix than to enforce
> a small memory foot print.
>
> So in this strategy, argus would hold any flow for the status interval,
> hopefully that is a low number (5 secs is good, as 90% of flows live
> less than 2.5 seconds), and then for low volume flows, we immediately
> deallocate the flow cache.
>
> If that is not good enough, we move to the next step, which is to have
> different memory strategies for different flow types, currently we have
> only one big flow cache no matter what happens.
>
> Carter
>
With #define ARGUS_IPTIMEOUT 0 I still run out of memory:
hcids:/usr/local/src/argus/argus-3.0.0 # ps auxwwww | grep argus
root 25722 4.3 92.4 4348872 3640432 ? DLs 12:38 7:24 argus -d -P 560 -i eth0 -i eth1 -U 512 -m -F /scratch/argus.conf
root 25980 0.0 0.0 3132 832 pts/0 S+ 15:30 0:00 grep argus
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
More information about the argus
mailing list