Argus memory issues

Carter Bullard carter at qosient.com
Fri Aug 24 21:22:00 EDT 2007 

Hey Russell,
I'd have one argus, and two clients reading the two.  Its much more 
expensive
to have multiple argi, than multiple clients.  If you want to have one 
client get
user data and the other not, that is ideally the job of radium(), just 
need to
figure out how to configure it.

So you were using the small memory image and it had problems after 6 hours?

Carter

Russell Fulton wrote:
> Peter Van Epp wrote:
>   
>> 	Still looking good this morning. It has run all night and is still 
>> under 300K of memory footprint:
>>
>>   
>>     
> Hmmm.... not so here:
>
>   PID USER     PRI  NI  SIZE  RSS SHARE STAT %CPU %MEM   TIME CPU COMMAND
>  9466  snort      25     0 1036M  326M   524      S        3.9       
> 21.7         184:51   1 snort
>  5751  argus     25     0  360M   338M   444      S        2.9       
> 22.5          233:15   1 argus
>  5752  argus     25     0  180M   179M   440      S        2.5       
> 11.9          214:08   1 argus
>
>
> and yes -- I have issues with snort too  :( -- I have decieded that 2.7
> is what actually what put everything on the slippery slope...
>  
>
>
> rful011 at monitor-dmzo rful011]$ cat ~argus/sbin/start_argus
> #!/usr/bin/perl  -w
>
> use POSIX qw(getpid);
> use strict;
>
> my $ARGUS = '/home/argus';
> my $DATA = "$ARGUS/data";
>
> chdir $DATA or die "Can't chdir to $DATA:$!";
>
> if (fork) {
>     exec(split(/\s+/, "$ARGUS/sbin/argus -F $ARGUS/config/argus"));
> } else {
>     exec(split(/\s+/, "$ARGUS/sbin/argus -F $ARGUS/config/argus-userdata"));
> }
> [rful011 at monitor-dmzo rful011]$ ~argus/sbin/argus -h
> Argus Version 3.0.0.smallmemory.rc.2
> usage: argus [options] [-i interface] [filter-expression]
> usage: argus [options]  -r packetfile [filter-expression]
>
> For me the small memory version behaves almost exactly the same as the
> normal argus ????
>
> On Intel FC6.
>
> After running for about 6 hours the both argus processes stop outputing
> data.  Presumable the output thread dies.
>
> Hmmmm...... one question -- I need two output streams one with the first
> 200 bytes of content and the other with just flow data. Is there a
> better way of doing it than running two argii?
>
> Russell
>
>
>
>
>
>

More information about the argus mailing list