Argus memory issues

Peter Van Epp vanepp at sfu.ca
Fri Aug 24 23:29:42 EDT 2007 

On Sat, Aug 25, 2007 at 01:06:22PM +1200, Russell Fulton wrote:
> 
> 
> Peter Van Epp wrote:
> > 	Still looking good this morning. It has run all night and is still 
> > under 300K of memory footprint:
> >
> >   
> Hmmm.... not so here:
> 
>   PID USER     PRI  NI  SIZE  RSS SHARE STAT %CPU %MEM   TIME CPU COMMAND
>  9466  snort      25     0 1036M  326M   524      S        3.9       
> 21.7         184:51   1 snort
>  5751  argus     25     0  360M   338M   444      S        2.9       
> 22.5          233:15   1 argus
>  5752  argus     25     0  180M   179M   440      S        2.5       
> 11.9          214:08   1 argus
> 
> 
> and yes -- I have issues with snort too  :( -- I have decieded that 2.7
> is what actually what put everything on the slippery slope...
>  
> 
> 
> rful011 at monitor-dmzo rful011]$ cat ~argus/sbin/start_argus
> #!/usr/bin/perl  -w
> 
> use POSIX qw(getpid);
> use strict;
> 
> my $ARGUS = '/home/argus';
> my $DATA = "$ARGUS/data";
> 
> chdir $DATA or die "Can't chdir to $DATA:$!";
> 
> if (fork) {
>     exec(split(/\s+/, "$ARGUS/sbin/argus -F $ARGUS/config/argus"));
> } else {
>     exec(split(/\s+/, "$ARGUS/sbin/argus -F $ARGUS/config/argus-userdata"));
> }
> [rful011 at monitor-dmzo rful011]$ ~argus/sbin/argus -h
> Argus Version 3.0.0.smallmemory.rc.2
> usage: argus [options] [-i interface] [filter-expression]
> usage: argus [options]  -r packetfile [filter-expression]
> 
> For me the small memory version behaves almost exactly the same as the
> normal argus ????
> 
> On Intel FC6.
> 
> After running for about 6 hours the both argus processes stop outputing
> data.  Presumable the output thread dies.
> 
> Hmmmm...... one question -- I need two output streams one with the first
> 200 bytes of content and the other with just flow data. Is there a
> better way of doing it than running two argii?
> 
> Russell
> 

	My first bet is an endian bug. I'm PPC, both the folks reporting 
problems are on Intel ... Unfortunatly just a little late, if I'd moved a 
fibre I could run on a dual athelon box and see if I see the same problem.
Monday I guess ... I'm still fine and my collector is still happily archiving
data:

vanepp at hcids:~> !ps
ps auxwwww | grep argus
root     23980  5.4  5.4 278036 216052 ?       SLl  Aug23  78:30 argus -JR -P 560 -i eth0 -i eth1 -U 512 -m -F /scratch/argus.conf
vanepp   26611  0.0  0.0   3132   832 pts/0    S+   20:24   0:00 grep argus

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

More information about the argus mailing list