argus memory issues

Peter Van Epp vanepp at sfu.ca
Wed Sep 5 12:53:25 EDT 2007 

On Wed, Sep 05, 2007 at 11:34:30AM +1200, Russell Fulton wrote:
> HI
> Is the lastest argus-3.0 supposed to resolve the memory issues?
> 
> 
> I have just put up
> argus-3.0.0.tar.gz
> <ftp://ftp.qosient.com/dev/argus-3.0/argus-3.0.0.tar.gz> 	386 KB
> 31/8/07 	9:38:00 AM
> 
> 
> and it is still using large amounts of memory:
> 
> 20549 argus     25   0  293M 293M   836 R     7.4 19.5   0:28   1 argus
> 20547 argus     25   0 73020  71M   820 R     5.5  4.7   0:27   1 argus
> 20551 argus     15   0  293M 293M   836 S     2.0 19.5   0:03   1 argus
> 20548 argus     15   0 73020  71M   820 S     1.1  4.7   0:03   1 argus
> 
> and this is after about 5 minutes running.
> 
> I recompiled without threads and started only one argus with the same
> results.
> 
> Russell
> 

	I'm just in the process of trying this out here :-). I've reduced my
on campus test host (as opposed to the one on our Internet link downtown 
beside my production 2.0.6 sensor) to a single interface (because I have an
lc - SC fibre issue on my second test machine :-)) to a single fibre (rather
that the usual two) and restarted it it on the PPC machine. Memory isn't 
growing all that fast (nor was it for days with both interfaces connected and
threads enabled) a couple of hundred K in 2 days:

root       379 16.4  1.8 173724 71192 ?        SLl  Sep03 465:35 argus -RJ -P 560 -i eth2 -i eth3 -U 512 -m -F /spare/argus.conf
vanepp    6256  0.0  0.0   3132   832 pts/2    S+   09:31   0:00 grep argus

	I recompiled without .threads and removed one interface (to make it
as identical as possible to my Athelon test box) and am running a base line
capture on the PPC box:

sniffer1:/spare # ps auxwwww | grep argus
root      8868 19.7  0.7  34344 30576 pts/2    SL   09:38   2:17 argus -P 560 -i eth3 -U 512 -m -D2 -F /spare/argus.conf
root      8900  0.0  0.0   3132   832 pts/2    S+   09:50   0:00 grep argus


after coffee (and when its had time to run for a while further) I'll move the
fibre to my dual Athelon test box (with everything else the same, SUSE 10.2
with pf-ring and an Intel gig fibre NIC) and see what it does on the same 
link. If we have an endian issue it should show up. While the link I'm testing
on here is a lot busier than my Internet link, the traffic variety looks to be
a lot less because it uses a lot less memory in argus :-). 

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

More information about the argus mailing list