ragraph w/large files
Carter Bullard
carter at qosient.com
Mon Dec 29 10:14:41 EST 2008
Hey Ken,
You need to use "-m proto dport".
The destination port field doesn't decode without the protocol
field having a valid value. That should constrain your graph
so that it doesn't use much memory at all (max should be, what,
64K ports for udp and tcp in memory for each 5m period).
Carter
On Dec 29, 2008, at 9:46 AM, Ken A wrote:
> Carter Bullard wrote:
>> Hey Ken,
>> When you are graphing objects like ports, you can use the aggregation
>> features of ragraph() to minimize the memory use. What are the
>> command line arguments you are using for ragraph?
>
>
> ragraph dbytes sbytes dport -M 5m -t $time -fill -stack -invert -title \"$title\" $log -w $filename $filter
>
> So '-m dport' will do the right thing?
>
> Ken
>
>
>> Carter
>> On Dec 24, 2008, at 12:21 PM, Ken A wrote:
>>> Hey all,
>>>
>>> I'm writing a php script to webify using ragraph, but I've run
>>> into a problem. Giving ragraph a lot of data sometimes results in
>>> rabins eating nearly all system memory (2gb in this case), or
>>> ragraph generating a very huge but empty, one-color graph image.
>>> This happens when I tell ragraph to read (-R) and process ("sbytes
>>> dbytes dport") log directories that total in size ~200mb or more.
>>>
>>> I've hacked in a 'max-ports-to-graph' command line argument with 2
>>> additional lines in ragraph around line 918 and 960:
>>> if($i > $max_ports_to_graph) { last; }
>>> This forces ragraph out of its processing after it's finished a
>>> certain number of ports and reduces the size of the image generated.
>>>
>>> Is this a dumb thing to do, or is there a better way? Typically,
>>> when I want to look at larger time periods, I am interested in
>>> ports that will be in the top 100 ports.
>>>
>>> Thanks,
>>>
>>> Ken
>>>
>>>
>>> --
>>> Ken Anderson
>>> http://www.pacific.net/
>>>
>>>
>
>
> --
> Ken Anderson
> http://www.pacific.net/
> (707) 468-1005
>
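As an added illustration (not ragraph's or argus's own code; the flow records below are constructed), this Python sketch shows the effect of the aggregation key Carter recommends: records are binned into 5-minute periods and keyed by (proto, dport), so per-bin state is bounded by the port space of each port-carrying protocol, and the top-N port selection Ken wants becomes a cheap pass over those aggregates instead of a cut-off inside the plotting loop.

```python
from collections import defaultdict

# Constructed sample flow records, not argus output:
# (start_time_epoch_seconds, proto, dport, sbytes, dbytes)
# ICMP carries no destination port, so dport is None for it.
SAMPLE_FLOWS = [
    (0,   "tcp",  80,   1200, 54000),
    (30,  "tcp",  443,  900,  32000),
    (90,  "udp",  53,   80,   300),
    (120, "icmp", None, 64,   64),
    (310, "tcp",  80,   1500, 61000),
    (320, "tcp",  22,   4000, 2000),
    (330, "udp",  53,   70,   250),
    (340, "icmp", None, 64,   0),
]

def bin_start(ts, bin_secs=300):
    """Floor a timestamp to the start of its bin (300 s mirrors -M 5m)."""
    return ts - ts % bin_secs

def aggregate(flows, bin_secs=300):
    """Sum bytes per (bin, proto, dport), the analogue of '-M 5m -m proto dport'.
    Including proto in the key keeps port-less protocols in their own bucket
    instead of polluting the port space; per bin there can be at most 65536
    keys per port-carrying protocol plus one per port-less protocol."""
    totals = defaultdict(lambda: [0, 0])          # key -> [sbytes, dbytes]
    for ts, proto, dport, sbytes, dbytes in flows:
        key = (bin_start(ts, bin_secs), proto, dport)
        totals[key][0] += sbytes
        totals[key][1] += dbytes
    return totals

def keys_per_bin(totals):
    """How many aggregate keys each bin holds: the working-set size to watch."""
    counts = defaultdict(int)
    for (start, _, _) in totals:
        counts[start] += 1
    return dict(counts)

def top_ports(totals, n):
    """Rank (proto, dport) by total bytes over all bins and keep the top n.
    Port-less protocols are skipped: they have no port to graph."""
    by_port = defaultdict(int)
    for (_, proto, dport), (sb, db) in totals.items():
        if dport is None:
            continue
        by_port[(proto, dport)] += sb + db
    return sorted(by_port, key=lambda k: (-by_port[k], k))[:n]
```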