ragraph w/large files
Ken A
ka at pacific.net
Mon Dec 29 12:30:37 EST 2008
Carter Bullard wrote:
> Hey Ken,
> You need to use "-m proto dport".
>
> The destination port field doesn't decode without the protocol
> field having a valid value. That should constrain your graph
> so that it doesn't use much memory at all (max should be, what,
> 64K ports for udp and tcp in memory for each 5m period).
>
Perfect. Memory use dropped significantly.
Thanks,
Ken
> Carter
>
> On Dec 29, 2008, at 9:46 AM, Ken A wrote:
>
>> Carter Bullard wrote:
>>> Hey Ken,
>>> When you are graphing objects like ports, you can use the aggregation
>>> features of ragraph() to minimize the memory use. What are the
>>> command line arguments you are using for ragraph?
>>
>>
>> ragraph dbytes sbytes dport -M 5m -t $time -fill -stack -invert -title
>> \"$title\" $log -w $filename $filter
>>
>> So '-m dport' will do the right thing?
>>
>> Ken
>>
>>
>>> Carter
>>> On Dec 24, 2008, at 12:21 PM, Ken A wrote:
>>>> Hey all,
>>>>
>>>> I'm writing a php script to webify using ragraph, but I've run into
>>>> a problem. Giving ragraph a lot of data sometimes results in rabins
>>>> eating nearly all system memory (2gb in this case), or ragraph
>>>> generating a very huge but empty, one color graph image. This
>>>> happens when I tell ragraph to read (-R) and process ("sbytes dbytes
>>>> dport") log directories that total in size ~200mb or more.
>>>>
>>>> I've hacked in a 'max-ports-to-graph' command line argument with 2
>>>> additional lines in ragraph around line 918 and 960:
>>>> if($i > $max_ports_to_graph) { last; }
>>>> This forces ragraph out of its processing after it's finished a
>>>> certain number of ports and reduces the size of the image generated.
>>>>
>>>> Is this a dumb thing to do, or is there a better way? Typically,
>>>> when I want to look at larger time periods, I am interested in ports
>>>> that will be in the top 100 ports.
>>>>
>>>> Thanks,
>>>>
>>>> Ken
>>>>
>>>>
>>>> --
>>>> Ken Anderson
>>>> http://www.pacific.net/
>>>>
>>>>
>>
>>
>> --
>> Ken Anderson
>> http://www.pacific.net/
>> (707) 468-1005
>>
>
--
Ken Anderson
http://www.pacific.net/
(707) 468-1005
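
An added illustration, not part of the thread and not argus code, of the memory point made above: keying each 5-minute bin by (proto, dport) caps the number of in-memory entries at the port space per protocol, while keying by individual flow grows with traffic. The flow records, field layout and function names are constructed for the example; it models the aggregation key only, not how ragraph or rabins are implemented.

```python
import random
from collections import defaultdict

BIN_SECONDS = 300  # matches the "-M 5m" bin size used in the thread
# Constructed sample services (proto, dport); not taken from the thread.
SERVICES = [("tcp", 80), ("tcp", 443), ("tcp", 25), ("udp", 53), ("udp", 123)]

def make_flows(n, seed=1):
    """Constructed flows: (start, proto, saddr, sport, dport, sbytes, dbytes)."""
    rng = random.Random(seed)
    flows = []
    for _ in range(n):
        proto, dport = rng.choice(SERVICES)
        saddr = "10.0.%d.%d" % (rng.randrange(256), rng.randrange(256))
        flows.append((rng.randrange(3600), proto, saddr,
                      rng.randrange(1024, 65536), dport,
                      rng.randrange(40, 1500), rng.randrange(40, 15000)))
    return flows

def by_flow(proto, saddr, sport, dport):
    """No aggregation: one entry per distinct flow."""
    return (proto, saddr, sport, dport)

def by_proto_dport(proto, saddr, sport, dport):
    """Aggregation on protocol and destination port only."""
    return (proto, dport)

def aggregate(flows, key_fn):
    """Sum sbytes/dbytes per (time bin, key): {bin: {key: [sbytes, dbytes]}}."""
    bins = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for start, proto, saddr, sport, dport, sbytes, dbytes in flows:
        cell = bins[start // BIN_SECONDS][key_fn(proto, saddr, sport, dport)]
        cell[0] += sbytes
        cell[1] += dbytes
    return bins

def max_entries(bins):
    """Largest number of keys held for any single time bin."""
    return max(len(cells) for cells in bins.values())

def total_bytes(bins):
    return sum(s + d for cells in bins.values() for s, d in cells.values())

def top_ports(bins, n):
    """The n (proto, dport) keys with the most bytes across all bins."""
    totals = defaultdict(int)
    for cells in bins.values():
        for key, (s, d) in cells.items():
            totals[key] += s + d
    return sorted(totals, key=totals.get, reverse=True)[:n]
```

Both aggregations account for the same byte totals; only the number of entries held per bin differs, which is what a top-N port graph over a long time range depends on.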