argus 3.0 clients + name conversion

Carter Bullard carter at qosient.com
Tue Feb 12 11:12:14 EST 2008


Hey Scott,
The way to do that would be to configure it in your .rarc file. Set

RA_PRINT_NAMES=all

'all' prints hosts, proto, and ports
'proto' prints proto and ports (this is the default)
'ports' prints ports

Everyone was suppressing the DNS lookups, as it slows everything
waaayyyyy down, so we just made this the default.

To change from whatever the setting is in the .rarc file, you use
the "-n" option, and you can use as many '-n's as you like.
The resolve setting right now is a 4-way toggle (if such a thing
exists), where each -n goes through the progression 'all', 'port',
'proto', 'none', 'all', 'port', 'proto', 'none', ...., with the default
being 'port'. So to get to 'all', from the default value, you need a -nnn.

I intended to do better than this, but haven't gotten around to it,
so if you have any opinions as to a better scheme, that allows you
to toggle through them quickly for tools like ratop(), then I'd love
to discuss.

The implementation is designed as a non-blocking DNS lookup scheme,
but the non-blocking feature is turned on by default only in ratop().
This allows ratop() to keep on burning, so to speak, when you turn
DNS resolving on, updating the names as the domain names get resolved.
It keeps tallying and reading records, so you don't get any dead time.

I have found that when you turn on DNS resolution, you can potentially
get a lot of DNS flows, which can generate more DNS traffic, as the ra*
programs try to resolve the names of the DNS server's IP addresses.
I tend to type ":f display not port domain" in ratop() when I turn on DNS
lookups to keep the DNS requests from filling up the screen.

I have found that on Mac OS X, some of the name resolution routines
such as getservent(), are dreadfully slow.  So things go much faster
when the option is set to "none".

Carter



On Feb 12, 2008, at 8:39 AM, Scott O wrote:

> I'm probably overlooking something simple, but has name conversion
> changed in Argus 3.0?
>
> I've tried .63 of the clients and the latest on the website, but
> using ra/racluster/etc. without any -n or additional options does not
> allow the hosts to be looked up.  Port conversion, and disabling of it,
> seems to work just fine fwiw.
>
> Thoughts?
>
> Thanks,
>
> Scott
>


