Problems with piping Argus output to rasplit
Nick Diel
ndiel at engr.colostate.edu
Fri Mar 21 13:55:32 EDT 2008
I am having some problems piping Argus to rasplit. I have a large set
of pcaps I am turning into Argus records. I have about 700 gigs of pcaps
with a baseline of 10,000 packets/second and peaks at 17,000 packets/second.
I am using the following command:
mergecap -a -w - pcap/*.pcap | argus -AJR -r - -w - | rasplit -r - -w argus. -a 4 -M size 1000m
ArgusWarning: argus[21937]: 20 Mar 08 11:36:52.428622
ArgusWriteOutSocket(0xb7eaf008) max queue exceeded 100001
ArgusWarning: argus[21937]: 20 Mar 08 11:36:52.428879
ArgusWriteOutSocket(0xb7eaf008) max queue exceeded 100001
rasplit dies within 30 seconds of starting (no messages to stderr),
though it has created a 65 MB file. racount shows the 65 MB file has no
flows. I can't tell if the Argus error message is before or after
rasplit dies.
The disk system is a fairly fast RAID 5, 4 CPU cores, 2 gig of RAM.
Barely any RAM is in use when rasplit dies.
Any thoughts?
Nick