Argus server exits with "maximum errors exceeded 200000"
Guy Dickinson
guy.dickinson at nyu.edu
Thu Nov 19 14:49:18 EST 2009
Greetings, Argus Developers and Subscribers:

For some time, I have been attempting to troubleshoot an argus server
instance sitting atop a ~1Gbps link which has presented some stability
issues. To date, I have had two issues, one which I think I have solved,
and one which remains open.

The first has been described before in a handful of mailing list
postings, not dissimilar to this one:

http://thread.gmane.org/gmane.network.argus/5010/focus=5011

The argus server would run fine, but after a few hours of connection
from a ra client, it would disconnect without warning with the
"ArgusWriteOutSocket [...] max queue exceeded 100001" error. I was able
to suppress this error by changing the size of ArgusMaxListLength in
ArgusUtil.c:

int ArgusMaxListLength = 1000000;

Now, however, I am beginning to see a different problem with the argus
server. After a day or so of a connected ra client, the argus server
exits with the debug message

argus[7386]: 19 Nov 09 14:19:28.712777 ArgusWriteOutSocket(0xad21b008) maximum errors exceeded 200000

Could someone shed some light on these errors and what may be causing
them? While running the server with debug set to 1, I see these messages
a few times an hour:

argus[7386]: 19 Nov 09 11:48:12.456533 ArgusNewFlow() flow key is not correct len equals zero

Client and Server Version: 3.0.2
Network Capture Hardware: Endace DAG 4.5G2
Client and Server OS: RHEL5.4
Capture Bandwidth: 700Mbit/sec - 1Gbps

Both the argus server and ra client are running on some fairly serious
hardware. The former is running on an Endace NinjaBox and the latter on
an 8-core box with an awful lot of memory.

Any help would be greatly appreciated.

Regards,
Guy Dickinson
--
------------------
Guy Dickinson, Network Security Analyst
NYU ITS Technology Security Services
guy.dickinson at nyu.edu
(212) 998-3052