ArgusGenerateNewFlow buf not big enough error

Carter Bullard carter at qosient.com
Fri Sep 18 16:52:27 EDT 2009 

Hey Kevin,
So rasplit may be generating some compressed headers that your  
racluster()
doesn't like, as you are running the racluster() against a file that  
rasplit() generated.

So grab argus-clients-3.0.2.tar.gz from the server:
    ftp://qosient.com/argus/dev/argus-3.0/argus-clients-3.0.2.tar.gz

and lets see if that helps.  If not, could you send a file that  
generates the error?

Carter

On Sep 18, 2009, at 3:09 PM, Kevin & Leah Branch wrote:

> Hi Carter,
>
> They are being read directly from a file.
>
> My argus is run like this
> argus -i $IFACE -P $ARGPORT "$ARGBPF"
> and rasplit pulls the flows from argus and spools them to files like  
> this
>         rasplit -X -S 127.0.0.1:$ARGPORT -M time 1h -w $ARGSTORE/%m/ 
> %d/$IFACE-%H.arg
>
> Thanks,
> Kevin
>
>
> Subject: Re: [ARGUS] ArgusGenerateNewFlow buf not big enough error
> From: carter at qosient.com
> Date: Thu, 17 Sep 2009 16:33:40 -0400
> CC: argus-info at lists.andrew.cmu.edu
> To: klkbranch at hotmail.com
>
> Hey Kevin,
> Hmmmmm. The received flow DSR (the structure that holds the flow  
> identifiers)
> is larger than the canonical "struct ArgusFlow" that we are going to  
> copy into.
> So are the records coming from directory from argus?  radium?   
> processed by
> another ra* program?
>
> Carter
>
> On Sep 17, 2009, at 2:16 PM, Kevin & Leah Branch wrote:
>
> Hi,
>
> I'm starting to see this error multiple times a day when my argus  
> box runs it's hourly racluster process:
>
> racluster[21074]: 10:00:16.981997 ArgusGenerateNewFlow: buf 28 not  
> big enough 48
>
> The command is run like this
>
> /usr/local/bin/racluster -M norep -r $TARGET -w $TARGET.condensed
>
> Any idea what this means?
>
> I run CentOS 5.3 on an i386 platform with a PAE kernel patched with  
> PF_RING.
>
> I'm using argus-3.0.0 and argus-clients-3.0.2.beta.8 on that box at  
> the moment.
>
> From /proc/meminfo
> -------------------
> MemTotal:      4152420 kB
> MemFree:         54144 kB
> Buffers:          7252 kB
> Cached:        2731472 kB
> SwapCached:          0 kB
> Active:        1040472 kB
> Inactive:      2613076 kB
> HighTotal:     3669760 kB
> HighFree:        12036 kB
> LowTotal:       482660 kB
> LowFree:         42108 kB
> SwapTotal:     4192956 kB
> SwapFree:      4192840 kB
> Dirty:          189420 kB
> Writeback:           0 kB
> AnonPages:      914640 kB
> Mapped:          20924 kB
> Slab:            70736 kB
> PageTables:       6472 kB
> NFS_Unstable:        0 kB
> Bounce:              0 kB
> CommitLimit:   6269164 kB
> Committed_AS:  1495352 kB
> VmallocTotal:   509944 kB
> VmallocUsed:    363816 kB
> VmallocChunk:   146008 kB
> HugePages_Total:     0
> HugePages_Free:      0
> HugePages_Rsvd:      0
> Hugepagesize:     2048 kB
>
> Thanks,
> Kevin
>
> Bing brings you health info from trusted sources. Try it now!





-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20090918/eae8aa8b/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3815 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20090918/eae8aa8b/attachment.bin>

More information about the argus mailing list