Argus Freezes

[Carter Bullard]

Argus will support "-S 0.000001" if you want, but that is too small for
what you are trying to do.

You need to watch how argus is using memory.  top.1 is a good program.
When argus exceeds the available RAM, it will start to swap data pages out
to the swap space of the machine.  That is why it slows down.

How much memory do you have?  

If nothing helps, you will want to go in the source code and modify the 
ARGUS_TCPTIMEOUT value to something small, like 5 or 10, in the file
./argus/ArgusModeler.h.  Be sure and recompile, and try the modified
argus as a test.  These flow idle timeout values are hard coded, but
I can put them in the argus.conf file, if this strategy is useful.

The ability to handle large numbers of flows in a short time is an issue
with any packet monitor that attempts to maintain state of the traffic that
it is monitoring.   We have some bells and whistles around this, maybe
there is a solution.

Carter

On Nov 15, 2010, at 12:51 PM, Sunjeet Singh wrote:

> On 10-11-15 9:45 AM, Carter Bullard wrote:
>> The default is 60 seconds, but you may have an /etc/argus.conf file that overrides this value.
>> Try "-S 1" just to see how it goes.
> 
> With "-S 1", the size of the .argus file increased very rapidly initially, so in about 10 seconds it went up from 0 to 60MB. But then it started clogging and goes up very slowly, like 1 MB in 4-5 seconds.
> 
> 
> Thanks,
> Sunjeet
> 
> 
> 


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3815 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20101115/0a74bc65/attachment.bin>