Argus Freezes

Sunjeet Singh sstattla at gmail.com
Mon Nov 15 13:45:09 EST 2010


This is a lot of information. Thanks Carter.

I have 2 GB of RAM. I monitored the argus tool when run with "-S 1" 
using TOP. Interestingly, after a few seconds of executing, the STATUS 
field of the argus process alternated between RUNNING, SLEEPING and 
STUCK. I'm going to need to further analyze what's going on.

I'll try the tweaks that you suggested and update you with results soon.

Sunjeet


On 10-11-15 10:03 AM, Carter Bullard wrote:
> Argus will support "-S 0.000001" if you want, but that is too small for
> what you are trying to do.
>
> You need to watch how argus is using memory.  top.1 is a good program.
> When argus exceeds the available RAM, it will start to swap data pages out
> to the swap space of the machine.  That is why it slows down.
>
> How much memory do you have?
>
> If nothing helps, you will want to go in the source code and modify the
> ARGUS_TCPTIMEOUT value to something small, like 5 or 10, in the file
> ./argus/ArgusModeler.h.  Be sure and recompile, and try the modified
> argus as a test.  These flow idle timeout values are hard coded, but
> I can put them in the argus.conf file, if this strategy is useful.
>
> The ability to handle large numbers of flows in a short time is an issue
> with any packet monitor that attempts to maintain state of the traffic that
> it is monitoring.   We have some bells and whistles around this, maybe
> there is a solution.
>
> Carter
>
> On Nov 15, 2010, at 12:51 PM, Sunjeet Singh wrote:
>
>> On 10-11-15 9:45 AM, Carter Bullard wrote:
>>> The default is 60 seconds, but you may have an /etc/argus.conf file that overrides this value.
>>> Try "-S 1" just to see how it goes.
>> With "-S 1", the size of the .argus file increased very rapidly initially, so in about 10 seconds it went up from 0 to 60MB. But then it started clogging and goes up very slowly, like 1 MB in 4-5 seconds.
>>
>>
>> Thanks,
>> Sunjeet
>>
>>
>>
>



