Out of Memory Reading pcap file with Argus 3.0.5.11 (and 3.0.5.10)

Carter Bullard carter at qosient.com
Mon Mar 12 15:08:04 EDT 2012


Hey Dave,
Hmmm, I process terabytes of packets without seeing this, so it
may be something else, possibly a poor configuration in your
/etc/argus.conf file, or a packet that has a timestamp that is
wayyyyyyy into the future, that is gumming up the works.

So, contents of your /etc/argus.conf file may help, and how
are you calling argus on the command line?

Carter

On Mar 10, 2012, at 2:31 PM, Dave Edelman wrote:

> I frequently use argus to read a pcap file and write it so that I can run the argus clients on the flows. It looks like somewhere between 3.0.3.16 and 3.0.5.10 something changed in a way that consumes enough memory that I can no longer do this with one of my typical 200 MB pcap files. The same thing happens on 3.0.5.11 and I don’t have any of the intervening versions to figure out where it actually started. The problem occurs on all eight of my reference pcap files (they are all 200MB depending on how you count MB).
>  
> The problem is related to the size of the pcap file and I’m still experimenting to determine at what size this triggers. I can provide the pcap file if that helps.
>  
> --Dave
>  
> ls -l data0.pcap
> -rw-r--r-- 1 root root 200000047 2012-03-10 18:43 data0.pcap
> ls -lh data0.pcap
> -rw-r--r-- 1 root root 191M 2012-03-10 18:43 data0.pcap
>  
> /layered_products/argus-3.0.3.16/bin/argus -X -U 1024 -r data0.pcap  -w argusmnew.argus
> /layered_products/argus-3.0.5.11/bin/argus -X -U 1024 -r data0.pcap  -w argusmnew.argus
> out of memory [28413]
> ^C^C^C^Z
> [1]+  Stopped                 /layered_products/argus-3.0.5.11/bin/argus -X -U 1024 -r data0.pcap -w argusmnew.argus
> kill -9 %1
>  
> System:  Linux snmsdev5 2.6.27.24-170.2.68.fc10.i686.PAE #1 SMP Wed May 20 22:58:30 EDT 2009 i686 i686 i386 GNU/Linux
> Arch:    i686
>  
> Paths:    /usr/local/sbin/argus /usr/local/bin/ra /usr/bin/make /usr/bin/gmake /usr/lib/ccache/gcc /usr/lib/ccache/cc
>  
> ARGUS:   Argus Version 3.0.5.11
> RA:      Ra Version 3.0.5.35
>  
>  
> GCC:     Using built-in specs.
> Target: i386-redhat-linux
> Configured with: ../configure --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --with-bugurl=http://bugzilla.redhat.com/bugzilla --enable-bootstrap --enable-shared --enable-threads=posix --enable-checking=release --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --enable-languages=c,c++,objc,obj-c++,java,fortran,ada --enable-java-awt=gtk --disable-dssi --enable-plugin --with-java-home=/usr/lib/jvm/java-1.5.0-gcj-1.5.0.0/jre --enable-libgcj-multifile --enable-java-maintainer-mode --with-ecj-jar=/usr/share/java/eclipse-ecj.jar --disable-libjava-multilib --with-cpu=generic --build=i386-redhat-linux
> Thread model: posix
> gcc version 4.3.2 20081105 (Red Hat 4.3.2-7) (GCC)
>  
> LIBC:
> lrwxrwxrwx 1 root root 11 2009-06-23 13:30 /lib/libc.so.6 -> libc-2.9.so
> -rwxr-xr-x 1 root root 1809672 2008-12-08 13:33 /lib/libc-2.9.so
> -rw-r--r-- 1 root root 3199504 2008-12-08 13:16 /usr/lib/libc.a
> -rw-r--r-- 1 root root 238 2008-12-08 13:00 /usr/lib/libc.so
>  
>  
> libpcap.so.0.9.8
>  
>  
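
The possibility raised in the reply above, a packet timestamped far into the future, can be checked before the file is handed to argus. The following is an added example, not part of the original messages or of the Argus code: it walks the record headers of a classic pcap file and reports timestamps that jump more than a threshold from the last plausible one. The function names, the one-day threshold and the sample capture are assumptions constructed for illustration.

```python
import struct

# First four bytes of a classic pcap file -> (struct byte order, sub-second units per second)
MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 10**6), b"\xa1\xb2\xc3\xd4": (">", 10**6),  # microseconds
    b"\x4d\x3c\xb2\xa1": ("<", 10**9), b"\xa1\xb2\x3c\x4d": (">", 10**9),  # nanoseconds
}

def scan_timestamps(data, max_jump=86400.0):
    """Return (record index, timestamp, delta) for every record whose timestamp
    lies more than max_jump seconds from the last plausible record.
    Caveat: the first record is trusted as the baseline."""
    if len(data) < 24 or data[:4] not in MAGICS:
        raise ValueError("not a classic pcap file")
    order, frac = MAGICS[data[:4]]
    off, idx, base, suspects = 24, 0, None, []   # 24-byte file header
    while off + 16 <= len(data):                 # 16-byte per-record header
        sec, sub, caplen, _origlen = struct.unpack_from(order + "IIII", data, off)
        ts = sec + sub / frac
        if base is None:
            base = ts
        elif abs(ts - base) > max_jump:
            suspects.append((idx, ts, ts - base))  # outlier: keep the old baseline
        else:
            base = ts                              # plausible: advance the baseline
        off += 16 + caplen                         # skip the captured bytes
        idx += 1
    return suspects

def build_sample():
    """Constructed little-endian pcap: four records, the third stamped in 2106."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sec in (1331400000, 1331400001, 4294967000, 1331400002):
        payload = b"\x00" * 60
        out += struct.pack("<IIII", sec, 0, len(payload), len(payload)) + payload
    return out

if __name__ == "__main__":
    for idx, ts, delta in scan_timestamps(build_sample()):
        print(f"record {idx}: ts={ts:.6f} is {delta:+.0f}s from previous plausible packet")
```

To run it against a real capture, pass the file's bytes, for example `scan_timestamps(open("data0.pcap", "rb").read())`.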
