Direction and IP/TCP timeout settings

Craig Merchant cmerchant at responsys.com
Thu Jul 11 19:28:50 EDT 2013


Hey, Carter...

We're finding that for about 70% of our flows, Argus can't figure out the direction.  From previous posts, it would seem that the 60 second TCP session timeout is too short.  If I understand correctly, a flow longer than 60 seconds will have its session time out in the cache and then Argus can't really determine what the direction is.

The argus.conf file warns of the hit on memory if those settings are adjusted from the defaults.  I've been steadily increasing the TCP and IP timeout values and watching to see if memory consumption jumps up dramatically or if we're seeing fewer events where the direction is uncertain.

I've gone as high as a two-hour session timeout.  We do something like 2.5-8 Gbps 24 hours a day, so I would expect to see a huge increase in Argus memory consumption when I increase the timeout value.  The machine has like 64 GB of memory and top says argus is only using .2%.

The settings look like:

ARGUS_IP_TIMEOUT=3600
ARGUS_TCP_TIMEOUT=7200
#ARGUS_ICMP_TIMEOUT=5
#ARGUS_IGMP_TIMEOUT=30
#ARGUS_FRAG_TIMEOUT=5
#ARGUS_ARP_TIMEOUT=5
#ARGUS_OTHER_TIMEOUT=30

Am I doing something wrong here?  Is there some other setting I need to enable to increase that timeout value?

Also, what's the difference between a direction value of ?> vs <?>?

Thanks!

Craig