Direction and IP/TCP timeout settings
Carter Bullard
carter at qosient.com
Fri Jul 12 09:36:56 EDT 2013
Hmmmm, do the new timeouts change the direction problem?
That will be the real test, if the memory issues aren't showing themselves,
then cool, as long as your traffic looks better.
If not, I'll take a look. Never know where things break down.
In some cases, we'll try to make the direction indicator match the traffic,
with the central character indicating the confidence. So, when there is
a " ? ", the < or > should change to indicate direction of traffic, since
the assignment of flow direction isn't " on ".
Carter
On Jul 11, 2013, at 7:28 PM, Craig Merchant <cmerchant at responsys.com> wrote:
> Hey, Carter…
>
> We’re finding that for about 70% of our flows, Argus can’t figure out the direction. From previous posts, it would seem that the 60 second TCP session timeout is too short. If I understand correctly, a flow longer than 60 seconds will have its session timeout in the cache and then argus can’t really determine what the direction is.
>
> The argus.conf file warns of the hit on memory if those settings are adjusted from the defaults. I’ve been steadily increasing the TCP and IP timeout values and watching to see if memory consumption jumps up dramatically or if we’re seeing fewer events where the direction is uncertain.
>
> I’ve gone as high up as two hour session timeout. We do something like 2.5-8 Gbps 24 hours a day, so I would expect to see a huge increase in Argus memory consumption when I increase the timeout value. The machine has like 64 GB of memory and top says argus is only using .2%.
>
> The settings look like:
>
> ARGUS_IP_TIMEOUT=3600
> ARGUS_TCP_TIMEOUT=7200
> #ARGUS_ICMP_TIMEOUT=5
> #ARGUS_IGMP_TIMEOUT=30
> #ARGUS_FRAG_TIMEOUT=5
> #ARGUS_ARP_TIMEOUT=5
> #ARGUS_OTHER_TIMEOUT=30
>
> Am I doing something wrong here? Is there some other setting I need to enable to increase that timeout value?
>
> Also, what’s the difference between a direction value of ?> vs <?>?
>
> Thanks!
>
> Craig
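
One way to measure whether a timeout change moves the direction problem, as an added example that is not part of the original thread: tally the direction indicators of flow records taken before and after the change and compare the share that carry a `?`. The indicator lists below are constructed samples, and exporting one direction field per record into a list is an assumption about how the data is collected.

```python
from collections import Counter

def classify(direction):
    """Return (confident, arrows) for one direction indicator string.

    A '?' marks a flow whose direction assignment is not confident;
    the '<' and '>' characters show which way traffic was seen.
    """
    d = direction.strip()
    confident = "?" not in d
    left, right = "<" in d, ">" in d
    if left and right:
        arrows = "both"
    elif right:
        arrows = "rightward"
    elif left:
        arrows = "leftward"
    else:
        arrows = "none"
    return confident, arrows

def summarize(directions):
    """Count uncertain flows and break them down by observed arrows."""
    total = 0
    uncertain = Counter()
    for d in directions:
        if not d.strip():
            continue  # skip blank fields rather than counting them
        total += 1
        confident, arrows = classify(d)
        if not confident:
            uncertain[arrows] += 1
    n_uncertain = sum(uncertain.values())
    ratio = n_uncertain / total if total else 0.0
    return {"total": total, "uncertain": n_uncertain,
            "ratio": ratio, "by_arrows": dict(uncertain)}

# Constructed samples: direction fields before and after raising the timeouts.
BEFORE = ["?>", "<?>", "->", "?>", "<?>", "<?>", "?>", "<->", "->", "?>"]
AFTER = ["->", "<->", "->", "?>", "->", "<->", "->", "->", "<?>", "->"]

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        s = summarize(sample)
        print(f"{label}: {s['uncertain']}/{s['total']} uncertain "
              f"({s['ratio']:.0%}) {s['by_arrows']}")
```
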