Direction and IP/TCP timeout settings

Carter Bullard carter at qosient.com
Fri Jul 12 16:48:32 EDT 2013 

Hey Craig,
A bunch of things here.  The pf_ring could be an issue...but we need to see the issue first.  So racluster() won't generate ? In the direction field, it has the chance to actually reduce the number.

Argus and racluster will only generate records when there is activity, so 1 packet in a flow, 20 hours later another packet, argus generates 2 records,  racluster, in default mode (no idle timeouts) will generate 1 record.

So we have direction based on a list, RA_LOCAL that the clients can use to determine direction.  Can that work for your needs?

Carter



On Jul 12, 2013, at 4:24 PM, Craig Merchant <cmerchant at responsys.com> wrote:

> I’ll setup wireshark and do some testing…  I did check the stats for the interfaces that argus listens on.  In the data center that is running around 3 Gbps today, there was 0% packet loss.  In the other data center that was doing 8.5 Gbps today, it had 0.3% packet loss.
>  
> I should mention that we’re using racluster to aggregate our flows by saddr, daddr, dport, and  protocol every 5 minutes if that could be having any impact…   We’re also using the DNA/libzero drivers from pf_ring if that could be having any impact.
>  
> I searched over my argus data for flows with a direction of “?>” and summed the duration by saddr, daddr, dport, and protocol and looked at the flows with the highest durations over the last 20 hours.  For the top connection, racluster produced 75 records with a total duration of 3234 seconds.
>  
> I’m not enough of an expert here, but if a flow remains open for 20 hours (even if it isn’t passing data), shouldn’t I see at least one record from racluster for each 5 minute interval?
>  
> How difficult would it be to add a feature to argus that would let us “hard code” directional settings?  I could envision feeding argus a NMAP or Nessus scan or a label file with host/protocol/port information that would tell argus to always consider that to be the destination if argus isn’t sure about the direction.
>  
> I’ll let you know the testing goes.  Thanks again for your consistently quick replies!
>  
> Craig
>  
>  
> From: Carter Bullard [mailto:carter at qosient.com] 
> Sent: Friday, July 12, 2013 10:54 AM
> To: Craig Merchant
> Subject: Re: [ARGUS] Direction and IP/TCP timeout settings
>  
> Well, its all about seeing the SYN or SYNACK.
>  
> So are these flows all so long lived that they all started before 18 hours?
> If not, are you seeing the SYN and SYNACK and argus is forgetting about it?
> startup a packet capture, and then send some test TCP connections.  Make
> sure they last for a while.  Do an ssh, and let there be an 120 second idle
> time and then start typing again, and see if argus is screwing up.
>  
> The packet capture should have all the packets, and argus should generate
> the same problems just reading that packet file, so hopefully we'll capture
> the error.
>  
> Carter
>  
>  
> On Jul 12, 2013, at 1:35 PM, Craig Merchant <cmerchant at responsys.com> wrote:
> 
> 
> I’ve been running Argus for about 18 hours now with a two hour timeout setting and there hasn’t been any change in the number of flows that it is unsure of the direction…
>  
> Let me know if there is anything I can do to help test this…
>  
> C
>  
> From: Carter Bullard [mailto:carter at qosient.com] 
> Sent: Friday, July 12, 2013 6:37 AM
> To: Craig Merchant
> Cc: Argus (argus-info at lists.andrew.cmu.edu)
> Subject: Re: [ARGUS] Direction and IP/TCP timeout settings
>  
> Hmmmm, do the new timeouts change the direction problem?
> That will be the real test, if the memory issues aren't showing themselves,
> the cool, as long as your traffic looks better.
>  
> If not, I'll take a look.  Never know where things break down.
> In some cases, we'll try to make the direction indicator match the traffic,
> with the central character indicating the confidence.  So, when there is
> a " ? ", the < or > should change to indicate direction of traffic, since
> the assignment of flow direction isn't " on ".
>  
> Carter
>  
>  
> On Jul 11, 2013, at 7:28 PM, Craig Merchant <cmerchant at responsys.com> wrote:
> 
> 
> 
> Hey, Carter…
>  
> We’re finding that for about 70% of our flows, Argus can’t figure out the direction.  From previous posts, it would seem that the 60 second TCP session timeout is too short.  If I understand correctly, a flow longer than 60 seconds will have its session timeout in the cache and then argus can’t really determine what the direction is.
>  
> The argus.conf file warns of the hit on memory if those settings are adjusted from the defaults.  I’ve been steadily increasing the TCP and IP timeout values and watching to see if memory consumption jumps up dramatically or if we’re seeing less events where the direction is uncertain.
>  
> I’ve gone as high up as two hour session timeout.  We do something like 2.5-8 Gbps 24 hours a day, so I would expect to see a huge increase in Argus memory consumption when increase the timeout value.  The machine has like 64 GB of memory and top says argus is only using .2%. 
>  
> The settings look like:
>  
> ARGUS_IP_TIMEOUT=3600
> ARGUS_TCP_TIMEOUT=7200
> #ARGUS_ICMP_TIMEOUT=5
> #ARGUS_IGMP_TIMEOUT=30
> #ARGUS_FRAG_TIMEOUT=5
> #ARGUS_ARP_TIMEOUT=5
> #ARGUS_OTHER_TIMEOUT=30
>  
> Am I doing something wrong here?  Is there some other setting I need to enable to increase that timeout value?
>  
> Also, what’s the difference between a direction value of ?> vs <?>?
>  
> Thanks!
>  
> Craig
>  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20130712/3c5a8c84/attachment.html>

More information about the argus mailing list