Direction and IP/TCP timeout settings

Carter Bullard carter at qosient.com
Mon Jul 15 16:13:15 EDT 2013


What percent utilization do you have for argus?
Argus could be running out of steam and dropping packets.
So, if you have snort running on 20+ queues to get the performance up,
why not try to do that with argus?

Carter

On Jul 15, 2013, at 3:49 PM, Craig Merchant <cmerchant at responsys.com> wrote:

> I recompiled argus after making the change to ArgusModeler.h.  Judging by the memory use, Argus is now able to use a much bigger cache for connections.  Thanks!
>  
> It hasn’t had any impact on the direction problem though.
>  
> When argus runs on top of the pfdnacluster_master app, it can’t figure out the direction about 60%+ of the time.  If I run Argus directly on the dna0 interface, it can’t figure out the direction about 40% of the time.  The pfcount utility that comes with pf_ring says that there is less than 0.1% packet loss when running on pfdnacluster_master and no packet loss when running on dna0 itself.
>  
> The interface isn’t dropping anything either:
>  
> dna0      Link encap:Ethernet  HWaddr 00:E0:ED:1F:60:38
>           inet6 addr: fe80::2e0:edff:fe1f:6038/64 Scope:Link
>           UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
>           RX packets:97888412645 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:63700614828375 (57.9 TiB)  TX bytes:0 (0.0 b)
>           Memory:feaa0000-feac0000
>  
> Can you think of why Argus might have issues with pf_ring and DNA?  Any suggestions for working around it?
>  
> Thx.
> 
> Craig
>  
>  
>  
>  
>  
> From: Carter Bullard [mailto:carter at qosient.com] 
> Sent: Saturday, July 13, 2013 7:38 AM
> To: Craig Merchant
> Subject: Re: [ARGUS] Direction and IP/TCP timeout settings
>  
> Hey Craig,
> So I capped the largest timeout to be 5 minutes.  Easy fix, really sorry for the inconvenience.
>  
> The per-flow timeout value is an unsigned short (16 bits), so you can use this patch
> to set timeouts up to 65534, in the file ./argus/ArgusModeler.h.
>  
> osiris:argus carter$ diff ./argus/ArgusModeler.h ./argus/ArgusModeler.h.orig
> 84c84
> < #define ARGUSTIMEOUTQS                  65534
> ---
> > #define ARGUSTIMEOUTQS                  301
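Review bot: the diff's argument order puts the patched file first and the .orig copy second, so the `<` line (65534) is the new value and the `>` line (301) is what currently ships; read as a conventional old-to-new diff, or fed to patch without -R, it does the opposite. Regenerating it as `diff -u ./argus/ArgusModeler.h.orig ./argus/ArgusModeler.h` removes the ambiguity and carries context. Also, since the message says the per-flow timeout is a 16-bit unsigned short, whatever reads ARGUS_*_TIMEOUT from argus.conf should still clamp or reject values above the new ARGUSTIMEOUTQS rather than let them truncate into the field; that check is not visible in this one-line change.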
>  
>  
> Carter
>  
> Carter Bullard
> CEO/President
> QoSient, LLC
> 150 E 57th Street Suite 12D
> New York, New York  10022
> 
> +1 212 588-9133 Phone
> +1 212 588-9134 Fax
>  
> On Jul 12, 2013, at 2:15 PM, Carter Bullard <carter at qosient.com> wrote:
> 
> 
> Hey Craig,
> I haven't had a chance to look at the code.
> Let me see this afternoon if it's supposed to be working or not.
> Carter
> 
> Carter Bullard, QoSient, LLC
> 150 E. 57th Street Suite 12D
> New York, New York 10022
> +1 212 588-9133 Phone
> +1 212 588-9134 Fax
> 
> On Jul 12, 2013, at 1:35 PM, Craig Merchant <cmerchant at responsys.com> wrote:
> 
> I’ve been running Argus for about 18 hours now with a two hour timeout setting and there hasn’t been any change in the number of flows that it is unsure of the direction…
>  
> Let me know if there is anything I can do to help test this…
>  
> C
>  
> From: Carter Bullard [mailto:carter at qosient.com] 
> Sent: Friday, July 12, 2013 6:37 AM
> To: Craig Merchant
> Cc: Argus (argus-info at lists.andrew.cmu.edu)
> Subject: Re: [ARGUS] Direction and IP/TCP timeout settings
>  
> Hmmmm, do the new timeouts change the direction problem?
> That will be the real test; if the memory issues aren't showing themselves,
> then cool, as long as your traffic looks better.
>  
> If not, I'll take a look.  Never know where things break down.
> In some cases, we'll try to make the direction indicator match the traffic,
> with the central character indicating the confidence.  So, when there is
> a " ? ", the < or > should change to indicate direction of traffic, since
> the assignment of flow direction isn't " on ".
>  
> Carter
>  
>  
> On Jul 11, 2013, at 7:28 PM, Craig Merchant <cmerchant at responsys.com> wrote:
> 
> 
> 
> Hey, Carter…
>  
> We’re finding that for about 70% of our flows, Argus can’t figure out the direction.  From previous posts, it would seem that the 60 second TCP session timeout is too short.  If I understand correctly, a flow longer than 60 seconds will have its session timeout in the cache and then argus can’t really determine what the direction is.
>  
> The argus.conf file warns of the hit on memory if those settings are adjusted from the defaults.  I’ve been steadily increasing the TCP and IP timeout values and watching to see if memory consumption jumps up dramatically or if we’re seeing less events where the direction is uncertain.
>  
> I’ve gone as high as a two-hour session timeout.  We do something like 2.5-8 Gbps 24 hours a day, so I would expect to see a huge increase in Argus memory consumption when increasing the timeout value.  The machine has like 64 GB of memory and top says argus is only using 0.2%. 
>  
> The settings look like:
>  
> ARGUS_IP_TIMEOUT=3600
> ARGUS_TCP_TIMEOUT=7200
> #ARGUS_ICMP_TIMEOUT=5
> #ARGUS_IGMP_TIMEOUT=30
> #ARGUS_FRAG_TIMEOUT=5
> #ARGUS_ARP_TIMEOUT=5
> #ARGUS_OTHER_TIMEOUT=30
>  
> Am I doing something wrong here?  Is there some other setting I need to enable to increase that timeout value?
>  
> Also, what’s the difference between a direction value of ?> vs <?>?
>  
> Thanks!
>  
> Craig
>  
