Argus 3.0.7.2 vs. 3.0.6.1

Jesper Skou Jensen jesper.skou.jensen at uni-c.dk
Wed Jun 12 02:51:41 EDT 2013 

Hi Carter,

At the time of capture, I had Argus running on two different machines, 
both receiving the traffic from a Cisco span/monitor port. Bandwidth 
usage (tested with the program nload) on the ports were the same at the 
time of capture, which leads me to think that it's Argus 3.0.7 that had 
some issues.

If it helps. The old 3.0.6 hovers around 30% CPU usage, while the new is 
way down at 10%. At first I thought WOW, GREAT performance improvments, 
but I guess it was too good to be true. :-/

I have also tested both versions of Argus on the same machine and they 
had the same CPU usage numbers.

As mentioned I also compared ragraph's. On 3.0.7 they were WAY down at 
about 1/6th of the usual traffic, until I reinstalled 3.0.6.

Both receiving servers are running Ubuntu 12.04.


Regards
Jesper

On 11-06-2013 16:19, Carter Bullard wrote:
> Hey Jesper Skou Jensen,
> So are you reading multiple interfaces at the same time?
>
> We've got reports of very poor performance when we're binding or
> dup'ing multiple interfaces, in some architectures.
>
> If that's not it, there are a lot of new features in argus-3.0.7.x,
> some of these maybe eating a lot of cycles.  If that's not it,
> how are you running your comparisons?  Two argi on the same machine,
> and interface?  Are you using PF_RING ???
>
> This is important, as performance seems to have degraded for
> multiple sites, so hopefully we can figure this out…..
>
> Carter
>
>
> On Jun 11, 2013, at 4:59 AM, Jesper Skou Jensen <jesper.skou.jensen at uni-c.dk> wrote:
>
>> Hi guys,
>>
>> I'm in the process of setting up a new Argus box and decided to try out the newest development version of Argus instead of the somewhat old stable version. BUT... It turns out that the new Argus isn't capturing remotely as much data as the old one, and I'm trying to figure out why this is happening, if it's an error at my end, or it's a bug. I hope you guys can help out.
>>
>> I have captured two identical streams on one Argus running 3.06.1 and another running 3.0.7.2. Then I have selected the same 1 minute segment (with the -t option) and are now comparing those.
>>
>> # racount -r argus_3.0.6.1.ra
>> racount   records     total_pkts     src_pkts       dst_pkts total_bytes        src_bytes          dst_bytes
>>     sum   250712      3763810        2148834        1614976 2568139699         641553337          1926586362
>>
>> # racount -r argus_3.0.7.2.ra
>> racount   records     total_pkts     src_pkts       dst_pkts total_bytes        src_bytes          dst_bytes
>>     sum   109070      502597         322519         180078 385799043          190698708          195100335
>>
>> If I use ragraph to draw some graphs it's very clear that the 3.7.0.2 captures around 1/6th of the traffic.
>>
>> Any ideas why?
>>
>>
>> --
>> Regards
>> Jesper Skou Jensen
>> UNI-C
>>
>

More information about the argus mailing list