Argus 3.0.7.2 vs. 3.0.6.1

Terry Burton tez at terryburton.co.uk
Tue Jun 18 06:04:51 EDT 2013


On 17 June 2013 19:28, Carter Bullard <carter at qosient.com> wrote:
> Can you test your argus-3.0.7.x with this patch?

Hi Carter,

I've encountered the same issue. The patch recovers the capture rate for me:

-rw-r--r-- 1 argus argus  43458664 Jun 18 11:02 143.210.5.1-10:00:00.arg
-rw-r--r-- 1 argus argus  41898052 Jun 18 11:02 143.210.5.1-10:05:00.arg
-rw-r--r-- 1 argus argus  45722288 Jun 18 11:02 143.210.5.1-10:10:00.arg
-rw-r--r-- 1 argus argus  43402576 Jun 18 11:02 143.210.5.1-10:15:00.arg
-rw-r--r-- 1 argus argus  42458196 Jun 18 11:02 143.210.5.1-10:20:00.arg
-rw-r--r-- 1 argus argus  39494248 Jun 18 11:02 143.210.5.1-10:25:00.arg
-rw-r--r-- 1 argus argus  76119872 Jun 18 11:02 143.210.5.1-10:30:00.arg
-rw-r--r-- 1 argus argus 230249116 Jun 18 11:02 143.210.5.1-10:35:00.arg
-rw-r--r-- 1 argus argus 236756028 Jun 18 11:02 143.210.5.1-10:40:00.arg
-rw-r--r-- 1 argus argus 235017880 Jun 18 11:02 143.210.5.1-10:45:00.arg

Plot attached...


Thanks,

Terry


> ==== //depot/argus/argus/argus/ArgusSource.c#108 -
> /Volumes/Users/carter/argus/argus/argus/ArgusSource.c ====
> 3848,3849d3847
> <                                                 struct timespec tsbuf =
> {0, 50000}, *ts = &tsbuf;
> <                                                 nanosleep(ts, NULL);
>
> It removes what may be a bug, were we could sleep for 50 uSec every packet,
> under some conditions?
> Carter
>
>
> On Jun 12, 2013, at 2:51 AM, Jesper Skou Jensen
> <jesper.skou.jensen at uni-c.dk> wrote:
>
> Hi Carter,
>
> At the time of capture, I had Argus running on two different machines, both
> receiving the traffic from a Cisco span/monitor port. Bandwidth usage
> (tested with the program nload) on the ports were the same at the time of
> capture, which leads me to think that it's Argus 3.0.7 that had some issues.
>
> If it helps. The old 3.0.6 hovers around 30% CPU usage, while the new is way
> down at 10%. At first I thought WOW, GREAT performance improvments, but I
> guess it was too good to be true. :-/
>
> I have also tested both versions of Argus on the same machine and they had
> the same CPU usage numbers.
>
> As mentioned I also compared ragraph's. On 3.0.7 they were WAY down at about
> 1/6th of the usual traffic, until I reinstalled 3.0.6.
>
> Both receiving servers are running Ubuntu 12.04.
>
>
> Regards
> Jesper
>
> On 11-06-2013 16:19, Carter Bullard wrote:
>
> Hey Jesper Skou Jensen,
> So are you reading multiple interfaces at the same time?
>
> We've got reports of very poor performance when we're binding or
> dup'ing multiple interfaces, in some architectures.
>
> If that's not it, there are a lot of new features in argus-3.0.7.x,
> some of these maybe eating a lot of cycles.  If that's not it,
> how are you running your comparisons?  Two argi on the same machine,
> and interface?  Are you using PF_RING ???
>
> This is important, as performance seems to have degraded for
> multiple sites, so hopefully we can figure this out…..
>
> Carter
>
>
> On Jun 11, 2013, at 4:59 AM, Jesper Skou Jensen
> <jesper.skou.jensen at uni-c.dk> wrote:
>
> Hi guys,
>
> I'm in the process of setting up a new Argus box and decided to try out the
> newest development version of Argus instead of the somewhat old stable
> version. BUT... It turns out that the new Argus isn't capturing remotely as
> much data as the old one, and I'm trying to figure out why this is
> happening, if it's an error at my end, or it's a bug. I hope you guys can
> help out.
>
> I have captured two identical streams on one Argus running 3.06.1 and
> another running 3.0.7.2. Then I have selected the same 1 minute segment
> (with the -t option) and are now comparing those.
>
> # racount -r argus_3.0.6.1.ra
> racount   records     total_pkts     src_pkts       dst_pkts total_bytes
> src_bytes          dst_bytes
>    sum   250712      3763810        2148834        1614976 2568139699
> 641553337          1926586362
>
> # racount -r argus_3.0.7.2.ra
> racount   records     total_pkts     src_pkts       dst_pkts total_bytes
> src_bytes          dst_bytes
>    sum   109070      502597         322519         180078 385799043
> 190698708          195100335
>
> If I use ragraph to draw some graphs it's very clear that the 3.7.0.2
> captures around 1/6th of the traffic.
>
> Any ideas why?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: argus.png
Type: image/png
Size: 39820 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20130618/5f31fdf0/attachment.png>


More information about the argus mailing list