Argus 3.0.7.2 vs. 3.0.6.1

Carter Bullard carter at qosient.com
Tue Jun 18 09:07:20 EDT 2013 

Great !!!  Seems that time delay snuck in while testing.
Fixed in argus-3.0.7.3 !!! Going up later today tomorrow !!
Carter


On Jun 18, 2013, at 6:04 AM, Terry Burton <tez at terryburton.co.uk> wrote:

> On 17 June 2013 19:28, Carter Bullard <carter at qosient.com> wrote:
>> Can you test your argus-3.0.7.x with this patch?
> 
> Hi Carter,
> 
> I've encountered the same issue. The patch recovers the capture rate for me:
> 
> -rw-r--r-- 1 argus argus  43458664 Jun 18 11:02 143.210.5.1-10:00:00.arg
> -rw-r--r-- 1 argus argus  41898052 Jun 18 11:02 143.210.5.1-10:05:00.arg
> -rw-r--r-- 1 argus argus  45722288 Jun 18 11:02 143.210.5.1-10:10:00.arg
> -rw-r--r-- 1 argus argus  43402576 Jun 18 11:02 143.210.5.1-10:15:00.arg
> -rw-r--r-- 1 argus argus  42458196 Jun 18 11:02 143.210.5.1-10:20:00.arg
> -rw-r--r-- 1 argus argus  39494248 Jun 18 11:02 143.210.5.1-10:25:00.arg
> -rw-r--r-- 1 argus argus  76119872 Jun 18 11:02 143.210.5.1-10:30:00.arg
> -rw-r--r-- 1 argus argus 230249116 Jun 18 11:02 143.210.5.1-10:35:00.arg
> -rw-r--r-- 1 argus argus 236756028 Jun 18 11:02 143.210.5.1-10:40:00.arg
> -rw-r--r-- 1 argus argus 235017880 Jun 18 11:02 143.210.5.1-10:45:00.arg
> 
> Plot attached...
> 
> 
> Thanks,
> 
> Terry
> 
> 
>> ==== //depot/argus/argus/argus/ArgusSource.c#108 -
>> /Volumes/Users/carter/argus/argus/argus/ArgusSource.c ====
>> 3848,3849d3847
>> <                                                 struct timespec tsbuf =
>> {0, 50000}, *ts = &tsbuf;
>> <                                                 nanosleep(ts, NULL);
>> 
>> It removes what may be a bug, were we could sleep for 50 uSec every packet,
>> under some conditions?
>> Carter
>> 
>> 
>> On Jun 12, 2013, at 2:51 AM, Jesper Skou Jensen
>> <jesper.skou.jensen at uni-c.dk> wrote:
>> 
>> Hi Carter,
>> 
>> At the time of capture, I had Argus running on two different machines, both
>> receiving the traffic from a Cisco span/monitor port. Bandwidth usage
>> (tested with the program nload) on the ports were the same at the time of
>> capture, which leads me to think that it's Argus 3.0.7 that had some issues.
>> 
>> If it helps. The old 3.0.6 hovers around 30% CPU usage, while the new is way
>> down at 10%. At first I thought WOW, GREAT performance improvments, but I
>> guess it was too good to be true. :-/
>> 
>> I have also tested both versions of Argus on the same machine and they had
>> the same CPU usage numbers.
>> 
>> As mentioned I also compared ragraph's. On 3.0.7 they were WAY down at about
>> 1/6th of the usual traffic, until I reinstalled 3.0.6.
>> 
>> Both receiving servers are running Ubuntu 12.04.
>> 
>> 
>> Regards
>> Jesper
>> 
>> On 11-06-2013 16:19, Carter Bullard wrote:
>> 
>> Hey Jesper Skou Jensen,
>> So are you reading multiple interfaces at the same time?
>> 
>> We've got reports of very poor performance when we're binding or
>> dup'ing multiple interfaces, in some architectures.
>> 
>> If that's not it, there are a lot of new features in argus-3.0.7.x,
>> some of these maybe eating a lot of cycles.  If that's not it,
>> how are you running your comparisons?  Two argi on the same machine,
>> and interface?  Are you using PF_RING ???
>> 
>> This is important, as performance seems to have degraded for
>> multiple sites, so hopefully we can figure this out…..
>> 
>> Carter
>> 
>> 
>> On Jun 11, 2013, at 4:59 AM, Jesper Skou Jensen
>> <jesper.skou.jensen at uni-c.dk> wrote:
>> 
>> Hi guys,
>> 
>> I'm in the process of setting up a new Argus box and decided to try out the
>> newest development version of Argus instead of the somewhat old stable
>> version. BUT... It turns out that the new Argus isn't capturing remotely as
>> much data as the old one, and I'm trying to figure out why this is
>> happening, if it's an error at my end, or it's a bug. I hope you guys can
>> help out.
>> 
>> I have captured two identical streams on one Argus running 3.06.1 and
>> another running 3.0.7.2. Then I have selected the same 1 minute segment
>> (with the -t option) and are now comparing those.
>> 
>> # racount -r argus_3.0.6.1.ra
>> racount   records     total_pkts     src_pkts       dst_pkts total_bytes
>> src_bytes          dst_bytes
>>   sum   250712      3763810        2148834        1614976 2568139699
>> 641553337          1926586362
>> 
>> # racount -r argus_3.0.7.2.ra
>> racount   records     total_pkts     src_pkts       dst_pkts total_bytes
>> src_bytes          dst_bytes
>>   sum   109070      502597         322519         180078 385799043
>> 190698708          195100335
>> 
>> If I use ragraph to draw some graphs it's very clear that the 3.7.0.2
>> captures around 1/6th of the traffic.
>> 
>> Any ideas why?
> <argus.png>

More information about the argus mailing list