Argus, CPU load and threading

Jesper Skou Jensen jesper.skou.jensen at uni-c.dk
Wed Jun 26 11:00:23 EDT 2013 

Hi guys,

Short version:
In short, am I right to assume that Argus isn't particularly well suited 
for multi core/threads? As in, it doesn't use much more than two cores 
at a time, even if the CPU has many more cores that are idling?

Long version:
I recently upgraded my Argus box from an older Dell (Quad Core Xeon 
E5410 - 2.33GHz) to a brand spanking new HP (2x Octa Core Xeon E5-2650 - 
2GHz), in that process I expected Argus to perform a lot better, but 
that doesn't look like it's the case, and I'm wondering why.

Is Argus very dependent on Hz? I would expect the new CPU to blow the 
old one out of the water.

I still have the old and the new box running, both receiving the same 
mirror/monitor port traffic, and I've tried to compare the two. Both 
boxes are running Argus 3.0.6.1 with the same settings/options at the 
moment - Until I get 3.0.7.3 installed on my new box, having a few 
issues with it not compiling right.

During normal network load, they show a CPU load:
OldBox: 23%
NewBox: 35%
and Argus captures all packets on both servers just fine.

During a heavy network load (DDoS) I have previously noticed the CPU 
load to hover around 180-190% on the old box, unfortunately I haven't 
observed the new box during a DDoS but I'm expecting it to be around the 
same numbers.

NOW for the important part...

It appears that the new box is dropping packets, compared to the old one. :(

The old one does drop packets during a DDoS, I know that for sure, but 
that the new one wouldn't be able to cope is a small mystery to me.

I have compared a few minutes before, during and after the DDoS in question.

:~$ racount -r argusfile.ra_oldbox
racount   records     total_pkts     src_pkts       dst_pkts 
total_bytes        src_bytes          dst_bytes
     sum   6221694     16046917       11623543       4423374 
8917614173         2212376654         6705237519

:~$ racount -r argusfile.ra_newbox
racount   records     total_pkts     src_pkts       dst_pkts 
total_bytes        src_bytes          dst_bytes
     sum   5366008     15231963       10608231       4623732 
8854037128         2159179022         6694858106

ragraph confirms it, there is a noticeable drop in bytes/sec, while 
pkts/sec appears almost the same.

Do you guys have any good ideas/explanations for this behavior?


Regards
Jesper

More information about the argus mailing list