ra reads argus file very slow
Zi Hu
zihu at usc.edu
Wed Oct 30 18:34:17 EDT 2013
Hi, Carter,
In my application, I need a simple tool to read what is in the argus
file, then output certain fields that I am interested in, in ASCII format, such
as srcip, dstip, sport, dport, protocol, ....
I thought the command "ra" is what I need. However, I find it is very slow
to read the argus data with "ra". I did a small experiment: dump the same
argus file (about 2G) with both "ra" and "cat".
Using the "ra" command, it took me about 87 minutes to read the file, while
it took only 40 seconds to dump it with "cat", and I also notice that the
memory keeps growing when I am running "ra".
zihu at proton:~$ time cat 2013-09-01-0700/temp/20130831-223000-hWukIYC-lander4.argus > temp.dat
real 0m39.490s
user 0m0.027s
sys 0m4.204s
zihu at proton:~$ time ra -r 2013-09-01-0700/temp/20130831-223000-hWukIYC-lander4.argus -u > temp.dat
real 87m40.973s
user 86m42.397s
sys 0m56.256s
zihu at proton:~$
So I guess "ra" does more than just reading the argus file, formatting and
outputting the result. Does "ra" keep track of flows in memory so that the
memory keeps growing?
If "ra" is not the right choice for my application, then what's the right
command for this simple application? Or if we don't have such a tool, I am
thinking of writing one by myself. Could you point me to where to start? Any
suggestions are welcome.
Thanks
-Zi