ARGUS Binary Size

Carter Bullard carter at qosient.com
Mon Aug 4 16:18:41 EDT 2014 

Hey James,
~2M records should run around 0.5-1G bytes of flow records,
depending on the types of flows.  Run this:

   % racount -M proto -r argus.13.50

That will give you some idea of the mix. Also if there are
VLAN tags, MPLS labels, they add a little bit to each record.
TCP records generate the most data to store, so if you have
a lot of them, then 1G may not be outrageous for 2M flow
records.

Argus records compress well, so gzipping them may make you
happier.  All the ra* programs can read compressed argus
data files, so that may be of help.

If you aren’t interested in TCP loss and performance data,
you maybe able to reduce the binary sizes by stripping out
the ‘net’ DSR.

   % ra -r argus.13.50 -M dsrs="-net” -w /tmp/argus.13.50

and compare the sizes.  The Network DSR has a lot of good
stuff in it, but if you’re wanting to get the record size
down, that may help.

Carter


On Aug 4, 2014, at 4:02 PM, James Grace <jgrac002 at fiu.edu> wrote:

> Carter, 
> 
> Here is the flow records for a 5 minute trace:
> 
> /flows/South/2014/07/31$ racount -r argus.13.50
> 
> racount   records     total_pkts     src_pkts       dst_pkts       total_bytes        src_bytes          dst_bytes
> 
> 
> sum   1764263     35097518       24751551       10345967       43920187649        30233499247        13686688402   
> 
> I'm currently not running argus off of an argus.conf -- I imagine it's using default values. 
> 
> 
> 
> Thanks, 
> 
> -james
> 
> 
> 
> 
> 
> On Mon, Aug 4, 2014 at 3:58 PM, Carter Bullard <carter at qosient.com> wrote:
> Hey James,
> Could be you’re seeing a lot of flows.  How many flow records are being stored?
> 
>    % racount -r argus.data.file.5m
> 
> Depending on the configuration, a flow record can be anywhere from 100-1K bytes
> per record, on the average.  Argus output size is not sensitive to packet size,
> except when its capturing user data. This is controlled by the
> ARGUS_CAPTURE_DATA_LEN variable in the /etc/argus.conf file, if you have one...
> 
> What is that set to ????
> 
> Carter
> 
> On Aug 4, 2014, at 3:50 PM, James Grace <jgrac002 at fiu.edu> wrote:
> 
> > Good afternoon List,
> >
> > I've been collecting traces using argus and rastream off of a  DAG8.1SX.  The link is running right around 2.3Gb/s.  I've been looking into the argus.conf manpage to see if there is a way to limit the packet length stored by rastream or argus.
> >
> > Right now, if I run argus and rastream with these flags"
> >
> > #argus -d -i dag0 -P 561
> >
> > #rastream -S localhost -M time 5m -w /flows/South/%Y/%m/%d/argus.%H.%M -D 3&
> >
> > I'm getting rather large binaries for 5 minutes -- right around 1GB.  I have a feeling its grabbing all 9000bytes of the jumbo frame. Is there a workaround for this?
> >
> > Thanks a bunch!
> >
> > James
> >
> 
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20140804/40c01937/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20140804/40c01937/attachment.sig>

More information about the argus mailing list