ARGUS Binary Size
James Grace
jgrac002 at fiu.edu
Thu Aug 7 12:21:14 EDT 2014
Hi Carter,
In reality, we are only interested in Layer2 information (VLAN, MAC, etc.),
with some basic Layer3 stuff such as Src/Dst IP address, and then we use
ralabel to add on ASN information.
What would be the best argus flags to remove anything beyond this?
Thanks,
-james
On Mon, Aug 4, 2014 at 4:18 PM, Carter Bullard <carter at qosient.com> wrote:
> Hey James,
> ~2M records should run around 0.5-1G bytes of flow records,
> depending on the types of flows. Run this:
>
> % racount -M proto -r argus.13.50
>
> That will give you some idea of the mix. Also if there are
> VLAN tags, MPLS labels, they add a little bit to each record.
> TCP records generate the most data to store, so if you have
> a lot of them, then 1G may not be outrageous for 2M flow
> records.
>
> Argus records compress well, so gzipping them may make you
> happier. All the ra* programs can read compressed argus
> data files, so that may be of help.
>
> If you aren’t interested in TCP loss and performance data,
> you may be able to reduce the binary sizes by stripping out
> the ‘net’ DSR.
>
> % ra -r argus.13.50 -M dsrs="-net" -w /tmp/argus.13.50
>
> and compare the sizes. The Network DSR has a lot of good
> stuff in it, but if you’re wanting to get the record size
> down, that may help.
>
> Carter
>
>
> On Aug 4, 2014, at 4:02 PM, James Grace <jgrac002 at fiu.edu> wrote:
>
> Carter,
>
> Here are the flow records for a 5 minute trace:
>
> /flows/South/2014/07/31$ racount -r argus.13.50
>
> racount   records   total_pkts   src_pkts   dst_pkts   total_bytes   src_bytes     dst_bytes
> sum       1764263   35097518     24751551   10345967   43920187649   30233499247   13686688402
>
> I'm currently not running argus off of an argus.conf -- I imagine it's
> using default values.
>
>
> Thanks,
>
> -james
>
>
>
>
> On Mon, Aug 4, 2014 at 3:58 PM, Carter Bullard <carter at qosient.com> wrote:
>
>> Hey James,
>> Could be you’re seeing a lot of flows. How many flow records are being
>> stored?
>>
>> % racount -r argus.data.file.5m
>>
>> Depending on the configuration, a flow record can be anywhere from 100-1K
>> bytes per record, on the average. Argus output size is not sensitive to
>> packet size, except when it's capturing user data. This is controlled by the
>> ARGUS_CAPTURE_DATA_LEN variable in the /etc/argus.conf file, if you have
>> one...
>>
>> What is that set to ????
>>
>> Carter
>>
>> On Aug 4, 2014, at 3:50 PM, James Grace <jgrac002 at fiu.edu> wrote:
>>
>> > Good afternoon List,
>> >
>> > I've been collecting traces using argus and rastream off of a
>> > DAG8.1SX. The link is running right around 2.3Gb/s. I've been looking
>> > into the argus.conf manpage to see if there is a way to limit the packet
>> > length stored by rastream or argus.
>> >
>> > Right now, if I run argus and rastream with these flags:
>> >
>> > #argus -d -i dag0 -P 561
>> >
>> > #rastream -S localhost -M time 5m -w /flows/South/%Y/%m/%d/argus.%H.%M -D 3&
>> >
>> > I'm getting rather large binaries for 5 minutes -- right around 1GB. I
>> > have a feeling it's grabbing all 9000 bytes of the jumbo frame. Is there a
>> > workaround for this?
>> >
>> > Thanks a bunch!
>> >
>> > James
>> >
>>
>>
>
>