ARGUS Binary Size

Carter Bullard carter at qosient.com
Thu Aug 7 14:16:13 EDT 2014


Hey James,
Try to remove some of the dsrs that argus is providing
and see if you can get away with it.

   ra -r argus.13.50 -w argus.test -M dsrs="-net,-encaps,-ipattr,-icmp"

You didn’t mention metrics, so I’ll assume that you do want pkt
counts and bytes.

So how are you collecting the records now?  You can use the
“-M dsrs=“-net,….” on a radium command line, or whatever ra*
program you’re using.

Carter

On Aug 7, 2014, at 12:21 PM, James Grace <jgrac002 at fiu.edu> wrote:

> Hi Carter, 
> 
> In reality, we are only interested in Layer2 information (VLAN, MAC, etc.), with some basic Layer3 stuff such as Src/Dst IP address, and then we use ralabel to add on ASN information. 
> 
> What would be the best argus flags to remove anything beyond this?
> 
> Thanks, 
> -james
> 
> 
> 
> On Mon, Aug 4, 2014 at 4:18 PM, Carter Bullard <carter at qosient.com> wrote:
> Hey James,
> ~2M records should run around 0.5-1G bytes of flow records,
> depending on the types of flows.  Run this:
> 
>    % racount -M proto -r argus.13.50
> 
> That will give you some idea of the mix. Also if there are
> VLAN tags, MPLS labels, they add a little bit to each record.
> TCP records generate the most data to store, so if you have
> a lot of them, then 1G may not be outrageous for 2M flow
> records.
> 
> Argus records compress well, so gzipping them may make you
> happier.  All the ra* programs can read compressed argus
> data files, so that may be of help.
> 
> If you aren’t interested in TCP loss and performance data,
> you may be able to reduce the binary sizes by stripping out
> the ‘net’ DSR.
> 
>    % ra -r argus.13.50 -M dsrs="-net" -w /tmp/argus.13.50
> 
> and compare the sizes.  The Network DSR has a lot of good
> stuff in it, but if you’re wanting to get the record size
> down, that may help.
> 
> Carter
> 
> 
> On Aug 4, 2014, at 4:02 PM, James Grace <jgrac002 at fiu.edu> wrote:
> 
>> Carter, 
>> 
>> Here are the flow records for a 5 minute trace:
>> 
>> /flows/South/2014/07/31$ racount -r argus.13.50
>> 
>> racount   records     total_pkts     src_pkts       dst_pkts       total_bytes        src_bytes          dst_bytes
>> 
>> 
>> sum   1764263     35097518       24751551       10345967       43920187649        30233499247        13686688402   
>> 
>> I'm currently not running argus off of an argus.conf -- I imagine it's using default values. 
>> 
>> 
>> 
>> Thanks, 
>> 
>> -james
>> 
>> 
>> 
>> 
>> 
>> On Mon, Aug 4, 2014 at 3:58 PM, Carter Bullard <carter at qosient.com> wrote:
>> Hey James,
>> Could be you’re seeing a lot of flows.  How many flow records are being stored?
>> 
>>    % racount -r argus.data.file.5m
>> 
>> Depending on the configuration, a flow record can be anywhere from 100-1K bytes
>> per record, on the average.  Argus output size is not sensitive to packet size,
>> except when it’s capturing user data. This is controlled by the
>> ARGUS_CAPTURE_DATA_LEN variable in the /etc/argus.conf file, if you have one...
>> 
>> What is that set to ????
>> 
>> Carter
>> 
>> On Aug 4, 2014, at 3:50 PM, James Grace <jgrac002 at fiu.edu> wrote:
>> 
>> > Good afternoon List,
>> >
>> > I've been collecting traces using argus and rastream off of a  DAG8.1SX.  The link is running right around 2.3Gb/s.  I've been looking into the argus.conf manpage to see if there is a way to limit the packet length stored by rastream or argus.
>> >
>> > Right now, if I run argus and rastream with these flags:
>> >
>> > #argus -d -i dag0 -P 561
>> >
>> > #rastream -S localhost -M time 5m -w /flows/South/%Y/%m/%d/argus.%H.%M -D 3&
>> >
>> > I'm getting rather large binaries for 5 minutes -- right around 1GB.  I have a feeling it's grabbing all 9000 bytes of the jumbo frame. Is there a workaround for this?
>> >
>> > Thanks a bunch!
>> >
>> > James
>> >
>> 
>> 
> 
> 
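
The "strip some DSRs and compare the sizes" test suggested in the thread, as an added example that is not part of the original messages: it rewrites one argus file with several `-M dsrs=` settings and reports raw and gzipped size for each. It assumes `ra`, `gzip` and `mktemp` are on the PATH; the function names and the list of DSR sets tried are hypothetical, and only the `ra` options quoted in the thread (`-r`, `-w`, `-M dsrs=`) are used.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: measure how much each DSR-stripping
# choice shrinks an argus file, raw and gzipped.

size_of()    { wc -c < "$1" | tr -d ' '; }          # byte count of a file
gz_size_of() { gzip -c "$1" | wc -c | tr -d ' '; }  # byte count after gzip

# dsr_size_report INPUT DSR_SPEC...
# Prints one row per spec: dsrs, raw bytes, gzip bytes, raw size as % of input.
dsr_size_report() {
    local src="$1"; shift
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    local base; base=$(size_of "$src")
    [ "$base" -gt 0 ] || { echo "$src is empty" >&2; return 1; }
    local tmp; tmp=$(mktemp -d) || return 1
    printf '%-28s %12s %12s %6s\n' dsrs raw_bytes gz_bytes pct
    printf '%-28s %12s %12s %6s\n' "(original)" "$base" "$(gz_size_of "$src")" 100
    local spec out raw
    for spec in "$@"; do
        out="$tmp/out.argus"
        rm -f "$out"
        # Same invocation as in the thread, with the DSR list substituted.
        if ! ra -r "$src" -w "$out" -M dsrs="$spec" || [ ! -s "$out" ]; then
            echo "ra produced no output for dsrs=$spec" >&2
            continue
        fi
        raw=$(size_of "$out")
        printf '%-28s %12s %12s %6s\n' "$spec" "$raw" "$(gz_size_of "$out")" \
            "$(( raw * 100 / base ))"
    done
    rm -rf "$tmp"
}

# Run only when given a file, e.g.: ./dsr_sizes.sh argus.13.50
if [ "$#" -ge 1 ]; then
    dsr_size_report "$1" "-net" "-net,-encaps" "-net,-encaps,-ipattr,-icmp"
fi
```

Check that the fields you still need (for example VLAN and MAC) print correctly from the stripped file before applying the same `-M dsrs=` setting to the collection pipeline.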
