ARGUS Binary Size

David Edelman dedelman at iname.com
Thu Aug 7 23:50:43 EDT 2014


There are strange things done in the midnight sun by config files that hang
around waiting for a trusting soul.

I suggest that you try adding -X as the first item in your command line just
to be sure that someone, sometime didn't configure /etc/argus to capture
2048 bytes of user data or something else that takes up space.

-Dave




From:  James Grace <jgrac002 at fiu.edu>
Date:  Monday, August 4, 2014 at 8:02 PM
To:  Carter Bullard <carter at qosient.com>
Cc:  Argus <argus-info at lists.andrew.cmu.edu>
Subject:  Re: [ARGUS] ARGUS Binary Size

Carter, 

Here are the flow records for a 5 minute trace:

/flows/South/2014/07/31$ racount -r argus.13.50

racount   records     total_pkts     src_pkts       dst_pkts       total_bytes        src_bytes          dst_bytes

sum       1764263     35097518       24751551       10345967       43920187649        30233499247        13686688402

I'm currently not running argus off of an argus.conf -- I imagine it's using
default values. 



Thanks, 

-james




On Mon, Aug 4, 2014 at 3:58 PM, Carter Bullard <carter at qosient.com> wrote:
> Hey James,
> Could be you're seeing a lot of flows.  How many flow records are being
> stored?
> 
>    % racount -r argus.data.file.5m
> 
> Depending on the configuration, a flow record can be anywhere from 100-1K
> bytes per record, on the average.  Argus output size is not sensitive to
> packet size, except when it's capturing user data. This is controlled by the
> ARGUS_CAPTURE_DATA_LEN variable in the /etc/argus.conf file, if you have
> one...
> 
> What is that set to ????
> 
> Carter
> 
> On Aug 4, 2014, at 3:50 PM, James Grace <jgrac002 at fiu.edu> wrote:
> 
>> Good afternoon List,
>>
>> I've been collecting traces using argus and rastream off of a DAG8.1SX.
>> The link is running right around 2.3Gb/s.  I've been looking into the
>> argus.conf manpage to see if there is a way to limit the packet length stored
>> by rastream or argus.
>>
>> Right now, if I run argus and rastream with these flags:
>>
>> #argus -d -i dag0 -P 561
>>
>> #rastream -S localhost -M time 5m -w /flows/South/%Y/%m/%d/argus.%H.%M -D 3&
>>
>> I'm getting rather large binaries for 5 minutes -- right around 1GB.  I
>> have a feeling it's grabbing all 9000 bytes of the jumbo frame. Is there a
>> workaround for this?
>>
>> Thanks a bunch!
>>
>> James
>>
> 
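
The two checks discussed in this thread (is ARGUS_CAPTURE_DATA_LEN set in a config file, and does the average record size fall inside the 100-1K bytes range Carter gives), as an added example that is not part of the original messages or of the argus distribution. The function names are hypothetical, the "right around 1GB" file is taken as 1000000000 bytes, and the config is assumed to be KEY=value lines with # comments where the last uncommented assignment wins.

```shell
#!/bin/sh
# Added example (not from the thread): triage a large argus output file.

# capture_len CONF: print the last uncommented ARGUS_CAPTURE_DATA_LEN value
# found in CONF, or 0 when it is not set (assumption: last assignment wins).
capture_len() {
    awk -F= '
        /^[ \t]*#/ { next }                      # skip commented-out lines
        $1 ~ /^[ \t]*ARGUS_CAPTURE_DATA_LEN[ \t]*$/ {
            v = $2
            sub(/#.*/, "", v)                    # drop a trailing comment
            gsub(/[ \t"]/, "", v)                # drop blanks and quotes
            val = v
        }
        END { print (val == "" ? 0 : val) }
    ' "$1"
}

# bytes_per_record FILE_BYTES RECORDS: integer average size of one record.
bytes_per_record() {
    echo $(( $1 / $2 ))
}

# diagnose FILE_BYTES RECORDS CONF: say what most likely explains the size.
diagnose() {
    avg=$(bytes_per_record "$1" "$2")
    len=$(capture_len "$3")
    if [ "$len" -gt 0 ]; then
        echo "payload-capture len=$len avg=$avg"  # user data is being stored
    elif [ "$avg" -gt 1000 ]; then
        echo "oversized avg=$avg"                 # above the 1K upper bound
    else
        echo "flow-count avg=$avg"                # size follows record count
    fi
}

# James's numbers from the thread, with no config file present (/dev/null).
diagnose 1000000000 1764263 /dev/null

# Constructed sample config in which someone enabled 2048 bytes of user data.
conf=$(mktemp)
printf '%s\n' '#ARGUS_CAPTURE_DATA_LEN=10' 'ARGUS_CAPTURE_DATA_LEN=2048' > "$conf"
diagnose 1000000000 1764263 "$conf"
rm -f "$conf"
```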


