Big O Impact of Filters

Jason dn1nj4 at gmail.com
Wed May 14 17:53:33 EDT 2014


Hi Carter,

So I asked a very similar question last year
(http://comments.gmane.org/gmane.network.argus/9110), but I can't seem to
find a response.  I apologize if I'm just missing something or have just
forgotten.

I am trying once again to understand why there is such a significant impact
on the length of time it takes to run racluster when leveraging filters.
Here is the racluster.conf file I am testing:

filter="udp and port domain" model="saddr daddr proto sport dport" status=600 idle=10
filter="udp" model="saddr daddr proto sport dport" status=600 idle=60
filter="" model="saddr daddr proto sport dport" status=600 idle=600

And here are two runs against a single argus file.  The only difference is
whether or not I'm using the racluster.conf:

$ time racluster -f racluster.conf -r infile.bin -w outfile.bin -M rmon -u -c "," -m saddr proto sport dport -L0 -Z s -s stime saddr proto sport dport sbytes runtime dbytes trans state - not arp

real    2m42.935s
user    2m39.274s
sys     0m3.288s

$ time racluster -r infile.bin -w outfile.bin -M rmon -u -c "," -m saddr proto sport dport -L0 -Z s -s stime saddr proto sport dport sbytes runtime dbytes trans state - not arp

real    0m1.054s
user    0m0.944s
sys     0m0.108s

Why does the filtered option take exponentially longer?

Thanks!
Jason