Big O Impact of Filters

Carter Bullard carter at qosient.com
Thu May 15 10:20:01 EDT 2014 

Hey Jason,
Found the problem, and its a poor design assumption on my part.
Its a kind of a thrash between the status timer and the idle timer.
This does not affect rabins() or radium(), just racluster().

Fixing it now.

Carter

On May 14, 2014, at 5:53 PM, Jason <dn1nj4 at gmail.com> wrote:

> Hi Carter,
> 
> So I asked a very similar question last year (http://comments.gmane.org/gmane.network.argus/9110), but I can't seem to find a response.  I apologize if I'm just missing something or have just forgotten.
> 
> I am trying once again to understand why there is such a significant impact on the length of time it takes to run racluster when leveraging filters.  Here is the racluster.conf file I am testing: 
> 
> filter="udp and port domain" model="saddr daddr proto sport dport" status=600 idle=10
> filter="udp" model="saddr daddr proto sport dport" status=600 idle=60
> filter="" model="saddr daddr proto sport dport" status=600 idle=600
> 
> And here are two runs against a single argus file.  The only difference is whether or not I'm using the racluster.conf:
> 
> $ time racluster -f racluster.conf -r infile.bin -w outfile.bin -M rmon -u -c "," -m saddr proto sport dport -L0 -Z s -s stime saddr proto sport dport sbytes runtime dbytes trans state - not arp 
>  
> real    2m42.935s 
> user    2m39.274s 
> sys     0m3.288s 
>  
> $ time racluster -r infile.bin -w outfile.bin -M rmon -u -c "," -m saddr proto sport dport -L0 -Z s -s stime saddr proto sport dport sbytes runtime dbytes trans state - not arp 
>  
> real    0m1.054s 
> user    0m0.944s 
> sys     0m0.108s
> 
> Why does the filtered option take exponentially longer?
> 
> Thanks!
> Jason

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20140515/708f6472/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20140515/708f6472/attachment.sig>

More information about the argus mailing list