Rabins and netflow 5 failure

Richard Rothwell via Argus-info argus-info at lists.andrew.cmu.edu
Thu Jul 7 21:19:02 EDT 2016


Hi Carter,

I attempted to use a netflow 5 stream instead of netflow 9 as input into rabins.
This is causing problems.

As background:
I rewrote InSight’s rabins output data parser to batch the rabins output by line count, rather than by management STOP records.
This was intended to work around the problem with infrequent Argus STOP records when rabins processes Netflow 5.
This seems to have been successful.
The new parser works with both Netflow 5 and Netflow 9 streams.

When using Netflow 5 there are 2 problems:

1. The timestamps of the rabins Argus records seem to be wrong. They are piled up in a narrow range of time.

2. Rabins dies after about 20 minutes of processing.

When using Netflow 9 everything is OK.
It runs indefinitely and the timestamps are fine.

I recompiled rabins with debugging on and executed it as follows:
/usr/local/bin/rabins -D 10 -S 10.169.13.231:562 -M time 60s -B 60s -f /db/farm/elephant/racluster.conf -F /db/farm/elephant/rarc > rabins_netflow5.out 2> rabins_errors.txt &

This produces a 1.5Gig file. The last time anything interesting happens is at the 98% point in the file. There’s just lots of ArgusFree after that.
I am attaching an extract at that point.
There is no obvious issue apart from a queue running out of content.

Regards
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: rabins_stderr.txt
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20160708/571f2ed2/attachment.txt>

