Rabins and netflow 5 failure

Carter Bullard via Argus-info argus-info at lists.andrew.cmu.edu
Fri Jul 8 08:59:45 EDT 2016


Richard,
rabins.1 didn’t fail, it simply exited.  Your extract doesn’t show any errors, just the normal closing sequences of deallocating all the memory.

To address your problem, you need the flow data that rabins is processing. If you can generate a data file that replicates these problems, then we can work on that situation. I have suggested that you collect a bunch of netflow records using ra.1 writing them to a file, so that we can catch the data that may be generating your problem. If there are errors parsing the records, the problem will be in the argus data file.

It looks like you are using radium to collect the netflow data ???  

Carter

> On Jul 7, 2016, at 9:19 PM, Richard Rothwell via Argus-info <argus-info at lists.andrew.cmu.edu> wrote:
> 
> Hi Carter,
>  
> I attempted to use a netflow 5 stream instead of netflow 9 as input into rabins.
> This is causing problems.
>  
> As background:
> I rewrote InSight’s rabins output data parser to batch the rabins output by line count, rather than by management STOP records.
> This was intended to work around the problem with infrequent Argus STOP records when rabins processes Netflow 5.
> This seems to have been successful.
> The new parser works with both Netflow 5 and Netflow 9 streams.
>  
> When using Netflow 5 there are 2 problems:
> 1. The timestamps of the rabins Argus records seem to be wrong. They are piled up in a narrow range of time.
> 2. Rabins dies after about 20 minutes of processing.
>  
> When using Netflow 9 everything is OK.
> It runs indefinitely and the timestamps are fine.
>  
> I recompiled rabins with debugging on and executed it as follows:
> /usr/local/bin/rabins -D 10 -S 10.169.13.231:562 -M time 60s -B 60s -f /db/farm/elephant/racluster.conf -F /db/farm/elephant/rarc > rabins_netflow5.out 2> rabins_errors.txt &
>  
> This produces a 1.5Gig file. The last time anything interesting happens is at the 98% point in the file. There’s just lots of ArgusFree after that.
> I am attaching an extract at that point.
> There is no obvious issue apart from a queue running out of content.
>  
> Regards
> <rabins_stderr.txt>
