Question on Argus log file

Peter Van Epp via Argus-info argus-info at lists.andrew.cmu.edu
Thu Jun 23 19:46:50 EDT 2016


On Thu, Jun 23, 2016 at 08:50:42PM +0000, Raj Srinivasan via Argus-info wrote:
> Hello,
> 
> We are observing a situation which we don't understand. First, the details...
> 
> We run Argus on two different platforms, each with multiple instances of Argus. Incoming network traffic into the box is load-shared so that each instance receives a portion of the incoming traffic. The way the traffic is load-shared ensures that for a given flow (tcp or udp), both directions of the flow will be sent to the same argus instance.
> 
<snip>

	I don't know if this is feasible in your environment or not, but what
I used to do in cases like this is either use tcpreplay to replay the same 
pcap file to argus (if I needed to test through the interfaces) or feed argus
the pcap file directly and then use ra on the argus output to make sure 
everything I expected to be there was in fact present. There are so many 
variables that can affect things that you need to have a stable and preferably
repeatable data stream to test with. In your case what I'd try is to arrange 
the same data stream to go to one of each of your different argus instances 
(so both should be seeing the same input data) and then use ra to see if the 
data output from each instance is the same. Note that sample interval 
differences may make non-aggregated output somewhat different, but over 
the interval the aggregated flow data should be identical. That should tell 
you if the data is being correctly collected in both cases (which is what's most
important). If they are different you need to find out why: loss somewhere, or
a difference in output due to load balancing differences. If the aggregated
data is the same then you are probably looking at sample interval differences
in the two data streams, as one cause for different log file sizes would be a 
different sample interval: with a shorter sample interval a long flow 
will generate multiple segments, which increases the log file size without 
affecting the actual data (there are just more data points in the log file). 
That may be what is happening here. 

Peter Van Epp
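The comparison step Peter describes (feed both instances the same data, then check that the per-flow totals agree once the status-interval segmentation is aggregated away), as an added example that is not part of the original post or of the argus project. The three CSV samples are constructed, not real captures; they are assumed to have the shape of `ra -n -r inst.argus -c , -s stime ltime saddr daddr proto sport dport spkts dpkts sbytes dbytes` output, and the header labels used are an assumption about ra's column names. Instance A is modelled with a 60 s status interval, instance B with a 5 s interval (same traffic, more records), and instance C with one segment missing to stand in for loss.

```python
"""Compare flow data from two argus instances fed the same traffic.

Aggregates status records per 5-tuple (the same idea as running the
output through racluster) so that a shorter status interval, which only
splits a long flow into more segments, does not look like a difference,
while genuine loss or a load-balancing split still shows up.
"""
import csv
import io

# Constructed sample ra output (assumed columns/labels, see lead-in).
# Instance A: 60 s status interval, so the 12 s TCP session is one record.
RA_A = """\
StartTime,LastTime,SrcAddr,DstAddr,Proto,Sport,Dport,SrcPkts,DstPkts,SrcBytes,DstBytes
1466700000.000000,1466700012.000000,10.0.0.5,10.0.0.9,tcp,51000,443,40,38,6000,40000
1466700001.000000,1466700001.010000,10.0.0.5,10.0.0.2,udp,40000,53,1,1,60,180
"""
# Instance B: 5 s status interval, so the same session is three partial
# records whose counters add up to the single record above.
RA_B = """\
StartTime,LastTime,SrcAddr,DstAddr,Proto,Sport,Dport,SrcPkts,DstPkts,SrcBytes,DstBytes
1466700000.000000,1466700005.000000,10.0.0.5,10.0.0.9,tcp,51000,443,15,14,2250,15000
1466700005.000000,1466700010.000000,10.0.0.5,10.0.0.9,tcp,51000,443,15,14,2250,15000
1466700010.000000,1466700012.000000,10.0.0.5,10.0.0.9,tcp,51000,443,10,10,1500,10000
1466700001.000000,1466700001.010000,10.0.0.5,10.0.0.2,udp,40000,53,1,1,60,180
"""
# Instance C: like B, but the last segment of the TCP session never
# arrived (simulated loss); aggregation must not hide this.
RA_C_LOSSY = """\
StartTime,LastTime,SrcAddr,DstAddr,Proto,Sport,Dport,SrcPkts,DstPkts,SrcBytes,DstBytes
1466700000.000000,1466700005.000000,10.0.0.5,10.0.0.9,tcp,51000,443,15,14,2250,15000
1466700005.000000,1466700010.000000,10.0.0.5,10.0.0.9,tcp,51000,443,15,14,2250,15000
1466700001.000000,1466700001.010000,10.0.0.5,10.0.0.2,udp,40000,53,1,1,60,180
"""

KEY = ("SrcAddr", "DstAddr", "Proto", "Sport", "Dport")
COUNTERS = ("SrcPkts", "DstPkts", "SrcBytes", "DstBytes")


def parse_ra(text):
    """Parse comma-delimited ra output into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def record_count(text):
    """Number of status records; differs between instances with
    different status intervals even when the traffic is identical."""
    return len(parse_ra(text))


def aggregate(records):
    """Merge all status records of one 5-tuple: sum the counters and
    widen the time span, so interval length no longer matters."""
    agg = {}
    for r in records:
        k = tuple(r[f] for f in KEY)
        if k not in agg:
            agg[k] = {c: 0 for c in COUNTERS}
            agg[k]["StartTime"] = float(r["StartTime"])
            agg[k]["LastTime"] = float(r["LastTime"])
        a = agg[k]
        for c in COUNTERS:
            a[c] += int(r[c])
        a["StartTime"] = min(a["StartTime"], float(r["StartTime"]))
        a["LastTime"] = max(a["LastTime"], float(r["LastTime"]))
    return agg


def compare(a_text, b_text):
    """Return a list of discrepancies between the aggregated flow data of
    two instances A and B; an empty list means both collected the same
    traffic, regardless of how many records each wrote."""
    a, b = aggregate(parse_ra(a_text)), aggregate(parse_ra(b_text))
    problems = []
    for k in sorted(set(a) | set(b)):
        if k not in a or k not in b:
            problems.append(f"{k}: present only in {'A' if k in a else 'B'}")
            continue
        for c in COUNTERS:
            if a[k][c] != b[k][c]:
                problems.append(f"{k}: {c} A={a[k][c]} B={b[k][c]}")
    return problems


if __name__ == "__main__":
    print("records A/B:", record_count(RA_A), record_count(RA_B))
    print("A vs B:", compare(RA_A, RA_B) or "aggregated data identical")
    for p in compare(RA_A, RA_C_LOSSY):
        print("A vs C:", p)
```

Running it shows A and B writing 2 and 4 records for the same traffic with no aggregated difference, which is the "bigger log file, same data" case Peter suspects; against C it reports the four counter mismatches on the TCP flow, which is the "find out why" case. On real output, swap the constructed strings for files produced by ra on each instance's argus data, and compare the aggregation keys to whatever flow model the load balancer hashes on if the per-flow totals disagree only for some tuples.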


