Question on Argus log file

David Edelman via Argus-info argus-info at lists.andrew.cmu.edu
Thu Jun 23 20:29:35 EDT 2016


It's not clear from your description if both of the devices are receiving
the same set of inbound packet traffic. If so, then I will suggest what I
always suggest as a first step - Use -X as the first option in the command
line for all of the argii and the radium instances. This ensures that you
are not including some long forgotten configuration file in the mix.

You should try running  racount -X -t n14:10:00-14:30:00 -r file1 -r file2
-r file3 -r fileN -M proto -M addr  on each of the devices for the full set
of files making up that time slice. It's a good idea to make sure that the
devices are synchronized to the same clock source; if not, fix that as step
0.

If the output of the racount() test indicates that there is still a
difference, then please post the outputs to this list and we may be able to
help a bit more.

--Dave
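An added illustration of the check Dave describes (this is example code written for this archive page, not part of the thread and not Argus or racount code): it splits constructed bidirectional packets across N instances with a direction-independent 5-tuple hash, the way Raj's load-sharing is described, then tallies the resulting flows per protocol and per address, which is what comparing `racount -M proto -M addr` output between the two devices amounts to. The packet list, the hash function, and the "dropped instance" failure case are all constructed assumptions; the point shown is that a hash-based split over 12 or 4 instances yields the same flow totals, so a persistent count difference between devices points at drops or a time-window mismatch rather than at the number of argii.

```python
import hashlib
from collections import Counter

# Constructed packets (proto, src, sport, dst, dport): both directions of
# five flows. Sample data for this example, not traffic from the thread.
PACKETS = [
    ("tcp", "10.0.0.1", 40000, "10.0.0.2", 80),
    ("tcp", "10.0.0.2", 80, "10.0.0.1", 40000),
    ("tcp", "10.0.0.3", 40001, "10.0.0.2", 443),
    ("tcp", "10.0.0.2", 443, "10.0.0.3", 40001),
    ("udp", "10.0.0.1", 5000, "10.0.0.4", 53),
    ("udp", "10.0.0.4", 53, "10.0.0.1", 5000),
    ("udp", "10.0.0.5", 5001, "10.0.0.4", 53),
    ("udp", "10.0.0.4", 53, "10.0.0.5", 5001),
    ("tcp", "10.0.0.6", 40002, "10.0.0.2", 80),
    ("tcp", "10.0.0.2", 80, "10.0.0.6", 40002),
]


def canonical(proto, src, sport, dst, dport):
    """Order the two endpoints so both directions of a flow map to one tuple."""
    a, b = (src, sport), (dst, dport)
    if a > b:
        a, b = b, a
    return (proto, a[0], a[1], b[0], b[1])


def instance_for(flow, n_instances):
    """Assumed load-sharing hash: digest of the canonical 5-tuple, so the
    forward and reverse directions always land on the same instance."""
    key = "|".join(str(x) for x in flow).encode()
    digest = hashlib.sha256(key).digest()
    return int.from_bytes(digest[:4], "big") % n_instances


def device_flows(packets, n_instances, dropped_instance=None):
    """Simulate one device: each packet goes to its hashed instance and each
    instance records one flow per distinct canonical tuple. dropped_instance
    is a constructed failure case: that instance's traffic is lost."""
    seen = {}
    for pkt in packets:
        flow = canonical(*pkt)
        if instance_for(flow, n_instances) == dropped_instance:
            continue
        seen[flow] = True
    return list(seen)


def summarize(flows):
    """Per-protocol and per-address flow counts, the two views that
    `racount -M proto -M addr` reports for a time slice."""
    by_proto, by_addr = Counter(), Counter()
    for proto, a_ip, _, b_ip, _ in flows:
        by_proto[proto] += 1
        by_addr[a_ip] += 1
        by_addr[b_ip] += 1
    return by_proto, by_addr


def compare(counts_a, counts_b):
    """Keys whose counts differ between devices: key -> (a, b, percent diff)."""
    diffs = {}
    for key in set(counts_a) | set(counts_b):
        a, b = counts_a.get(key, 0), counts_b.get(key, 0)
        if a != b:
            diffs[key] = (a, b, round(100.0 * abs(a - b) / max(a, b), 1))
    return diffs


if __name__ == "__main__":
    # Healthy case: 12 instances vs 4 instances, same packets, no loss.
    proto_12, addr_12 = summarize(device_flows(PACKETS, 12))
    proto_4, addr_4 = summarize(device_flows(PACKETS, 4))
    print("proto diff (12 vs 4 argii):", compare(proto_12, proto_4))
    print("addr diff  (12 vs 4 argii):", compare(addr_12, addr_4))
    # Failure case: the 4-instance device loses one instance's traffic.
    lost = instance_for(canonical(*PACKETS[0]), 4)
    proto_lossy, _ = summarize(device_flows(PACKETS, 4, dropped_instance=lost))
    print("proto diff (one instance dropped):", compare(proto_12, proto_lossy))
```

Run against real data, the equivalent is simply diffing the racount tables from both devices for the same time slice; the discrepancy percentage computed by compare() is the number to watch, since a few percent can be clock skew at the slice boundaries while a steady 10 to 30 percent on one protocol or one host is what a dropped or stalled instance looks like.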

From: Argus-info
[mailto:argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu] On
Behalf Of Raj Srinivasan via Argus-info
Sent: Thursday, June 23, 2016 4:51 PM
To: argus-info at lists.andrew.cmu.edu
Subject: [ARGUS] Question on Argus log file

Hello,

We are observing a situation which we don't understand. First, the details.

We run Argus on two different platforms, each with multiple instances of
Argus. Incoming network traffic into the box is load-shared so that each
instance receives a portion of the incoming traffic. The way the traffic is
load-shared ensures that for a given flow (tcp or udp), both directions of
the flow will be sent to the same argus instance.

Now, the two platforms use slightly different methods of load-sharing
(IP/tcp/udp headers are hashed differently). In the low end platform,
traffic is load-shared to 12 argii with each running in its own CPU, and in
the high end platform, traffic is load-shared to 4 argii (with each instance
bound to a specific core). In both cases, we use radium (running on the
system) to collect data (over tcp) from the different argii and create logs.
In both cases, the log files are rotated every 5 minutes.

The log files we see in the high end platform (with 4 argii) are
consistently smaller. We have checked out the platform, and are of the
belief that no packets or flows are being dropped.

Is it possible that because of the way flows are distributed, the platform
with fewer argii is creating smaller log files? The discrepancy varies from
around 10% to as much as 30% or higher, and seems to be independent of the
volume of incoming traffic (peak and low traffic times both show this
difference in log file sizes). We are using the same configuration for Argus
and Radium in both systems.

Is this reasonable/expected? Would very much appreciate a response!

Thanks,

Raj
