I have finally run out of a single CPU.
Carter Bullard
carter at qosient.com
Tue May 22 11:31:32 EDT 2018
Hey Russell,
Argus has been multi-threaded for almost a decade now, lots and lots of 10 and 40G argi out there and we have 100G argus available as a product today. We still suggest that for high performance you use packet capture cards with their integrated flow steering support, but if that is not an option, and you’re using open source Argus, af_packet with flow load balancing, should work … but we don’t have native AF_PACKET socket support in the code today ...
To stay in line with using libpcap interfaces, so that current argus doesn’t change at all, you can look at https://github.com/nizq/libpcap-fanout <https://github.com/nizq/libpcap-fanout>. This is based on PFQ, which uses af_packet I’m thinking … it should generate virtual devices that you should be able to open, specified in the argus.conf file (use ind(pendant) interfaces) and you get an argus thread per interface. Will need to link to this version of libpcap in the ./configure run …
Holler if you go down this path and have any issues … also, if you get amazing results, it would be good to hear the experiences. !!!!
Hope all is most excellent,
Carter
> On May 21, 2018, at 10:11 PM, Russell Fulton <r.fulton at auckland.ac.nz> wrote:
>
> Hi
> All the argus processes on my sensors are now sitting on 100% cpu and presumably dropping data. One obvious approach is to use filters and multiple argus processes, unless argus has the ability to multi-thread processing.
>
> Google turns up this tantalising snippet from http://qosient.com/argus/news.shtml:
>
>> Mar 11 13:41:48 EST 2011 – Argus 3.0.4 Released
>> Argus 3.0.4 and its clients are now available. Changes for 3.0.4 include enhanced multi-threaded support,
>
> But I can find nothing else on the subject.
>
> So what are people doing with argus on 10G links?
>
> I am running suricata (with af-packet) and that is going nicely and I should have enough memory and CPU to run argus as well.
>
> Russell
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20180522/0daaf290/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4045 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20180522/0daaf290/attachment.bin>
More information about the argus
mailing list