[ARGUS] About Argus

Carter Bullard carter at qosient.com
Thu Mar 31 09:21:58 EDT 2022


Hey Koohong,
There are a lot of internal timers!! But there is only one that will potentially decrease the number of flow records coming from argus. That is the ARGUS_FLOW_STATUS_INTERVAL.
This variable specifies how often argus will report on long lived flows. The default is 5 seconds, but you can increase that to any number. Some like 60.

What happens when you increase this variable? You will report on ongoing flows every 60 seconds, rather than 5s. If you have a lot of long lived flows, then the flow count will go down.

What are the negatives??? Well … #1 is you will use more memory, which can be a big problem. You will hold short lived flow caches in memory long after they are finished. #2 is that if you are processing real-time flows, your analytics won’t see network activity until 60 seconds after it occurs. For some, that is a non-starter. I like 5 seconds, so that live analytics can see traffic sooner, and then I post-process the files with the program racluster.1.

% racluster -r argus.file -w racluster.argus.out
% racount -r argus.file
% racount -r racluster.argus.out

If these counts from racount.1 are similar, then increasing the ARGUS_FLOW_STATUS_INTERVAL will not help you much, because the network traffic you are watching is composed of a lot of short flows. If that is the case, increasing the interval will just waste resources and make argus slower. BUT, if the numbers are really different, then increasing the ARGUS_FLOW_STATUS_INTERVAL will decrease argus’s output.

There are a few ra* programs that can help you manage the flow counts, racluster.1, rabins.1. It may be that they can help you.

Carter


> On Mar 31, 2022, at 2:39 AM, Koohong Kang <khkang at seowon.ac.kr> wrote:
> 
> Hello Carter,
> 
> Nowadays I am using your valuable tool Argus for my project.
> 
> By the way, I would like to ask a question about Argus.
> 
> As you know well, there are a number of state timers in the argus.conf files that expire the flows under the idle state. I am wondering what if we increase these timer values.
> 
> I think that if ARGUS_IP_TIMEOUT is increased from 30 to 60, then the number of generated flows should be decreased, because the flows under idle state stay much longer at the caches.
> 
> However, the results from Argus are the exact opposite of what I expected, that is, the number of flows is increased.
> 
> What am I doing wrong?
> 
> Could you give me any comments, please?
> 
> Thanks in advance,
> 
> Koohong
> 
> ----------------------------------------------
> Prof. Koohong Kang
> Dept. of Information and Communications Eng.
> Seowon University, Cheongju, 361-742, South Korea
> Tel:+82-43-299-8773, Fax:+82-43-299-8710
> Homepage: http://poisson.seowon.ac.kr
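The racluster/racount comparison Carter describes, and the memory cost he warns about, can be illustrated with a small model. This is an added example, not argus code and not Carter's: it assumes a simplified rule (one record per status window a flow touches, and a finished flow's cache held until the end of the window it finished in) on constructed traffic of 200 short lookups and 3 long transfers.

```python
import math
from dataclasses import dataclass

@dataclass
class Flow:
    key: str      # stand-in for the flow's 5-tuple
    start: float  # seconds since capture start
    end: float    # time of the flow's last packet

def status_records(flows, interval):
    """Records argus would write under this model: one per status window each flow touches."""
    return sum(math.floor(f.end / interval) - math.floor(f.start / interval) + 1
               for f in flows)

def clustered_records(flows):
    """What racluster leaves after merging status records: one record per distinct flow."""
    return len({f.key for f in flows})

def peak_cache(flows, interval):
    """Peak number of flow caches resident at once. A finished flow is not released
    until the end of the status window it finished in (the memory cost of a long interval)."""
    events = []
    for f in flows:
        release = (math.floor(f.end / interval) + 1) * interval
        events += [(f.start, 1), (release, -1)]
    events.sort()                 # at equal times the release (-1) sorts before the start (+1)
    resident = peak = 0
    for _, delta in events:
        resident += delta
        peak = max(peak, resident)
    return peak

def worth_raising_interval(flows, default=5, threshold=2.0):
    """Carter's check: racount on the raw stream vs. racount after racluster. Close counts
    mean short flows dominate and a longer interval buys little. The 2x threshold is an
    assumption made for this model, not an argus setting."""
    return status_records(flows, default) / clustered_records(flows) >= threshold

# Constructed traffic: 200 short lookups (0.2 s each, one every 0.5 s) and 3 long transfers.
SHORT = [Flow(f"dns-{i}", 0.5 * i, 0.5 * i + 0.2) for i in range(200)]
LONG = [Flow(f"xfer-{i}", 0.0, 299.0) for i in range(3)]

if __name__ == "__main__":
    for name, flows in (("short", SHORT), ("long", LONG), ("mixed", SHORT + LONG)):
        for interval in (5, 60):
            print(f"{name:5} interval={interval:2}: records={status_records(flows, interval):4}"
                  f" clustered={clustered_records(flows):3} peak_cache={peak_cache(flows, interval)}")
        print(f"{name:5} raise ARGUS_FLOW_STATUS_INTERVAL? {worth_raising_interval(flows)}")
```

For the short-flow traffic the record count is 200 at both 5 and 60 seconds while the peak cache grows from 10 to 120 entries, which is exactly the "waste resources" case; for the long transfers the count drops from 180 to 15.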
