[ARGUS] the packet and byte count are unreasonably high

Ming Fu via Argus-info argus-info at lists.andrew.cmu.edu
Mon Nov 11 13:08:37 EST 2024


Hi Carter,

It happens on a machine with 10G and a machine with multiple 1G interfaces; however, the total throughput is no more than 3.5G at peak.

Regards,
Ming
-----Original Message-----
From: Carter Bullard <carter at qosient.com> 
Sent: Monday, November 11, 2024 11:36 AM
To: Ming Fu <Ming.Fu at esentire.com>
Cc: Argus <argus-info at lists.andrew.cmu.edu>
Subject: Re: [ARGUS] the packet and byte count are unreasonably high

And one last question … what is the max bandwidth of the links you're monitoring ?  (10 Gbps ??)
Carter


> On Nov 11, 2024, at 11:26 AM, Carter Bullard <carter at qosient.com> wrote:
> 
> Hey Ming,
> Important question … what is the status of the LBL_ALIGN variable in your ./include/argus_config.h file ???
> On my systems it is defined …
> 
>   % grep LBL_ALIGN ./include/argus_config.h
>   include/argus_config.h:#define LBL_ALIGN /**/
> 
> Carter
> 
>> On Nov 11, 2024, at 10:42 AM, Carter Bullard <carter at qosient.com> wrote:
>> 
>> Hey Ming,
>> Based on your earlier email … this should work to generate an argus file with about 24 records in it that would include errant flows as well as reasonable flows for the same flow ??
>> 
>>  % ra -w /tmp/argus.big.counter.flow.out -r argus.vsniff1.2024-10-11-22* - src host 10.61.6.12 and port 62275 
>> 
>> If you can grab even tighter times, if you can get the specific flow between 2024-10-11.22:15:06 - 2024-10-11.22:21:15 
>> That should catch normal -> errant -> normal for a single flow …
>> 
>> All ra* programs can write their output to an argus data file, so by using the filter, you can grab the flows you want and create a manageable file ...
>> 
>> Carter
>> 
>>> On Nov 11, 2024, at 10:23 AM, Ming Fu <Ming.Fu at esentire.com> wrote:
>>> 
>>> Hi Carter,
>>> 
>>> The problem does not happen often, so unless we search for it on purpose across a large set of archives, we may not see it. We notice the problem mostly because we hit it during a query. I can't reproduce the problem in a testing environment.
>>> 
>>> Is there a command to extract just the affected connection from the original archive file into a smaller archive? There are barriers other than just the size to share the full archive.
>>> 
>>> Regards
>>> Ming
>>> 
>>> -----Original Message-----
>>> From: Carter Bullard <carter at qosient.com> 
>>> Sent: Monday, November 11, 2024 10:12 AM
>>> To: Ming Fu <Ming.Fu at esentire.com>
>>> Cc: Argus <argus-info at lists.andrew.cmu.edu>
>>> Subject: Re: [ARGUS] the packet and byte count are unreasonably high
>>> 
>>> Hey Ming,
>>> We were working on this issue last year about this same time …. And in June/July (?) you thought we had fixed the problem …
>>> No problem, just wanting to know if it went away and then came back ??  Or maybe we were just lucky ??
>>> 
>>> Can you share a recent binary file of a record that is tooooo big ??
>>> 
>>> Carter
>>> 
>>> 
> 


