[ARGUS] the packet and byte count are unreasonably high

Carter Bullard carter at qosient.com
Wed Nov 13 11:09:14 EST 2024


Hey Ming,
With regards to our bug … is the argus that is generating the issue an argus-3.0 sensor ??

Carter


> On Nov 11, 2024, at 3:29 PM, Ming Fu <Ming.Fu at esentire.com> wrote:
> 
> Hi Carter,
>  
> We use the plain default configure command to run the auto configure.
>  
> Regards,
> Ming
>  
> From: Carter Bullard <carter at qosient.com <mailto:carter at qosient.com>>
> Sent: Monday, November 11, 2024 1:12 PM
> To: Ming Fu <Ming.Fu at esentire.com <mailto:Ming.Fu at esentire.com>>
> Cc: Argus <argus-info at lists.andrew.cmu.edu <mailto:argus-info at lists.andrew.cmu.edu>>
> Subject: Re: [ARGUS] the packet and byte count are unreasonably high
>  
> @ 3.5Gbps we'll tickle the 64-bit counters in argus with a 30s flow duration ... should not be a problem but .... very interesting regarding LBL_ALIGN not being defined ... maybe a real hint ...
>  
> Carter
> <image001.png> <http://qosient.com/>	
>  
> Carter Bullard  <mailto:carter at qosient.com>• CEO
> 250 E 53rd Street Suite 501
> New York, New York 10022
> Phone +1.212.588.9133 • Mobile +1.917.497.9494
> 
> 
> On Nov 11, 2024, at 1:08 PM, Ming Fu <Ming.Fu at esentire.com <mailto:Ming.Fu at esentire.com>> wrote:
> 
> Hi Carter,
> 
> It happens on machine with 10G and machine with multiple 1G interfaces, however, the total throughput is no more than 3.5G at peak.
> 
> Regards,
> Ming
> -----Original Message-----
> From: Carter Bullard <carter at qosient.com <mailto:carter at qosient.com>>
> Sent: Monday, November 11, 2024 11:36 AM
> To: Ming Fu <Ming.Fu at esentire.com <mailto:Ming.Fu at esentire.com>>
> Cc: Argus <argus-info at lists.andrew.cmu.edu <mailto:argus-info at lists.andrew.cmu.edu>>
> Subject: Re: [ARGUS] the packet and byte count are unreasonably high
> 
> And one last question … what is the max bandwidth of the links you're monitoring ?  (10 Gbps ??)
> Carter
> 
> 
> 
> On Nov 11, 2024, at 11:26 AM, Carter Bullard <carter at qosient.com <mailto:carter at qosient.com>> wrote:
>  
> Hey Ming,
> Important question … what is the status of the LBL_ALIGN variable in your ./include/argus_config.h file ???
> On my systems it is defined …
>  
>  % grep LBL_ALIGN ./include/argus_config.h
>  include/argus_config.h:#define LBL_ALIGN /**/
>  
> Carter
>  
> On Nov 11, 2024, at 10:42 AM, Carter Bullard <carter at qosient.com <mailto:carter at qosient.com>> wrote:
>  
> Hey Ming,
> Based on your earlier email … this should work to generate an argus file with about 24 records in it that would include errant flows as a well as reasonable flows for the same flow ??
>  
> % ra -w /tmp/argus.big.counter.flow.out -r argus.vsniff1.2024-10-11-22* - src host 10.61.6.12 and port 62275
>  
> If you can grab even tighter times, if you can get the specific flow between 2024-10-11.22:15:06 - 2024-10-11.22:21:15
> That should catch normal -> errant -> normal for a single flow …
>  
> All ra* programs can write its output to an argus data file, so by using the filter, you can grab the flows you want and create a manageable file ...
>  
> Carter
>  
> On Nov 11, 2024, at 10:23 AM, Ming Fu <Ming.Fu at esentire.com <mailto:Ming.Fu at esentire.com>> wrote:
>  
> Hi Carter,
>  
> The problem does not happen often, so unless we search for it on purpose across a large set of archives, we may not see it. We notice the problem mostly because we hit it during a query. I can't reproduce the problem in testing environment.
>  
> Is there a command to extract just the affected connection from the original archive file into a smaller archive? There are barriers other than just the size to share the full archive.
>  
> Regards
> Ming
>  
> -----Original Message-----
> From: Carter Bullard <carter at qosient.com <mailto:carter at qosient.com>>
> Sent: Monday, November 11, 2024 10:12 AM
> To: Ming Fu <Ming.Fu at esentire.com <mailto:Ming.Fu at esentire.com>>
> Cc: Argus <argus-info at lists.andrew.cmu.edu <mailto:argus-info at lists.andrew.cmu.edu>>
> Subject: Re: [ARGUS] the packet and byte count are unreasonably high
>  
> Hey Ming,
> We were working on this issue last year about this same time …. And in June/July (?) you thought we had fixed the problem …
> No problem, just wanting to know if it went away and then came back ??  Or maybe we were just lucky ??
>  
> Can you share a recent binary file of a record that is tooooo big ??
>  
> Carter
>  
>  
>  
>  

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20241113/25909c38/attachment-0001.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 1385 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20241113/25909c38/attachment-0001.bin>


More information about the argus mailing list