argus-2.0.0m

Peter Van Epp vanepp at sfu.ca
Wed Oct 4 11:43:55 EDT 2000 

	Yep that looks to have done it for the HUPs, its worked fine every time
so far. There does look to be a performance or measurement issue at 100 though:

-rw-r--r--   1 root     other      38004 Oct  4 08:15 argus.2.1
-rw-r--r--   1 root     other      36352 Oct  4 08:18 argus.log.2.100
-rw-r--r--   1 root     other      38004 Oct  4 08:13 argus.log.1.1
-rw-r--r--   1 root     other      37872 Oct  4 08:12 argus.log.1.100

	The log files are at 1 meg per second (.1) and at ~95 megabits (.100).
The 100 ones seem to get too few bytes although the first didn't notice it.
Its at this point unclear that this isn't an artifact of tcpreplay and/or 
errors on the wire at 100. I have the hardware for my 100 capable sniffer but
the software won't be here for a week or so so I can't so far get an 
independent picture of what is really making the wire.

skaha# bin/ra -r argus.log.1.1 |tail
...
04 Oct 00 08:13:10.017338   man  pkts   5002  bytes      2672181  drops     0     STP     

bin/ra -r argus.log.2.1 -n | tail
...
04 Oct 00 08:14:38.246505   man  pkts   5002  bytes      2672181  drops     0     STP               

skaha# bin/ra -r argus.log.1.100 -n |tail
...
04 Oct 00 08:12:00.803003   man  pkts   5002  bytes      2672181  drops     0     STP       

bin/ra -r argus.log.2.100 -n | tail
...
04 Oct 00 08:18:49.571692   man  pkts   4771  bytes      2582060  drops     0     STP    

	But all in all it looks good. I'm about to go poke at why my FreeBSD
boxes aren't performing. I had that facinating thought that I wonder if it is
the IDE DMA not being bus mastering. At this point I still have access to my
original Supermicro server class P2 450 machine with a GX motherboard and 
SCSI disks. I'm intending on trying it at 100 and see if it does better than
the BX / IDE disk Intel boards and then go from there (i.e. if it does do 
better move the SCSI controllers to an Intel and see if it is disk or 
motherboard).
	Then it will be butcher tcpreplay to allow for full duplex operation
(read two files, merge the time stamps in the correct order and output them
to 2 interfaces to simulate a full duplex link). If I need to move to two 
machines for disk performance this is going to get interesting staying in 
sync, since outputing an ack before the generating packet makes the wire in
the other direction is likely to cause excitment :-).

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

More information about the argus mailing list