Reconstituting flows

Mark Poepping poepping at cmu.edu
Wed Mar 27 09:12:36 EST 2002


500Mb in each direction is a lot (we were doing about half that).  Yes
something like an IDS load-balancer is what I had in mind.  Though I've
never actually played with one, it should allow you to aggregate flows
from the packet level, which is where you can retain the most
information about the transaction, though depending on why you're
looking, those semantics may not be important to you (yet), and we
really haven't talked about that stuff much at all (response time,
jitter..)..

I would certainly be interested in what you discover, and I'm still
trying to find a way to spend time (and somebody else's money) to
investigate some of this more deeply (<insert usual complaint about time
and workload here>).
Mark.

> -----Original Message-----
> From: newton [mailto:newton at unb.ca]
> Sent: Wednesday, March 27, 2002 9:13 AM
> To: Mark Poepping; argus-info at lists.andrew.cmu.edu
> Subject: RE: Reconstituting flows
> 
> Pretty big...  500 Mbit bidirectional.  There is lots of options,
> including
> IDS load balancers.  Is that what you mean, for slicing?
> 
> Chris
> 
> >===== Original Message From "Mark Poepping" <poepping at cmu.edu> =====
> >How fat is it?
> >I personally like the idea of slicing rather than splitting, but
whether
> >you can do it depends on the speed and what you're really using to
'tap'
> >the stream..
> >Mark.
> >
> >
> >> -----Original Message-----
> >> From: owner-argus-info at lists.andrew.cmu.edu [mailto:owner-argus-
> >> info at lists.andrew.cmu.edu] On Behalf Of newton
> >> Sent: Wednesday, March 27, 2002 8:48 AM
> >> To: argus-info at lists.andrew.cmu.edu
> >> Subject: Reconstituting flows
> >>
> >> Hi all.  If I have a big fat pipe I want to monitor, and I am
> >wondering if
> >> it
> >> might be better if I buy two boxes, and a tap to do the work.  With
> >the
> >> tap, I
> >> would split off both sides of the full duplex connection and send
each
> >> side of
> >> that conenction to a single box running argus.  My question is,
when
> >Argus
> >> builds flows out of these on both boxes, how can I 'reconnect', or
> >> reconstitute these flows back into 1 flow?
> >>
> >>  Anyone got any ideas?
> >>
> >> Thanks
> >>
> >> Chris
> >>
> 



More information about the argus mailing list