Reconstituting flows

newton newton at unb.ca
Wed Mar 27 09:48:33 EST 2002


Have you any IDS load balancers in mind?  TopLayer sells one, but I don't know 
of any others.

Chris

>===== Original Message From "Mark Poepping" <poepping at cmu.edu> =====
>500Mb in each direction is a lot (we were doing about half that).  Yes
>something like an IDS load-balancer is what I had in mind.  Though I've
>never actually played with one, it should allow you to aggregate flows
>from the packet level, which is where you can retain the most
>information about the transaction, though depending on why you're
>looking, those semantics may not be important to you (yet), and we
>really haven't talked about that stuff much at all (response time,
>jitter..)..
>
>I would certainly be interested in what you discover, and I'm still
>trying to find a way to spend time (and somebody else's money) to
>investigate some of this more deeply (<insert usual complaint about time
>and workload here>).
>Mark.
>
>> -----Original Message-----
>> From: newton [mailto:newton at unb.ca]
>> Sent: Wednesday, March 27, 2002 9:13 AM
>> To: Mark Poepping; argus-info at lists.andrew.cmu.edu
>> Subject: RE: Reconstituting flows
>>
>> Pretty big...  500 Mbit bidirectional.  There are lots of options,
>> including IDS load balancers.  Is that what you mean, for slicing?
>>
>> Chris
>>
>> >===== Original Message From "Mark Poepping" <poepping at cmu.edu> =====
>> >How fat is it?
>> >I personally like the idea of slicing rather than splitting, but whether
>> >you can do it depends on the speed and what you're really using to 'tap'
>> >the stream..
>> >Mark.
>> >
>> >
>> >> -----Original Message-----
>> >> From: owner-argus-info at lists.andrew.cmu.edu [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of newton
>> >> Sent: Wednesday, March 27, 2002 8:48 AM
>> >> To: argus-info at lists.andrew.cmu.edu
>> >> Subject: Reconstituting flows
>> >>
>> >> Hi all.  If I have a big fat pipe I want to monitor, and I am wondering if it
>> >> might be better if I buy two boxes, and a tap to do the work.  With the tap, I
>> >> would split off both sides of the full duplex connection and send each side of
>> >> that connection to a single box running argus.  My question is, when Argus
>> >> builds flows out of these on both boxes, how can I 'reconnect', or
>> >> reconstitute these flows back into 1 flow?
>> >>
>> >>  Anyone got any ideas?
>> >>
>> >> Thanks
>> >>
>> >> Chris
>> >>
>>
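
The question at the bottom of this thread (rejoining the two one-directional halves a split tap produces) sketched as an added example; it is not code from the thread or from Argus. The record fields, the max_gap clock-skew allowance and the sample records are assumptions constructed for illustration.

```python
from collections import namedtuple

# One unidirectional record per box; field names are assumptions, not Argus's format.
Half = namedtuple("Half", "start end proto src sport dst dport pkts bytes")

def flow_key(r):
    """Direction-independent key: protocol plus both endpoints, sorted."""
    a, b = (r.src, r.sport), (r.dst, r.dport)
    return (r.proto,) + (a + b if a <= b else b + a)

def build(first, other):
    """Combine two halves; the earlier-starting half is taken as originator
    (a heuristic that relies on the two boxes having synchronized clocks)."""
    if other and other.start < first.start:
        first, other = other, first
    return {"proto": first.proto,
            "src": (first.src, first.sport), "dst": (first.dst, first.dport),
            "start": first.start, "end": max(first.end, other.end) if other else first.end,
            "src_pkts": first.pkts, "src_bytes": first.bytes,
            "dst_pkts": other.pkts if other else 0,
            "dst_bytes": other.bytes if other else 0}

def merge_halves(box_a, box_b, max_gap=2.0):
    """Pair opposite-direction records whose time ranges overlap or lie within
    max_gap seconds; records with no partner are kept as one-sided flows."""
    pending = {}
    for r in sorted(box_b, key=lambda r: r.start):
        pending.setdefault(flow_key(r), []).append(r)
    merged = []
    for a in sorted(box_a, key=lambda r: r.start):
        cands = pending.get(flow_key(a), [])
        match = next((b for b in cands
                      if (b.src, b.sport) == (a.dst, a.dport)
                      and b.start <= a.end + max_gap
                      and a.start <= b.end + max_gap), None)
        if match:
            cands.remove(match)
        merged.append(build(a, match))
    for rest in pending.values():
        merged.extend(build(b, None) for b in rest)
    return sorted(merged, key=lambda f: f["start"])

# Constructed sample: box A sees client-to-server, box B server-to-client.
BOX_A = [Half(100.0, 104.5, "tcp", "10.0.0.5", 40000, "192.0.2.10", 80, 12, 900),
         Half(200.0, 201.0, "udp", "10.0.0.5", 5353, "192.0.2.53", 53, 1, 60),
         Half(500.0, 503.0, "tcp", "10.0.0.5", 40000, "192.0.2.10", 80, 8, 600)]
BOX_B = [Half(100.1, 104.6, "tcp", "192.0.2.10", 80, "10.0.0.5", 40000, 10, 14000),
         Half(500.2, 503.1, "tcp", "192.0.2.10", 80, "10.0.0.5", 40000, 6, 5000)]
FLOWS = merge_halves(BOX_A, BOX_B)
```

The time-window check is what keeps a later connection that reuses the same ports from being glued to an earlier half, so it only works as well as the clocks on the two boxes agree.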


