Reconstituting flows

Chas DiFatta chas at difatta.org
Wed Mar 27 19:15:39 EST 2002


Chris,

I heard that Cisco plans to make some major announcements
on the IDS front this June with regards to significantly
increasing the performance from the present 120Mb/sec per blade.
I'd contact your rep and see if you can sign an NDA.

	...cd

>-----Original Message-----
>From: owner-argus-info at lists.andrew.cmu.edu
>[mailto:owner-argus-info at lists.andrew.cmu.edu]On Behalf Of newton
>Sent: Wednesday, March 27, 2002 6:49 AM
>To: Mark Poepping
>Cc: argus-info at lists.andrew.cmu.edu
>Subject: RE: Reconstituting flows
>
>
>Have you any IDS load balancers in mind?  TopLayer sells one, but I don't
>know of any others.
>
>Chris
>
>>===== Original Message From "Mark Poepping" <poepping at cmu.edu> =====
>>500Mb in each direction is a lot (we were doing about half that).  Yes
>>something like an IDS load-balancer is what I had in mind.  Though I've
>>never actually played with one, it should allow you to aggregate flows
>>from the packet level, which is where you can retain the most
>>information about the transaction, though depending on why you're
>>looking, those semantics may not be important to you (yet), and we
>>really haven't talked about that stuff much at all (response time,
>>jitter..)..
>>
>>I would certainly be interested in what you discover, and I'm still
>>trying to find a way to spend time (and somebody else's money) to
>>investigate some of this more deeply (<insert usual complaint about time
>>and workload here>).
>>Mark.
>>
>>> -----Original Message-----
>>> From: newton [mailto:newton at unb.ca]
>>> Sent: Wednesday, March 27, 2002 9:13 AM
>>> To: Mark Poepping; argus-info at lists.andrew.cmu.edu
>>> Subject: RE: Reconstituting flows
>>>
>>> Pretty big...  500 Mbit bidirectional.  There are lots of options,
>>> including IDS load balancers.  Is that what you mean, for slicing?
>>>
>>> Chris
>>>
>>> >===== Original Message From "Mark Poepping" <poepping at cmu.edu> =====
>>> >How fat is it?
>>> >I personally like the idea of slicing rather than splitting, but
>>> >whether you can do it depends on the speed and what you're really
>>> >using to 'tap' the stream..
>>> >Mark.
>>> >
>>> >
>>> >> -----Original Message-----
>>> >> From: owner-argus-info at lists.andrew.cmu.edu [mailto:owner-argus-
>>> >> info at lists.andrew.cmu.edu] On Behalf Of newton
>>> >> Sent: Wednesday, March 27, 2002 8:48 AM
>>> >> To: argus-info at lists.andrew.cmu.edu
>>> >> Subject: Reconstituting flows
>>> >>
>>> >> Hi all.  If I have a big fat pipe I want to monitor, and I am
>>> >> wondering if it might be better if I buy two boxes, and a tap to do
>>> >> the work.  With the tap, I would split off both sides of the full
>>> >> duplex connection and send each side of that connection to a single
>>> >> box running argus.  My question is, when Argus builds flows out of
>>> >> these on both boxes, how can I 'reconnect', or reconstitute these
>>> >> flows back into 1 flow?
>>> >>
>>> >>  Anyone got any ideas?
>>> >>
>>> >> Thanks
>>> >>
>>> >> Chris
>>> >>
>>>
>
>
>
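
An added example, not part of the thread and not Argus code: one way to rejoin the per-direction records that two boxes behind a tap would produce, by keying each record on a direction-independent 5-tuple. The `HalfFlow` layout, `flow_key`, `reconstitute`, the `max_gap` timeout and the sample records are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class HalfFlow:            # hypothetical record layout, not Argus's format
    sensor: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    start: float           # seconds; assumes the two boxes' clocks are synced
    end: float
    pkts: int
    nbytes: int

def flow_key(r):
    """Direction-independent key: both halves of a conversation map to it."""
    a, b = (r.src, r.sport), (r.dst, r.dport)
    return (r.proto, a, b) if a <= b else (r.proto, b, a)

def reconstitute(records, max_gap=60.0):
    """Merge unidirectional records into bidirectional flows. A record joins
    the open flow for its key unless it starts more than max_gap seconds after
    that flow ended; later reuse of the same 5-tuple then opens a new flow."""
    open_flows, merged = {}, []
    for r in sorted(records, key=lambda r: r.start):
        key = flow_key(r)
        f = open_flows.get(key)
        if f is None or r.start > f["end"] + max_gap:
            f = {"proto": r.proto, "initiator": (r.src, r.sport),
                 "responder": (r.dst, r.dport), "start": r.start, "end": r.end,
                 "fwd": [0, 0], "rev": [0, 0], "sensors": set()}
            open_flows[key] = f
            merged.append(f)
        side = "fwd" if (r.src, r.sport) == f["initiator"] else "rev"
        f[side][0] += r.pkts       # per-direction packet count
        f[side][1] += r.nbytes     # per-direction byte count
        f["end"] = max(f["end"], r.end)
        f["sensors"].add(r.sensor)
    return merged

# Constructed sample: box A sees client->server, box B sees server->client.
SAMPLE = [
    HalfFlow("A", "tcp", "10.0.0.5", 40000, "192.0.2.10", 80, 100.00, 101.50, 12, 900),
    HalfFlow("B", "tcp", "192.0.2.10", 80, "10.0.0.5", 40000, 100.02, 101.60, 10, 14000),
    HalfFlow("A", "tcp", "10.0.0.5", 40000, "192.0.2.10", 80, 500.00, 500.40, 5, 300),
    HalfFlow("B", "udp", "192.0.2.53", 53, "10.0.0.5", 5353, 200.00, 200.01, 1, 120),
]
```

A merged flow whose `sensors` set holds only one box either had no reply traffic or lost its other half at the tap.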



More information about the argus mailing list