[ARGUS] argus data rates experience?

Russell Fulton r.fulton at auckland.ac.nz
Fri Apr 2 20:54:08 EST 2004


On Sat, 2004-04-03 at 13:30, Richard Johnson wrote:
> I've just reread Peter Van Epp's ;login: article from 2001, as it's the
> only place I can find any numbers regarding Argus performance on sample
> networks.  (IOW, article good, my search abilities bad. :-)
> 
> I'm now charged with logging traffic across a WAN interface that's peaking
> at 250 Mbps and 30,000 packets/sec.
> 
> I'm going to try a 2GHz dual CPU system running FreeBSD using a SysKonnect
> SK9843 GigE interface and a fibrechannel array TBD connected via a Qlogic
> ISP2300 card, and see if it can keep up.  Does that raise any red flags?

This should handle the monitoring load fine.  The big bottleneck is
usually getting the data to disk.  The usual wisdom is that it is better
to do this on another box, i.e. run an argus client on another box
that connects to the sensor over the network.  Given that you have two
cpus and that argus is threaded, with output processes in a separate
thread, I would think you should be OK.
> 
> In addition, I'm very uncertain as to the storage requirements for log
> files (IOW, how big a chunk of that array will I need?).  Can anyone give
> an idea of how fast the log files might grow per packet under a typical
> university mix of interactive logins and file transfers?

I'll let others whose loads are more comparable with yours answer that
one.
-- 
Russell Fulton                                    /~\  The ASCII
Network Security Officer                          \ /  Ribbon Campaign
The University of Auckland                         X   Against HTML
New Zealand                                       / \  Email!




