pf_ring and argus

Peter Van Epp vanepp at sfu.ca
Fri Apr 11 12:49:16 EDT 2008


On Thu, Apr 10, 2008 at 11:52:50AM +0200, Ole Morten Grod?s wrote:
> Thanks for the helpful answers Peter and Nick.
> 
> After reading the paper "Improving Passive Packet Capture:Beyond Device
> Polling" and the pf_ring user guide I was under the impression that PF_RING
> was the most used and most stable option. But after your comments, I'm not
> so sure anymore.

	It may be in better shape now (although it may not be too :-)). As noted
we haven't done anything with it in a while in terms of updates. We too are 
still running 2.0.6 without the pf-ring code (but with two boxes) in production;
pf-ring is on my 3.0 test boxes. 

> 
> As Peter suspects, my main concern at the moment is with a setup where
> everything is running on one box and I hoped that the use of pf_ring or
> mm-pcap could help.

	I suspect it won't because the problem seems to be at the hardware 
level. We think that the disk is bursting on the PCI bus for too long and 
the NIC card has a small (64K on Intel) on-board buffer that fills 
and overwrites incoming packets on a link above 70 megs or so (probably 
somewhat on slower links). As noted, a DAG fixes this but they are expensive (about
$8000 for a Gig one as I recall, which isn't that big a premium over 2 Intels
at $1K each when last I bought, although the DAG was in the $16K range at that
time). 

> 
> When running my test I also hope to get a better understanding of the
> performance bottlenecks in my system and the performance characteristics of
> Argus. I'm therefore a bit curious Peter, how you measure the PCI contention
> problems you refer to. I was planning on using systat for performance
> monitoring. Are there any better alternatives?

	I have netoptics regen taps (essentially a gig 4 port repeater) so
I can put my line rate sniffer beside an argus test box looking at the same
traffic and compare what argus reports to what the sniffer reports (most 
easily by dumping the sniffer trace to pcap and running it through argus and 
comparing ra output).
	PCI bus issues require a logic analyser attached to the bus (I have
one of those too but haven't actually done this). There was a paper 3 or 4
years ago that had an analyser trace of a fully loaded gig card that indicated
not much bus time left (this being PCI; PCI-X or PCI Express are a different
story). 
	I think your best bet is the second machine. I have a big dual core
Athlon (4 gigs of RAM, 1.4 gig CPUs) as the sensor and an Intel P3 600 meg
with a 200 gig disk as the first stage archive box, so the second machine can
be small. This doesn't lose packets on our current 140 megabit or so input
link (as noted the same setup loses packets at a much lower rate). 

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada
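One way to do the ra comparison Peter describes (sniffer pcap run through argus, compared against the live sensor's records), as an added example that is not part of the original post. It assumes both ra runs used the same fixed field list and comma separator (`ra -r <file> -n -c , -s saddr daddr proto sport dport pkts bytes`); the ra lines below are constructed, not real captures.

```python
"""Quantify sensor capture loss by comparing argus flow records from the live
sensor with records from the line-rate sniffer's pcap run through argus.
Added example, not from the thread. Assumes both ra outputs came from:
    ra -r <file> -n -c , -s saddr daddr proto sport dport pkts bytes
The sample lines below are constructed, not real captures."""
import csv

FIELDS = ["saddr", "daddr", "proto", "sport", "dport", "pkts", "bytes"]

# Constructed ra output from the reference capture (sniffer pcap -> argus -> ra).
REFERENCE_RA = """\
10.0.0.5,10.0.0.9,tcp,44123,80,1200,960000
10.0.0.7,10.0.0.9,udp,5353,53,300,45000
10.0.0.8,10.0.0.10,tcp,51000,443,5000,6400000
"""
# Constructed ra output for the same traffic as seen by the live sensor box.
SENSOR_RA = """\
10.0.0.5,10.0.0.9,tcp,44123,80,1200,960000
10.0.0.7,10.0.0.9,udp,5353,53,300,45000
10.0.0.8,10.0.0.10,tcp,51000,443,4200,5376000
"""


def parse_ra(text):
    """Index ra CSV lines by flow key -> (pkts, bytes), summing repeats."""
    flows = {}
    for row in csv.reader(text.splitlines()):
        if len(row) != len(FIELDS):
            continue  # blank or malformed line
        rec = dict(zip(FIELDS, row))
        key = tuple(rec[f] for f in FIELDS[:5])
        p, b = flows.get(key, (0, 0))
        # argus can emit several status records per flow; aggregate them
        flows[key] = (p + int(rec["pkts"]), b + int(rec["bytes"]))
    return flows


def compare(reference, sensor):
    """Return ({flow: (pkts short, bytes short)}, overall packet loss fraction).
    Flows absent on the sensor side count as fully lost."""
    ref, sen = parse_ra(reference), parse_ra(sensor)
    short, ref_total, seen_total = {}, 0, 0
    for key, (rp, rb) in ref.items():
        sp, sb = sen.get(key, (0, 0))
        ref_total += rp
        seen_total += min(sp, rp)
        if sp < rp:
            short[key] = (rp - sp, rb - sb)
    loss = 1 - seen_total / ref_total if ref_total else 0.0
    return short, loss
```

Flows whose sensor-side counts fall short of the reference are the ones the capture path dropped, and the loss fraction is what you would watch while varying link load to find the threshold Peter mentions.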
