New To Argus
Peter Van Epp
vanepp at sfu.ca
Mon Feb 25 17:52:28 EST 2008
On Mon, Feb 25, 2008 at 12:01:52PM -0700, Nick Diel wrote:
> Carter,
>
> First of all thanks for your detailed response and updated clients. And
> I am glad you like twists.
>
<snip>
>
> So for my first question, is Argus capable of capturing at high line
> speeds (at least 1Gbit) where doing a packet capture using libpcap and a
> standard NIC may fail (libpcap dropping packets)? Or since Argus is
> flow based it doesn't care if it misses packets? Some of the anomalies
> we research require us to account for almost every packet in the
> anomaly, so say dropping every 100th or even every 1000th packet could
> hamper us. The reason I ask about Argus high speed captures, is if it
> is very capable at high speeds, it would allow us to deploy more
> collection boxes (these boxes would then primarily be used by the flow
> based researchers). We wouldn't have to buy an expensive capture card
> for each collection box.
While it can be done, I think the costs are likely a wash. I don't
use dags, but rather two Intel gig fibre cards and a SUSE Linux kernel (on PPC)
the pf-ring mods for fast pcap capturing (there is a possibly equivalent
mod from llb that doesn't require kernel mods that may be as good and easier
though). The cost of no dag cards is that the capture machine (with the NICs)
writes argus data to a socket and a second machine reads the argus data from
the wire and writes it to disk. Doing the disk I/O on the capture machine
results in packet loss, I think due to bus contention. You also get less
accurate time stamps because you can be reading multiple packets from the on
card buffer in the same interrupt and all will get the same or almost the
same time stamp which varies the timing slightly. The dag (with an on board
packet buffer of several megs and a clock that timestamps on packet receive)
doesn't have to worry about either of those and thus can probably do it on
one machine which may offset the cost of a dag (about $8K for a 1 gig I think,
when fibre Intels were about a $1K each when last I bought some).
With the above setup argus managed to keep up with a loaded gig pipe
(of 9K jumbo frames though, the best performance case) without much problem.
Small packets will probably do much worse but I didn't have a pipe of that
speed with small packets to try :-).
PPC is network endian which turns out to be helpful at high speed
in that it avoids byte swapping to get to network order, but on an experiment
on a variety of machines, ram speed (DDR2 against DDR3) was more important.
A Sun 4200 dual opteron box did better than my DDR2 PPC IBM P510s in a
run using time to measure the processing of the same pcap file run through
argus.
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
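The timestamp effect described in the reply (several packets read off the card buffer in one interrupt and all stamped with the same or nearly the same time) is something a practitioner can measure on their own captures before trusting the timing of a pcap-based sensor. The script below is an added example, not code from the post or from the argus project: it parses a classic libpcap file with the standard library only, counts how many records share the timestamp of the record before them, and reports the longest run of identical timestamps. The pcap bytes are constructed inline from an assumed list of microsecond timestamps so it runs offline; a high share of shared timestamps or long runs on a real capture is the batch-read signature the post is talking about, not evidence of dropped packets.

```python
import struct

# Classic libpcap magic (microsecond resolution) as it reads in a
# little-endian file; a big-endian file shows the byte-swapped value.
PCAP_MAGIC_LE = 0xA1B2C3D4
PCAP_MAGIC_BE = 0xD4C3B2A1


def build_pcap(timestamps_us, payload=b"\x00" * 60):
    """Build a constructed little-endian pcap (link type 1 = Ethernet) with
    one dummy record per timestamp (microseconds since the epoch).  Only the
    record timestamps matter for the clumping check below."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    body = b""
    for ts in timestamps_us:
        sec, usec = divmod(ts, 1_000_000)
        body += struct.pack("<IIII", sec, usec, len(payload), len(payload)) + payload
    return header + body


def read_timestamps(pcap_bytes):
    """Yield each record's timestamp in microseconds, in either byte order."""
    magic = struct.unpack("<I", pcap_bytes[:4])[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    offset = 24  # global header is 24 bytes
    while offset + 16 <= len(pcap_bytes):
        sec, usec, incl_len, _orig_len = struct.unpack(
            endian + "IIII", pcap_bytes[offset:offset + 16])
        yield sec * 1_000_000 + usec
        offset += 16 + incl_len  # skip record header plus captured bytes


def timestamp_clumping(pcap_bytes):
    """Return (total_records, records_sharing_previous_timestamp, longest_run).

    Records stamped identically to their predecessor are what you see when
    a batch of packets is pulled from the NIC buffer in a single interrupt
    and stamped together by the host; the longest run shows how big those
    batches get."""
    total = shared = longest = run = 0
    prev = None
    for ts in read_timestamps(pcap_bytes):
        total += 1
        if ts == prev:
            shared += 1
            run += 1
        else:
            run = 1
        longest = max(longest, run)
        prev = ts
    return total, shared, longest


# Constructed sample: three packets stamped together, then singles and a pair.
SAMPLE_TIMESTAMPS_US = [100, 100, 100, 250, 400, 400, 900]
SAMPLE_PCAP = build_pcap(SAMPLE_TIMESTAMPS_US)

if __name__ == "__main__":
    total, shared, longest = timestamp_clumping(SAMPLE_PCAP)
    print(f"records={total} shared_ts={shared} "
          f"({100.0 * shared / total:.1f}%) longest_run={longest}")
```

On a real file, replace `SAMPLE_PCAP` with the bytes of a capture taken on the sensor NIC; comparing the shared-timestamp share between a host-stamped capture and one from a card that stamps on receive gives a direct view of how much timing precision the cheaper NIC costs.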