question on argus listening on 2 interfaces
Peter Van Epp
vanepp at sfu.ca
Wed Jan 9 18:47:58 EST 2008
On Wed, Jan 09, 2008 at 06:19:28PM -0500, Lei Wei wrote:
> Hello,
>
> I'm now monitoring the border traffic which has an inbound and an
> outbound link. I'm not sure how argus would treat those two interfaces
> if specified. I hope that it'll merge the two links and reconstruct
> transactions but I'm not sure of what'd happen. And I also wonder if
> the unidirection and bidirection options play a role in here.
> So any comments?
>
> Thanks.
>
> Lei

Two interfaces from a tap works fine (if not optimally) as in

    argus -Jd -P 560 -i eth0 -i eth1

this will indeed merge the streams most of the time and I've run like this
for many years. There are issues (which Carter tweaked a while back in the
3.0 rcs) when what I think is likely interrupt queuing delivers packets out
of order though. So the optimal thing is to run two argi, one for each interface,
and then let racluster merge the two individual streams later (or run DAG
cards which will time stamp all packets on receive by the hardware which
cures the problem).

Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
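
A conceptual sketch of the second approach in the reply above (one record stream per interface, merged afterwards), added here as an illustration; it is not argus or racluster code and does not reproduce their algorithms. The record layout, addresses, and function names are assumptions constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class FlowRec:  # hypothetical unidirectional record, as one interface saw it
    iface: str
    start: float
    last: float
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    pkts: int
    nbytes: int

def flow_key(r):
    """Direction-independent key: both halves of a conversation map to it."""
    a, b = (r.src, r.sport), (r.dst, r.dport)
    return (r.proto,) + (a + b if a <= b else b + a)

def merge_streams(*streams):
    """Merge per-interface record streams into bidirectional flows.

    Records are sorted by start time first, so the initiator is decided by
    capture timestamps, not by which interface's stream is read first.
    """
    flows = {}
    for r in sorted((r for s in streams for r in s), key=lambda r: r.start):
        f = flows.get(flow_key(r))
        if f is None:
            f = flows[flow_key(r)] = {
                "initiator": (r.src, r.sport), "responder": (r.dst, r.dport),
                "proto": r.proto, "start": r.start, "last": r.last,
                "fwd_pkts": 0, "rev_pkts": 0, "fwd_bytes": 0, "rev_bytes": 0,
                "ifaces": set()}
        side = "fwd" if (r.src, r.sport) == f["initiator"] else "rev"
        f[side + "_pkts"] += r.pkts
        f[side + "_bytes"] += r.nbytes
        f["last"] = max(f["last"], r.last)
        f["ifaces"].add(r.iface)
    return list(flows.values())

# Constructed sample: eth0 carries the outbound link, eth1 the inbound link.
ETH0 = [FlowRec("eth0", 10.000, 10.900, "tcp", "192.0.2.10", 40000, "198.51.100.5", 443, 6, 900),
        FlowRec("eth0", 12.000, 12.100, "udp", "192.0.2.11", 5353, "198.51.100.9", 53, 1, 70)]
ETH1 = [FlowRec("eth1", 10.020, 10.950, "tcp", "198.51.100.5", 443, "192.0.2.10", 40000, 5, 4200),
        FlowRec("eth1", 12.030, 12.030, "udp", "198.51.100.9", 53, "192.0.2.11", 5353, 1, 180)]
```

The merge depends on the two capture points having comparable clocks; if timestamps are skewed, the sort can pick the wrong initiator, which is the same class of problem the reply attributes to out-of-order delivery.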