question on argus listening on 2 interfaces

Lei Wei lwei at cs.unc.edu
Wed Jan 9 20:42:32 EST 2008


Hi Peter,

Thanks for the help. I did try to use a DAG card but I couldn't get Argus 
working with DAG. I installed the dag-enabled libpcap0.9.8 but Argus 
just can't get any data from it. Do you have any experience with it? If 
so, could you give me some instructions on how to configure argus to 
recognize the dag card?
many thanks~

Lei

Quoting Peter Van Epp <vanepp at sfu.ca>:

> On Wed, Jan 09, 2008 at 06:19:28PM -0500, Lei Wei wrote:
>> Hello,
>>
>> I'm now monitoring the border traffic which has an inbound and an
>> outbound link. I'm not sure how argus would treat those two interfaces
>> if specified. I hope that it'll merge the two links and reconstruct
>> transactions but I'm not sure of what'd happen. And I also wonder if
>> the unidirection and bidirection options play a role in here.
>> So any comments?
>>
>> Thanks.
>>
>> Lei
>
> 	Two interfaces from a tap works fine (if not optimally) as in
>
> argus -Jd -P 560 -i eth0 -i eth1
>
> this will indeed merge the streams most of the time and I've run like this
> for many years. There are issues (which Carter tweaked a while back in the
> 3.0 rcs) when what I think is likely interrupt queuing delivers packets out
> of order though. So the optimal thing is to run two argi one for each
> interface and then let racluster merge the two individual streams later
> (or run DAG cards which will time stamp all packets on receive by the
> hardware which cures the problem).
>
> Peter Van Epp / Operations and Technical Support
> Simon Fraser University, Burnaby, B.C. Canada
>
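
Added example (not part of the original thread, and not Argus or racluster code): a toy Python model of the ordering problem described in the quoted reply, where the two halves of a tap are delivered out of order, and of how merging on accurate per-packet timestamps restores the order. The addresses, timestamps, interface roles and the rule that the first packet seen names the initiator are assumptions made for illustration.

```python
import heapq
from collections import namedtuple

# Constructed sample data: one packet = (hardware timestamp, interface, src, dst).
Pkt = namedtuple("Pkt", "ts iface src dst")

CLIENT, SERVER = "10.0.0.5", "192.0.2.9"
# Assumed layout: eth0 = outbound half of the tap, eth1 = inbound half.
ETH0 = [Pkt(1.000, "eth0", CLIENT, SERVER), Pkt(1.040, "eth0", CLIENT, SERVER)]
ETH1 = [Pkt(1.020, "eth1", SERVER, CLIENT), Pkt(1.060, "eth1", SERVER, CLIENT)]

def track(packets):
    """Toy bidirectional flow tracker (an assumption, not Argus's logic):
    the first packet seen for an address pair names the initiator."""
    flows = {}
    for p in packets:
        key = frozenset((p.src, p.dst))
        f = flows.setdefault(
            key, {"initiator": p.src, "pkts": 0, "reordered": 0, "last": p.ts})
        f["pkts"] += 1
        if p.ts < f["last"]:      # packet is older than one already processed
            f["reordered"] += 1
        f["last"] = max(f["last"], p.ts)
    return flows

def delivered_with_queuing(eth0, eth1):
    """Model one interface's queue being drained before the other's."""
    return list(eth1) + list(eth0)

def merged_by_timestamp(eth0, eth1):
    """Merge two per-interface streams, each already in time order."""
    return list(heapq.merge(eth0, eth1, key=lambda p: p.ts))

def summarize(packets):
    """Return (initiator, packet count, reordered count) for the single flow."""
    (flow,) = track(packets).values()
    return flow["initiator"], flow["pkts"], flow["reordered"]

if __name__ == "__main__":
    print("queued delivery :", summarize(delivered_with_queuing(ETH0, ETH1)))
    print("timestamp merge :", summarize(merged_by_timestamp(ETH0, ETH1)))
```

With queued delivery the reply is seen first, so the toy tracker records the server as initiator and counts two packets arriving behind newer ones; the timestamp merge records the client as initiator with none.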




