question on argus listening on 2 interfaces

Kevin & Leah Branch klkbranch at hotmail.com
Tue Jan 15 13:56:42 EST 2008


Lei,

I've never heard about argus supporting aggregating multiple interfaces. If the inbound link and outbound link you refer to are actually just the upstream and downstream components of the same sniff-point on your network, as is common with many Ethernet taps, then you might consider using Linux channel bonding. See http://linux-ip.net/html/ether-bonding.html for more details on how to do that with Linux. If eth2 is the upstream side of your sniff point and eth3 the downstream side of the same sniff point, then you can create a bonding interface to which eth2 and eth3 are enslaved, thus combining their traffic into a single bond0 interface. Then you just point tcpdump or argus or whatever at bond0. It works like a charm, and requires no installation of any extra software. One warning, though. If you use PF_RING (from ntop.org) to boost your packet capture performance, it wasn't compatible with channel bonding last I tried to use these things together. MMAPed libpcap seems to work fine with it though, at least in my environments.

Kevin




> Date: Wed, 9 Jan 2008 18:19:28 -0500
> From: lwei at cs.unc.edu
> To: argus-info at lists.andrew.cmu.edu
> Subject: [ARGUS] question on argus listening on 2 interfaces
> 
> Hello,
> 
> I'm now monitoring the border traffic which has an inbound and an 
> outbound link. I'm not sure how argus would treat those two interfaces 
> if specified. I hope that it'll merge the two links and reconstruct 
> transactions but I'm not sure of what'd happen. And I also wonder if 
> the unidirection and bidirection options play a role in here.
> So any comments?
> 
> Thanks.
> 
> Lei
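
The bonding setup described in the reply above, as an added example that is not part of the original message or of the argus project. It assumes iproute2 and the in-kernel bonding driver; the balance-rr mode and the helper names `bond_plan`, `bond_tap` and `bond_slaves` are assumptions chosen for illustration, while eth2, eth3 and bond0 come from the message.

```shell
#!/bin/sh
# Plan (and optionally apply) a capture-only bond that merges both legs of a tap.

# Print the commands that enslave each tap leg to the bond, one per line.
bond_plan() {
    bond=$1; shift
    [ "$#" -ge 2 ] || { echo "need a bond name and at least two tap legs" >&2; return 1; }
    for name in "$bond" "$@"; do
        case $name in   # refuse anything that is not a plain interface name
            ''|*[!A-Za-z0-9_.-]*) echo "bad interface name: $name" >&2; return 1 ;;
        esac
    done
    echo "modprobe bonding"
    # Assumption: balance-rr, so frames received on every slave show up on the bond.
    echo "ip link add $bond type bond mode balance-rr"
    for leg in "$@"; do
        echo "ip link set $leg down"            # take the leg down before enslaving it
        echo "ip link set $leg master $bond"
    done
    echo "ip link set $bond promisc on"         # capture tools usually set this themselves
    echo "ip link set $bond up"                 # no IP address assigned: capture only
}

# Show the plan, or run it (as root) when the first argument is "yes".
bond_tap() {
    apply=$1; shift
    plan=$(bond_plan "$@") || return 1
    if [ "$apply" = yes ]; then
        echo "$plan" | while IFS= read -r cmd; do $cmd || exit 1; done
    else
        echo "$plan"
    fi
}

# Slaves the kernel reports for a bond; empty output if the bond does not exist.
bond_slaves() {
    cat "/sys/class/net/$1/bonding/slaves" 2>/dev/null
}

# Dry run with the interface names from the message.
bond_tap no bond0 eth2 eth3
```

After `bond_tap yes bond0 eth2 eth3`, `bond_slaves bond0` should list both legs before tcpdump or argus is pointed at bond0 with `-i bond0`.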
