question on argus listening on 2 interfaces

Peter Van Epp vanepp at sfu.ca
Thu Jan 17 12:23:47 EST 2008


On Tue, Jan 15, 2008 at 06:56:42PM +0000, Kevin & Leah Branch wrote:
> Lei,
> 
> I've never heard about argus supporting aggregating multiple interfaces.  If the inbound link and outbound link you refer to are actually just the upstream and downstream components of the same sniff-point on your network, as is common with many ethernet taps, then you might consider using linux channel bonding.  See http://linux-ip.net/html/ether-bonding.html for more details on how to do that with Linux.  If eth2 is the upstream side of your sniff point and eth3 the downstream side of the same sniff point, then you can create a bonding interface to which eth2 and eth3 are enslaved, thus combining their traffic into a single bond0 interface.  Then you just point tcpdump or argus or whatever at bond0.  It works like a charm, and requires no installation of any extra software.  One warning, though.  If you use PF_RING (from ntop.org) to boost your packet capture performance, it wasn't compatible with channel bonding last I tried to use these things together.  MMapped libpcap seems to work fine with it though, at least in my environments.
> 
> Kevin
> 

	I don't expect channel bonding will correct the problem that has been
seen with aggregated links. I believe the problem is happening at the hardware
/ interrupt processing level which is before channel bonding (and DAG cards
are the only real cure). What I think is happening is that multiple packets
are arriving fast enough to get extracted from the hardware buffer on the 
ethernet card on a single interrupt (and thus all have that identical time
stamp). I believe what is happening is that sometimes
(quite rarely actually) the syn packet comes in to the hardware buffer on the 
"receive" nic and gets stored in the on board buffer and triggers an interrupt.
A short time later the syn-ack packet arrives at the "send" nic card and gets
added to the onboard buffer just in time to get included in the transfer to 
the host because the card has interrupted for a previous packet. The result
is that the syn-ack packet will appear to argus first because it isn't until
the send NIC's interrupt completes that the other card will get to transfer 
its buffer to the host. The only thing that will actually fix this condition
is to be running DAG cards which timestamp received packets from an on board
hardware clock when the packet arrives (not when interrupt processing takes
place in the host). Carter has fixed the problem (at least I haven't seen an
example in quite a while) by assuming that there can be skew between the 
receive and send NICs (but that packets in either stream should be in time 
order). Since this is happening below the level of the channel bonding code
I don't believe channel bonding will actually help. 

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada
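An added illustration of the ordering condition described in the message above (this is example code written for this page, not argus source and not the fix Carter applied): two per-NIC capture streams are each in arrival order, but their host timestamps can be skewed against each other by an interrupt-batching delay, so a naive merge by timestamp can place a SYN-ACK before the SYN it answers. The merge below assumes only that each NIC's own stream is in order, tolerates a bounded cross-NIC skew (the `max_skew` window is an assumed parameter), and counts how many SYN-ACK-before-SYN cases it reordered versus left unresolved. All packets are constructed sample records.

```python
from dataclasses import dataclass
from itertools import chain
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Pkt:
    ts: float    # host-assigned timestamp in seconds (set at interrupt time, so skewed across NICs)
    nic: str     # capture interface: "eth2" = receive side, "eth3" = send side (constructed names)
    src: str
    dst: str
    flags: str   # "S" = SYN, "SA" = SYN-ACK, "A" = ACK


def naive_merge(streams: List[List[Pkt]]) -> List[Pkt]:
    """Merge by host timestamp alone; sorted() is stable, so each NIC's own order survives."""
    return sorted(chain.from_iterable(streams), key=lambda p: p.ts)


def answers(syn_ack: Pkt, syn: Pkt) -> bool:
    """True if `syn` is the SYN that `syn_ack` responds to (addresses mirrored)."""
    return (syn.flags == "S" and syn_ack.flags == "SA"
            and syn.src == syn_ack.dst and syn.dst == syn_ack.src)


def skew_tolerant_merge(streams: List[List[Pkt]], max_skew: float) -> Tuple[List[Pkt], Dict[str, int]]:
    """Merge per-NIC streams, assuming each stream is in order but cross-NIC timestamps
    may be skewed by up to `max_skew` seconds. A SYN-ACK seen before its SYN within that
    window is treated as timestamp skew and the SYN is moved ahead of it; the move is only
    made if it does not pass a packet from the SYN's own NIC (that would break the
    per-stream ordering assumption). Anything else is reported as unresolved."""
    merged = naive_merge(streams)
    stats = {"reordered": 0, "unresolved": 0}
    i = 0
    while i < len(merged):
        sa = merged[i]
        if sa.flags != "SA" or any(answers(sa, q) for q in merged[:i]):
            i += 1          # not a SYN-ACK, or its SYN already precedes it
            continue
        moved = False
        j = i + 1
        while j < len(merged) and merged[j].ts - sa.ts <= max_skew:
            if answers(sa, merged[j]):
                syn = merged[j]
                if all(p.nic != syn.nic for p in merged[i:j]):
                    del merged[j]
                    merged.insert(i, syn)
                    stats["reordered"] += 1
                    moved = True
                break
            j += 1
        if not moved:
            stats["unresolved"] += 1   # SYN-ACK with no SYN inside the skew window
        i += 1
    return merged, stats


def demo() -> Tuple[List[str], Dict[str, int]]:
    """Constructed two-NIC capture: one batch-interrupt skew case, one normal handshake,
    and one SYN-ACK whose SYN is 500 ms late (well outside a 1 ms skew window)."""
    eth2 = [  # receive-side NIC, in arrival order
        Pkt(1.000120, "eth2", "10.0.0.5", "192.0.2.10", "S"),
        Pkt(1.000300, "eth2", "10.0.0.5", "192.0.2.10", "A"),
        Pkt(2.000000, "eth2", "10.0.0.6", "192.0.2.10", "S"),
        Pkt(3.500000, "eth2", "10.0.0.7", "192.0.2.10", "S"),
    ]
    eth3 = [  # send-side NIC, in arrival order; its SYN-ACK to 10.0.0.5 got an earlier host stamp than the SYN
        Pkt(1.000050, "eth3", "192.0.2.10", "10.0.0.9", "A"),
        Pkt(1.000100, "eth3", "192.0.2.10", "10.0.0.5", "SA"),
        Pkt(2.000500, "eth3", "192.0.2.10", "10.0.0.6", "SA"),
        Pkt(3.000000, "eth3", "192.0.2.10", "10.0.0.7", "SA"),
    ]
    ordered, stats = skew_tolerant_merge([eth2, eth3], max_skew=0.001)
    return [f"{p.nic}:{p.dst}:{p.flags}" for p in ordered], stats


if __name__ == "__main__":
    order, stats = demo()
    print("\n".join(order))
    print(stats)
```

The naive merge yields `SA` before `S` for 10.0.0.5 because both packets were pulled off their cards within one interrupt window; the skew-tolerant merge puts the SYN first, leaves the in-order handshake for 10.0.0.6 alone, and reports the 10.0.0.7 case as unresolved rather than silently reordering it, since a 500 ms gap is not something interrupt batching explains.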
