question on argus listenning on 2 interfaces
Carter Bullard
carter at qosient.com
Fri Jan 18 15:59:02 EST 2008
Hey Lei,
Did you get a chance to test the new argus-3.0.0.tar.gz on the
server
to see if it solved your DAG problem?
Carter
On Jan 9, 2008, at 8:42 PM, Lei Wei wrote:
> Hi Peter,
>
> Thanks for the help. I did try to use DAG card but I cound't get
> Argus working with DAG. I installed the dag-enabled libpcap0.9.8 but
> Argus just can't get any data from it. Do you have any experience
> with it? If so, could you give me some instructions on how to
> configure argus to recoginize dag card?
> many thanks~
>
> Lei
>
> Quoting Peter Van Epp <vanepp at sfu.ca>:
>
>> On Wed, Jan 09, 2008 at 06:19:28PM -0500, Lei Wei wrote:
>>> Hello,
>>>
>>> I'm now monitoring the border traffic which has an inbound and an
>>> outbound link. I'm not sure how argus would treat those two
>>> interfaces
>>> if specified. I hope that it'll merge the two links and reconstruct
>>> transactions but I'm not sure of what'd happen. And I also wonder if
>>> the unidirection and bidirection options play a role in here.
>>> So any comments?
>>>
>>> THanks.
>>>
>>> Lei
>>
>> Two interfaces from a tap works fine (if not optimally) as in
>>
>> argus -Jd -P 560 -i eth0 -i eth1
>>
>> this will indeed merge the streams most of the time and I've run
>> like this
>> for many years. There are issues (which Carter tweaked a while back
>> in the
>> 3.0 rcs) when what I think is likely interrupt queuing delivers
>> packets out
>> of order though. So the optimal thing is to run two argi one for
>> each interface
>> and then let racluster merge the two individual streams later (or
>> run a DAG
>> cards which will time stamp all packets on receive by the hardware
>> which
>> cures the problem).
>>
>> Peter Van Epp / Operations and Technical Support
>> Simon Fraser University, Burnaby, B.C. Canada
>>
>
>
>
More information about the argus
mailing list