racluster() memory control Re: New To Argus

Peter Van Epp vanepp at sfu.ca
Mon Mar 3 15:30:44 EST 2008


> Peter,
> 
> Very interesting.  Currently we are only monitoring partial traffic and 
> a few organizations using the TX have other providers so there is 
> asymmetric routing.  Then for some subnets we only have unidirectional 
> traffic, so that might affect the results.  Though I think I will still 
> play around with this tool.  If I am still able to find some interesting 
> attack traffic, the TX might appreciate that information.  Giving the TX 
> some benefits for us being there would be a good thing. :)
> 
> Nick

	That's another good use of argus :-). I sometimes find asymmetric routes
due to policy (i.e. CA*net4 accepts the route because it's in the RR but a wrong
BGP filter somewhere in the path sends it back commodity). This shows up in
the commodity traffic report like this:

> >
> >     but comes back in commodity:
> >     
> >199.60.1.4           8,349,227,827 Tot     2,144,505,502 Out     6,204,722,325 In
> >
> >  128.252.252.48             6,115,420,960                  0     6,115,420,960
> >  128.252.252.48:22          6,115,420,960                  0     6,115,420,960
> > 

	This was someone in our CS department heading somewhere on I2 and 
being bitten by a BGP filter. The out is 0 because it is on our C4 link
which is clear channel gig but the return is coming in commodity (130 megs,
saturated and packet shaped) which is both bandwidth restricted and costs 
money. Reporting this up the line usually gets the filter corrected and 
everybody wins (except the gigapops that have to correct the filter of
course :-)) as the user gets better throughput and we (who pay the bandwidth 
bill) get to waste the bandwidth saved in more P2P :-). In the case of 
multiple links, something like argus ids would be needed to figure out the 
source link (I have different argi on each link so it's easy for me). The 
traffic numbers (currently the top 30 bandwidth users in a day) are used to 
decide when this is worth doing because it gets fairly labour intensive for
the various gigapops in the path to figure out who has the bad BGP filter
and you only want to do it when there is a reasonable amount of bandwidth 
involved.

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada
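
The check described in the message above, as an added example that is not part of the original post or of argus: it takes per-link byte totals for each local/remote pair and reports pairs that send on one link while the return traffic arrives on another, keeping only those above a bandwidth threshold. The record layout, link names, addresses, values and the `find_asymmetric` function are all constructed for the illustration.

```python
from collections import defaultdict

# Constructed sample: per-link byte totals for (local host, remote host) pairs,
# as a separate sensor on each link might report them. Link names, addresses
# (RFC 5737 documentation ranges) and values are made up for this example.
SAMPLE = [
    # (link, local, remote, bytes_out, bytes_in)
    ("research",  "192.0.2.4",  "198.51.100.48", 310_000_000, 0),
    ("commodity", "192.0.2.4",  "198.51.100.48", 0, 6_115_000_000),
    ("commodity", "192.0.2.9",  "203.0.113.7",   40_000_000, 900_000_000),
    ("research",  "192.0.2.12", "198.51.100.90", 5_000, 0),
    ("commodity", "192.0.2.12", "198.51.100.90", 0, 80_000),
]

def find_asymmetric(records, min_bytes=1_000_000_000, one_way_ratio=0.01):
    """Return pairs whose outbound and return traffic use different links.

    A link counts as one-way for a pair when the minor direction carries at
    most one_way_ratio of the major direction. Only pairs whose return
    traffic reaches min_bytes are reported, since chasing a bad filter is
    only worth the effort for large flows.
    """
    per_pair = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for link, local, remote, out_b, in_b in records:
        totals = per_pair[(local, remote)][link]
        totals[0] += out_b
        totals[1] += in_b

    findings = []
    for (local, remote), links in per_pair.items():
        out_only = [(l, o) for l, (o, i) in links.items()
                    if o > 0 and i <= o * one_way_ratio]
        in_only = [(l, i) for l, (o, i) in links.items()
                   if i > 0 and o <= i * one_way_ratio]
        for out_link, out_b in out_only:
            for in_link, in_b in in_only:
                if out_link != in_link and in_b >= min_bytes:
                    findings.append({"local": local, "remote": remote,
                                     "out_link": out_link, "bytes_out": out_b,
                                     "in_link": in_link, "bytes_in": in_b})
    # Largest return volume first, like a top-talkers report.
    return sorted(findings, key=lambda f: f["bytes_in"], reverse=True)

if __name__ == "__main__":
    for f in find_asymmetric(SAMPLE):
        print(f)
```
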


