Argus on Bivio 7500

Peter Van Epp vanepp at sfu.ca
Mon Aug 24 19:58:20 EDT 2009


On Sun, Aug 23, 2009 at 01:15:35AM -0400, Jason Carr wrote:
> Although I don't have direct experience with this, I was told that
> having two processes running in one "inspection group", such as argus and
> snort, would be perfectly fine.  In fact a recent conversation with one of
> their tech support guys suggested doing this.  Very soon I hope to be
> able to test this and will provide information on success or failure.
>
> I'd be happy to exchange information about our configuration but I would 
> think we should do this off list since it's not really argus related :)
>
> Why isn't there a Bivio users group yet...?
>
> - Jason
>
	
	Does an "inspection group" span CPUs (remembering I know little about
Bivios :-))? If this means that they map the kernel copy of the packet
(hopefully read only) to two different physical processor/main memory banks
(come to think of it, that seems unlikely from a hardware standpoint unless they
have a multiport SRAM in kernel space) you might be OK. The desirable outcome is
argus running on one CPU/memory bank and snort running in another. Both programs
at line rate need a lot of CPU and memory, and it sounds like they are fighting
for the same resource (CPU, memory or bus bandwidth) when running together. My
first guess would be a single copy of the packet in kernel memory being the
bottleneck.
	While I'm here, Jason, did you manage to fix your problem with the
default device on the Bivio? Is Carter correct that the ioctl is quietly disabling
the pcap interface when it doesn't like the response?

Peter Van Epp
