Argus on Bivio 7500

Jason Carr jcarr at andrew.cmu.edu
Wed Aug 26 15:46:27 EDT 2009 

Peter,

An inspection group is a group of processors that receive data from a  
traffic set.  One of things Bivio does is have multiple physical  
processors and memory.  I'm not 100% sure but I believe that they are  
all separate hardware.  They have trays of CPUs/memory that can be put  
into the different slots.

I haven't had any time to verify any of the default device problems.   
I'll check into it hopefully next week.

- Jason

On Aug 24, 2009, at 7:58 PM, Peter Van Epp wrote:

> On Sun, Aug 23, 2009 at 01:15:35AM -0400, Jason Carr wrote:
>> Although I don't have a direct experience with this I was told that
>> having two processes running in one "inspection group" such as  
>> argus and
>> snort would be perfectly fine.  In fact a recent conversation with  
>> one of
>> their tech support guys suggested doing this.  Very soon I hope to be
>> able to test this and will provide information on success or fail.
>>
>> I'd be happy to exchange information about our configuration but I  
>> would
>> think we should do this off list since it's not really argus  
>> related :)
>>
>> Why isn't there a Bivio users group yet...?
>>
>> - Jason
>>
> 	
> 	Does an "inspection group" span CPUs (remembering I know little about
> Bivios :-))? If this means that they map the kernel copy of the packet
> (hopefully read only) to two different physical processor/main  
> memory banks
> (come to think of it seems unlikely from a hardware standpoint  
> unless they have
> a multiport SRAM in kernel space) you might be OK. The desirable  
> outcome is
> argus running on one CPU/memory bank and snort running in another.  
> Both programs
> at line rate need a lot of CPU and memory and it sounds like they  
> are fighting
> for the same resource (CPU, memory or bus bandwidth) when running  
> together. My
> first guess would be a single copy of the packet in kernel memory  
> being the
> bottleneck.
> 	While I'm here, Jason did you manage to fix your problem with the
> default device on the Bivio? Is Carter correct and the ioctl quietly  
> disabling
> the pcap interface when it doesn't like the response?
>
> Peter Van Epp
>

More information about the argus mailing list