pid files...
Peter Van Epp
vanepp at sfu.ca
Thu Jun 30 22:10:09 EDT 2011
On Thu, Jun 30, 2011 at 08:56:10AM -0400, Phillip Deneault wrote:
> Hmmm, which is best? Probably just a philosophical question, but...
>
> I do something similar, except I use multiple rasplits to connect to a
> single radium instance and break the stream into different timeframes
> and then do my analysis on each as work requires.
>
> So run two collectors? Or one collector and multiple client tools?
>
> Carter, is there a difference?
>
> Thanks,
> Phil
>
While I'm not Carter and I haven't tested this, a quick think about
the situation says it is performance affecting rather than philosophical :-).
Two collectors on the same interface are going to cause pcap to have to copy
the packet buffer an extra time (for the second collector) unless pcap has
a copy on write (which we aren't doing) trick built in so it will give the same
buffer to each instance (I don't think this is likely but haven't looked). Two
collectors have to keep state on the connections eating memory (and memory
bandwidth which is more important and harder to increase) as well as more CPU
cycles.

On the other hand running a second client is dealing with argus data
(around 100 to 1 reduction in size in my experience) which should therefore
have the performance edge over two collectors assuming the link speed is high
enough to make performance an issue. Note the client speed increases that
Carter achieved recently by stopping zeroing buffers on creation. Admittedly
this happens a lot and thus may not be as big an issue in the two collector
case, but memory operations are expensive!

Peter Van Epp