real time flow classification

Oguz Yarimtepe oguzyarimtepe at gmail.com
Sun Oct 7 16:05:42 EDT 2012


Hi,

On Sun, 7 Oct 2012 10:05:48 -0700
Peter Van Epp <vanepp at sfu.ca> wrote:

> While DAGs are the best solution, Intel Server pro cards and PFring 
> work fine with sufficient horsepower even at gig. 

I read reviews, ntop statistics, and some papers. I was thinking the same thing until I tried to contact ntop through their site and asked for the driver. They said that TNAPI is end of life. It is suggested to use DNA (http://www.ntop.org/products/pf_ring/dna/). I am not sure whether they supply DNA free for educational purposes. I asked them but haven't got any reply yet.

> I used to work for a 
> university (and have been using argus for 15 years or more) and one of the 
> things I did was (along with our HPC guys who had a clear channel gig link
> light path on the Canadian research net) capture a netperf run saturating
> the link (don't try this on a production network though!). While the machine
> running argus was an IBM P5 power PC with linux and pfring (which is probably
> more powerful than a P4), that worked fine with minimal packet loss. The reason
> for the PPC machine is that it is big-endian (or little-endian, I never can 
> remember which :-)) unlike the Intel which is the other. Thus the htons macros
> are no op. This appears to be about a %10 or %20 speed increase for capture 
> by not having to swap bytes in the captured packets. Thus if you can find an
> old Apple Power PC machine around (which is now obsolete) that can run linux and
> take the Intel card (i.e. it needs PCIX 64/66 slots) that may be a better
> choice. As long as PFring is happy with your card and OS I suspect Argus will
> be fine (although note the late comments on the list about pfring select 
> ignoring timeouts!). 

I don't have a PPC, so it seems I can give TNAPI+PFRING a try. If I get DNA, I will try it also.
Though I am still trying to get TNAPI+PFRING from the ntop site.

> I'm retired these days and so no longer have fast links
> to play with so my knowledge is getting old, but I should be perfect for the 
> older hardware you are running :-). It also depends on how busy the link you 
> are monitoring is how much packet loss you will see. The argus man records will
> report how much loss pcap reports (because pfring doesn't do the kernel to 
> user space copy, that may not apply in this case though). It's really best to 
> have some external way (RMON on the network switches, or a network management
> system that can independently of argus report packet and/or byte counts) to 
> compare what argus sees with what the network thinks is on the wire. This isn't
> at all easy however. I'll let someone that knows about database issues answer
> your other questions. Good luck and have fun!
> 

Thank you.

> Peter Van Epp

-- 
Oguz Yarimtepe <oguzyarimtepe at gmail.com>
http://about.me/oguzy
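
The external cross-check suggested in the quoted message (comparing what the sensor sees with what the switch counts on the wire) can be sketched as follows. This is an added example, not part of the original thread or of argus; the `Snapshot` fields, the 1% tolerance, and the sample numbers are constructed assumptions, and how the two counters are collected (SNMP/RMON polling, summing packet counts from flow records) is left to the site.

```python
from dataclasses import dataclass

COUNTER32 = 2 ** 32  # assumption: the switch exposes a 32-bit wrapping packet counter


@dataclass
class Snapshot:
    t: int            # poll time in seconds
    switch_pkts: int  # raw counter read from the monitored switch port
    sensor_pkts: int  # cumulative packets summed from the sensor's flow records


def counter_delta(prev, cur, modulus=COUNTER32):
    """Difference of two readings of a wrapping counter (at most one wrap)."""
    return (cur - prev) % modulus


def loss_report(snaps, tolerance=0.01):
    """Return (time, wire_pkts, seen_pkts, loss_ratio, flagged) per poll interval.

    loss_ratio is None for an idle interval; a negative ratio means the sensor
    counted more than the switch, which usually indicates poll-time skew.
    """
    rows = []
    for a, b in zip(snaps, snaps[1:]):
        wire = counter_delta(a.switch_pkts, b.switch_pkts)
        seen = b.sensor_pkts - a.sensor_pkts
        if wire == 0:
            rows.append((b.t, 0, seen, None, False))
            continue
        loss = (wire - seen) / wire
        rows.append((b.t, wire, seen, round(loss, 4), loss > tolerance))
    return rows


# Constructed sample: the switch counter wraps during the first interval,
# and the sensor falls behind under heavier load in the second one.
SAMPLE = [
    Snapshot(0, 4_294_960_000, 0),
    Snapshot(60, 4_992_704, 4_990_000),
    Snapshot(120, 12_992_704, 11_790_000),
]

if __name__ == "__main__":
    for row in loss_report(SAMPLE):
        print(row)
```

Polling both sources at the same instant matters more than the arithmetic: short intervals with skewed poll times will show spurious loss or negative ratios.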


