argus configuration with upstream router

Michael Sanderson sanders at cs.ubc.ca
Tue May 7 14:11:47 EDT 2013


I'm looking for suggestions of how to configure argus to accurately report traffic in a network configuration where my argus sensor is on my side of an upstream router.  I'm in a University department with multiple subnets on virtual LANs switched internally, but with a tapped link to the University's router.  Something like this, with taps on TX and RX to the argus sensor box.


SW <-> +-------------------+           +---------------+
SW <-> |aggregator switch  |  -> TX -> |router/firewall| -> Internet
SW <-> +-------------------+  <- RX <- +---------------+


My current configuration of argus with ARGUS_INTERFACE=dup:eth0,eth1/uplink results in double counting of local, routed traffic (once on TX and once on RX).  Using bond results in the same thing.

To correct this, I've been thinking of moving to independent interfaces, capturing all traffic on RX to get both local routed traffic and inbound Internet traffic, and capturing only Internet bound TX traffic.  However, I'm not 100% positive this will work.  Is this the right path, and what are the gotchas I should be aware of with respect to ensuring my Internet flows see both src and dst packets?  Is there a better direction to be looking at?

Thanks,
     Michael Sanderson
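The double counting described in the question, modelled as an added example (not from the original post or from the argus project): it assumes one constructed department range, 10.10.0.0/16, and that packets the router hairpins back into the department reappear on RX with unchanged addresses. It compares a dup:-style policy (keep everything from both taps) with the proposed split (all of RX, only Internet-bound TX) on a handful of constructed packets.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed: the department's internal subnets behind the tapped uplink.
LOCAL_NETS = [ip_network("10.10.0.0/16")]

def is_local(ip):
    return any(ip_address(ip) in net for net in LOCAL_NETS)

# Constructed packets as (src, dst). The first pair is VLAN-to-VLAN traffic the
# router hairpins; the second pair is one outbound and one inbound Internet packet.
PACKETS = [
    ("10.10.1.5", "10.10.2.7"), ("10.10.2.7", "10.10.1.5"),
    ("10.10.1.5", "203.0.113.9"), ("203.0.113.9", "10.10.1.5"),
]

def tap_observations(packets):
    """Every packet leaving the department is seen on TX; every packet the router
    delivers into the department is seen on RX. Hairpinned packets hit both taps."""
    obs = []
    for src, dst in packets:
        if is_local(src):
            obs.append(("tx", src, dst))
        if is_local(dst):
            obs.append(("rx", src, dst))
    return obs

def flow_key(src, dst):
    # Direction-agnostic key, the way a bidirectional flow record merges both sides.
    return tuple(sorted((src, dst)))

def dup_policy(iface, src, dst):
    return True  # dup: keeps both taps wholesale

def split_policy(iface, src, dst):
    return iface == "rx" or not is_local(dst)  # RX: all; TX: only Internet-bound

def count_packets_per_flow(obs, keep):
    counts = Counter()
    for iface, src, dst in obs:
        if keep(iface, src, dst):
            counts[flow_key(src, dst)] += 1
    return counts

def directions_seen(obs, keep):
    # Which (src, dst) directions survive the policy; Internet flows need both.
    return {(src, dst) for iface, src, dst in obs if keep(iface, src, dst)}
```

Under dup_policy the hairpinned flow shows four packets for two sent, while split_policy reports two and still retains both directions of the Internet flow.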
