Heavy Traffic Conditions
Carter Bullard
carter at qosient.com
Mon Feb 3 16:37:40 EST 2014
Hey Jeffrey,
This is how the Tilera chip port works. Each argus generates flow records
based on context of the packet stream that it gets, so if the packet capture
facility forwards packets intelligently, you’ll get some good parallelism /
concurrency. Breaks down when the packet forwarder is doing something
stupid, and you end up with the same flow being tracked by multiple argi.
That is not a disaster, just some of the metrics don’t work as well as
you would like, such as jitter.
You then use radium() to collect from all your argus instances, to generate
a single stream of argus records that represent the observation domain. As
long as the timestamps in the packets are good, then this works very well.
You can have all the argi use the same source id, although radium() may not
be completely happy with that, but it should work. Any ra* aggregator,
such as racluster(), ratop(), rabins() etc….can be used to merge records
together that should be merged because the packet forwarding layer was
broken, or if you want to try to get bi-directional flows from unidirectional
flow generators.
I think a significant number of people are doing this.
Carter
On Feb 3, 2014, at 2:48 PM, Reynolds, Jeffrey <JReynolds at utdallas.edu> wrote:
> Hello,
>
> I’m curious to know if it’s possible to having multiple instances of Argus running on one machine, and have traffic load balanced across these instances utilizing PF_RING inside of CentOS. From my understanding, PF_RING has this capability and it is used with applications such as Snort to utilize parallel processing of high bandwidth links, but I haven’t seen any documentation on how one might accomplish this with Argus. Any information on the topic would be much appreciated. Thanks!
>
> Jeff
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20140203/3cea395a/attachment.sig>
More information about the argus
mailing list