[unisog] registering servers
michael.holstein at csuohio.edu
Fri Jul 28 13:10:40 GMT 2006
> But still can't seem to find the info I'm after on performance. Our
> primary link to the Internet peaks at just over 100 Mbit/sec in plus 50
> Mbit/sec out and 15,000 packets/sec in both directions. Averages for a
> 24 hour period are around 35 Mbit/sec in, 20 Mbit/sec out and 6,000
> packets/sec. Do you know what sort of machine we would need to handle
> this amount of traffic? Is it safe to assume that if the machine has a
> disk subsystem that can handle the write speed equivalent to the amount
> of traffic it sees (i.e. 150 Mbit/sec or 18.75 MByte/sec) that it will
> be able to handle the load? What sort of CPU and memory requirements
> does it have?

We have a similar amount of traffic here, and I'm doing it on a 3ghz
(HT) P4 (which is also running 2 instances of snort -- but not with full

The Argus process doesn't consume much CPU time (by comparison) at all.
I'm offloading the disk-writes by running argus on the aforementioned
machine, and the collector on a different one (that's got a big raid box

The argus logfiles aren't terribly huge .. ~10gb/day. The only PITA is
rotating them since the 'ra' process in Argus doesn't handle a SIGINT
like it ought to (but can be fixed with a script).

Note that you're not "recording" the traffic (eg .. it's not 'tcpdump -s
/some/file') .. you're just keeping track of headers and bytes, so the
storage requirements are a lot less.

Hit me off-list if you want exact statistics.

Michael Holstein CISSP GCIA
Cleveland State University