[unisog] registering servers

Peter Van Epp vanepp at sfu.ca
Fri Jul 28 15:06:52 GMT 2006

On Fri, Jul 28, 2006 at 01:45:55PM +1000, Tim Eden (te) wrote:
> Hi Peter,
> Thanks for the wealth of information! So it looks like if you have a two 
> box setup the hardware requirements are fairly reasonable.
> >with sufficient money performance isn't a problem
> >
> This is usually where the stumbling blocks occur.. ;-)
> Cheers,
> Tim

	By the time money becomes a big issue (and I failed to mention, the
problem Eric was talking about on the blog entry was on a 600+ meg per second
network connection :-)) the link cost dwarfs argus costs (i.e. if you can 
afford the link you can probably afford argus). Yes two box systems are best,
but as noted the second box can be any old beater and the sensor box can be
a lot smaller than the ones I'm using I'm sure. My advise is use whatever you
have, the sensor may lose packets (the man records will tell you if libpcap
is losing packets) but it will still mostly capture things. Then when it 
becomes indispensable you can upgrade til you don't lose packets if you need
to :-). Part of the reason for my boxes is that someone did a GigE benchmark 
and the Tyan Thunder motherboard with SysKonnect fibre gig cards can (and still
does) fill the pipe at Gig so I just bought the same setup. I suspect on a 100 
link any pretty much any box today would do the job. If you have a Mac PowerPC 
Xserve around it would make an excellent sensor (its correct endian which adds
a suprising amount of efficiency to argus processing due to the saving in byte
swapping at high link speeds, thats why I am switching to my P510 boxes). The 
Gig cards (if you need Gig) need 64 bit PCI (pretty common these days) to make 
full speed but at 100 I suspect that I could substitute another 600 meg P3 and 
still work on my commodity link (the SysKonnect cards wouldn't like it though 
:-)). It would also be fine as a first cut to use a single box and write to 
local disk. You will see a bit of packet loss but it isn't signifigant and is
probably easier to set up initially (althought the two box solution is still
pretty simple, and scripts to do it all are included in my perl traffic 
reporting tar ball). 

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

More information about the unisog mailing list