> Please keep an open mind, and make that "where and whether".
My mind is quite open, thank you. The entire thrust of my interest is
in to what degree does bonding affect sniffing. I understand
completely that the possibilities range from having a large impact to
zero impact.
> In my experience bonding's overhead was so negligible that I doubt
> it would show up as a critical factor in any configuration.
This has not been my experience - nor does it make sense. Any
additional work that needs to be done in a high bandwidth scenario can
have a large impact on performance. For example, adding one poorly
written signature in a low volume network can go by unnoticed.
However, drop that same signature in a high bandwidth environment and
your CPU utilization goes through the roof. It stands to reason that
bonding *could* impose similar issues.
> Happily, tcpdump -s0 will capture a nice test file from wherever
> you're planning on snorting, and tcpreplay makes it easy to blast it
> back at your snorter. Set up N boxes, where N == twice the number of
> taps you're going to support, and have 'em blast into the bonded
> NICs over crossover cables, with tcpreplay. You can control the
> playback speed, you know how many packets went out, so you can
> subtract from how many were snorted to measure exactly how many were
> dropped.
Yes, this is a nice scenario to test, but I'm also interested in
hearing what people are seeing who actually use this in a real world
environment.
____
S.f.Stover
sstover (at) iwc.sytexinc (dot) com [email concealed]
My mind is quite open, thank you. The entire thrust of my interest is
in to what degree does bonding affect sniffing. I understand
completely that the possibilities range from having a large impact to
zero impact.
> In my experience bonding's overhead was so negligible that I doubt
> it would show up as a critical factor in any configuration.
This has not been my experience - nor does it make sense. Any
additional work that needs to be done in a high bandwidth scenario can
have a large impact on performance. For example, adding one poorly
written signature in a low volume network can go by unnoticed.
However, drop that same signature in a high bandwidth environment and
your CPU utilization goes through the roof. It stands to reason that
bonding *could* impose similar issues.
> Happily, tcpdump -s0 will capture a nice test file from wherever
> you're planning on snorting, and tcpreplay makes it easy to blast it
> back at your snorter. Set up N boxes, where N == twice the number of
> taps you're going to support, and have 'em blast into the bonded
> NICs over crossover cables, with tcpreplay. You can control the
> playback speed, you know how many packets went out, so you can
> subtract from how many were snorted to measure exactly how many were
> dropped.
Yes, this is a nice scenario to test, but I'm also interested in
hearing what people are seeing who actually use this in a real world
environment.
____
S.f.Stover
sstover (at) iwc.sytexinc (dot) com [email concealed]
[ reply ]