Re: port bonding and taps

["Sam f. Stover" <sstover () iwc sytexinc com>]

> Please keep an open mind, and make that "where and whether".

My mind is quite open, thank you.  The entire thrust of my interest is 
in to what degree does bonding affect sniffing.  I understand 
completely that the possibilities range from having a large impact to 
zero impact.

> In my experience bonding's overhead was so negligible that I doubt
> it would show up as a critical factor in any configuration.

This has not been my experience - nor does it make sense.  Any 
additional work that needs to be done in a high bandwidth scenario can 
have a large impact on performance.  For example, adding one poorly 
written signature in a low volume network can go by unnoticed.  
However, drop that same signature in a high bandwidth environment and 
your CPU utilization goes through the roof.  It stands to reason that 
bonding *could* impose similar issues.

> Happily, tcpdump -s0 will capture a nice test file from wherever
> you're planning on snorting, and tcpreplay makes it easy to blast it
> back at your snorter. Set up N boxes, where N == twice the number of
> taps you're going to support, and have 'em blast into the bonded
> NICs over crossover cables, with tcpreplay. You can control the
> playback speed, you know how many packets went out, so you can
> subtract from how many were snorted to measure exactly how many were
> dropped.

Yes, this is a nice scenario to test, but I'm also interested in 
hearing what people are seeing who actually use this in a real world 
environment.



____
S.f.Stover
sstover () iwc sytexinc com

Attachment: PGP.sig
Description: