[105483] in North American Network Operators' Group


Re: Techniques for passive traffic capturing

daemon@ATHENA.MIT.EDU (Matt Cable)
Wed Jun 25 18:10:23 2008

To: nanog@nanog.org
From: Matt Cable <wozz@wookie.net>
Date: Wed, 25 Jun 2008 21:47:50 +0000 (UTC)
X-Complaints-To: usenet@ger.gmane.org
Errors-To: nanog-bounces@nanog.org

Ross Vandegrift <ross <at> kallisti.us> writes:

> 
> On Tue, Jun 24, 2008 at 01:19:03PM +1200, Nathan Ward wrote:
> > I see little point in aggregating tapped traffic, unless you have only  
> > a small amount of it and you're doing it to save cost on monitoring  
> > network interfaces - but is that saved cost still a saving when you  
> > factor in the cost of the extra 3750s in the middle? I'd guess no.
> 
> Thanks for all the info Nathan - lots of good leads in your email.
> Let me include some more information.
> 
> The problem is finding a way to multiplex that traffic from the
> optical tap to multiple things that want to peek at it.  The
> remote-span trick solves that, as well as integrating media
> converters.  3750 is nice since you can stack em up and mix/match the
> SFP and copper ports.
> 


http://www.gigamon.com.  Taps+MultiPlexing+Filtering+Clustering+10g.  I've been
using them very successfully for exactly what you describe for the last 2 years.
If they are a bit too pricey, look at http://www.vssmonitoring.com.  Similar
capabilities to Gigamon, slightly less flexibility (fixed hardware
configurations vs Gigamon's modular configuration) and possibly cheaper
depending on your needs.


