[106476] in North American Network Operators' Group


Re: Hardware capture platforms

daemon@ATHENA.MIT.EDU (James Pleger)
Tue Jul 29 22:26:23 2008

Date: Tue, 29 Jul 2008 19:26:09 -0700
From: "James Pleger" <jpleger@gmail.com>
To: "nanog@merit.edu" <nanog@merit.edu>
In-Reply-To: <ffe0b3100807291845i487b6169sf4fe992a0c95b588@mail.gmail.com>
Errors-To: nanog-bounces@nanog.org

There are several things that you can do with open source solutions,
however looking at the data may be a bit more difficult than something
like Network General's or Solera Networks' capture appliances. It is
still doable and is definitely much, much cheaper...

Something you might want to look into is traffic aggregation with a
switch or hub. You can buy an Allied Telesyn switch and basically turn
it into a hub by disabling switchport learning. Just an idea.

You can use regular old tcpdump with the -C option to rotate logs:

tcpdump -i blah -s0 -C <filesize to rotate>, etc.

or you can use Daemonlogger which does pretty much the same thing...

http://www.snort.org/users/roesch/Site/Daemonlogger/Daemonlogger.html


On Tue, Jul 29, 2008 at 6:45 PM, Network Fortius <netfortius@gmail.com> wrote:
> Richard's blog @ http://taosecurity.blogspot.com/search?q=taps and
> especially his books (Tao of Network Security Monitoring and Extrusion
> Detection) are the best sources I have ever found, concerning [not only]
> taps and[/but] so much more on the subject - proper usage and best
> methodologies and practices for network monitoring (and not only for
> security!!!)
>
>
> Stefan
>
> On Tue, Jul 29, 2008 at 7:12 PM, Christopher Morrow <morrowc.lists@gmail.com> wrote:
>
>> On Wed, Jul 30, 2008 at 12:35 AM, Jared Mauch <jared@puck.nether.net>
>> wrote:
>> > Check out packet forensics depending on what your ultimate requirements
>> are.
>> >
>>
>> I would also add a 'see packet forensics'...
>>
>> > On Jul 29, 2008, at 7:10 PM, "John A. Kilpatrick" <john@hypergeek.net>
>> > wrote:
>> >
>> >>
>> >> We've deployed a bunch of taps in our network and now we need a platform on
>> >> which to capture the data.  Our bandwidth is currently pretty low but I've
>> >> got 8 links to tap, which means I need 16 ports.  Has anyone done any
>> >> research on doing accurate packet capture with commodity hardware?
>> >>
>> >>
>> >> --
>> >>                              John A. Kilpatrick
>> >> john@hypergeek.net                Email|     http://www.hypergeek.net/
>> >> john-page@hypergeek.net      Text pages|          ICQ: 19147504
>> >>                remember:  no obstacles/only challenges
>> >>
>> >>
>> >
>> >
>>
>>
>
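Added example, not from the thread: a small POSIX shell helper that builds the size-rotated tcpdump command line suggested above (with -W to cap the ring of files and -z to compress closed files, both tcpdump 4.x options) and a check of the "dropped by kernel" counter tcpdump prints on exit, which is the first thing to look at when asking whether a commodity sensor is capturing accurately. The interface, sizes and the summary text are constructed sample values.

```shell
#!/bin/sh
# Added example (not the poster's code). Assumes tcpdump 4.x for -W and -z.

# Build a size-rotated capture command.
# $1 interface, $2 rotate size in MB (-C), $3 files in the ring (-W), $4 output prefix.
# -s0 keeps full packets, -n avoids DNS lookups on the sensor, -z gzip compresses
# each file after tcpdump closes it, so disk use stays bounded.
build_capture_cmd() {
  iface=$1; size_mb=$2; keep=$3; prefix=$4
  printf 'tcpdump -i %s -n -s0 -C %s -W %s -w %s.pcap -z gzip\n' \
    "$iface" "$size_mb" "$keep" "$prefix"
}

# Read tcpdump's exit summary on stdin and print the kernel drop rate as an
# integer percentage. Anything above 0 means the capture box is lossy and the
# "accurate capture" question is not yet answered for that link.
drop_rate_percent() {
  awk '
    /packets received by filter/ { recv = $1 }
    /packets dropped by kernel/  { drop = $1 }
    END {
      if (recv == 0) print 0
      else printf "%d\n", (drop * 100) / recv
    }'
}

# Constructed sample of what tcpdump prints to stderr when it exits.
SAMPLE_SUMMARY='10000 packets captured
12000 packets received by filter
2000 packets dropped by kernel'

# Returns the drop rate for the constructed sample (16, i.e. 2000/12000).
check_sample_summary() {
  printf '%s\n' "$SAMPLE_SUMMARY" | drop_rate_percent
}

# Run stand-alone: show the command for one tap pair and the sample drop rate.
if [ "${1:-}" = "demo" ]; then
  build_capture_cmd eth1 100 20 /var/cap/tap1
  echo "sample kernel drop rate: $(check_sample_summary)%"
fi
```

When a rotation has finished, reading the summary with `2>` redirected to a log lets the check run unattended against each capture session.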

