[106480] in North American Network Operators' Group


Re: Hardware capture platforms

daemon@ATHENA.MIT.EDU (Warren Kumari)
Wed Jul 30 14:32:55 2008

From: Warren Kumari <warren@kumari.net>
To: Darryl Dunkin <ddunkin@netos.net>
In-Reply-To: <56F5BC5F404CF84896C447397A1AAF207AF0BC@MAIL.nosi.netos.com>
Date: Wed, 30 Jul 2008 14:32:31 -0400
Cc: nanog@merit.edu
Errors-To: nanog-bounces@nanog.org


On Jul 29, 2008, at 10:43 PM, Darryl Dunkin wrote:

> Hubs sure are fun...
>

This might be a stupid question, but where can one get small hubs
these days? All of the common commodity (e.g.: 4-port Netgear) "hubs"
these days are actually switches.

What I am looking for is:
Small enough to live in my notebook bag (e.g.: 4 port with a wall wart.)
Cheap
Simple
10/100/1000Mbps

While a tap would work, I'd prefer a hub because I can then use it to
connect machines together in a pinch.

W
---

In the past I have bought some cheap 4-port commodity switches (from
Circuit City or somewhere similar), found the datasheet for the
chipset (it was a Broadcom something or other) and tied the pin to
ground that disables the learning mode (actually, I think that the pin
just set the size of the learning table to be 0 entries).  While this
works, doing it once was more than enough :-)

> I would trunk the ports you are monitoring, and run the port monitor on
> the trunk port instead (one trunk port, one port per VLAN, plus one
> span) which will help with your density. This is assuming the analysis
> software you have can read the dot1q tags, but means you do not need to
> burn two ports per monitor.
>
> -----Original Message-----
> From: James Pleger [mailto:jpleger@gmail.com]
> Sent: Tuesday, July 29, 2008 19:26
> To: nanog@merit.edu
> Subject: Re: Hardware capture platforms
>
> There are several things that you can do with open source solutions,
> however looking at the data may be a bit more difficult than something
> like Network Generals or Solera Networks capture appliances. It is
> still doable and is definitely much much cheaper...
>
> Something you might want to look into is traffic aggregation with a
> switch or hub. You can buy an Allied Telesyn switch and basically turn
> it into a hub by disabling switchport learning. Just an idea.
>
> You can use regular old tcpdump with the -C option to rotate logs
>
> tcpdump -i blah -s0 -C <filesize to rotate>, etc.
>
> or you can use Daemonlogger which does pretty much the same thing...
>
> http://www.snort.org/users/roesch/Site/Daemonlogger/Daemonlogger.html
>
>
> On Tue, Jul 29, 2008 at 6:45 PM, Network Fortius <netfortius@gmail.com>
> wrote:
>> Richard's blog @ http://taosecurity.blogspot.com/search?q=taps and
>> especially his books (Tao of Network Security Monitoring and Extrusion
>> Detection) are the best sources I have ever found, concerning [not only]
>> taps and[/but] so much more on the subject - proper usage and best
>> methodologies and practices for network monitoring (and not only for
>> security!!!)
>>
>>
>> Stefan
>>
>> On Tue, Jul 29, 2008 at 7:12 PM, Christopher Morrow
>> <morrowc.lists@gmail.com> wrote:
>>
>>> On Wed, Jul 30, 2008 at 12:35 AM, Jared Mauch <jared@puck.nether.net>
>>> wrote:
>>>> Check out packet forensics depending on what your ultimate
>>>> requirements are.
>>>>
>>>
>>> I would also add a 'see packet forensics'...
>>>
>>>> On Jul 29, 2008, at 7:10 PM, "John A. Kilpatrick" <john@hypergeek.net>
>>>> wrote:
>>>>
>>>>>
>>>>> We've deployed a bunch of taps in our network and now we need a
>>>>> platform on which to capture the data.  Our bandwidth is currently
>>>>> pretty low but I've got 8 links to tap, which means I need 16 ports.
>>>>> Has anyone done any research on doing accurate packet capture with
>>>>> commodity hardware?
>>>>>
>>>>>
>>>>> --
>>>>>                             John A. Kilpatrick
>>>>> john@hypergeek.net                Email| http://www.hypergeek.net/
>>>>> john-page@hypergeek.net      Text pages|          ICQ: 19147504
>>>>>               remember:  no obstacles/only challenges
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>
>

--
"Build a man a fire, and he'll be warm for a day. Set a man on fire,  
and he'll be warm for the rest of his life." -- Terry Pratchett
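Darryl's trunked-span suggestion above only works if the capture software can read the dot1q tags and map each frame back to the port it was mirrored from. As an added example (not code from this thread or from any of the tools mentioned in it), the following Python parser strips stacked 802.1Q/802.1ad tags from raw Ethernet frames and buckets them by outer VLAN ID; the MAC addresses, VLAN numbers, port names and sample frames are all constructed.

```python
import struct
from dataclasses import dataclass

TPIDS = {0x8100, 0x88A8, 0x9100}  # tags we peel off: 802.1Q, 802.1ad (QinQ), legacy QinQ

@dataclass
class Frame:
    dst: str
    src: str
    vlans: list        # VLAN IDs outer to inner; empty for an untagged frame
    ethertype: int     # ethertype of the encapsulated payload
    payload: bytes

def parse_frame(raw):
    """Parse an Ethernet II frame, stripping any stacked 802.1Q/802.1ad tags."""
    if len(raw) < 14:
        raise ValueError("runt frame")
    dst, src, off, vlans = raw[0:6].hex(":"), raw[6:12].hex(":"), 12, []
    while True:
        if len(raw) < off + 2:
            raise ValueError("truncated ethertype")
        etype = struct.unpack("!H", raw[off:off + 2])[0]
        if etype not in TPIDS:
            break
        if len(raw) < off + 4:
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack("!H", raw[off + 2:off + 4])[0]
        vlans.append(tci & 0x0FFF)  # VID is the low 12 bits; PCP/DEI bits are ignored
        off += 4
    return Frame(dst, src, vlans, etype, raw[off + 2:])

def demux_by_vlan(frames, vlan_to_port):
    """Bucket raw frames by the monitored port that the outer VLAN ID maps back to."""
    buckets = {}
    for raw in frames:
        f = parse_frame(raw)
        port = vlan_to_port.get(f.vlans[0], "unknown-vlan") if f.vlans else "untagged"
        buckets.setdefault(port, []).append(f)
    return buckets

def build_frame(vids, etype=0x0800, payload=b"\x45" + b"\x00" * 19):
    """Constructed sample frame: broadcast dst, locally administered src, one tag per VID."""
    hdr = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
    tags = b"".join(struct.pack("!HH", 0x8100, vid) for vid in vids)
    return hdr + tags + struct.pack("!H", etype) + payload

# Constructed VLAN-to-port map, as the trunk/span configuration would define it
VLAN_PORTS = {10: "Gi0/1", 20: "Gi0/2"}
SAMPLE = [build_frame([10]), build_frame([20]), build_frame([]), build_frame([30, 10])]
```

Frames whose outer VID is not in the map land in an "unknown-vlan" bucket rather than being silently attributed to the wrong port, which is the case worth alarming on when a span port starts carrying VLANs you did not configure.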