[106503] in North American Network Operators' Group


Re: Hardware capture platforms

daemon@ATHENA.MIT.EDU (Leon Ward)
Thu Jul 31 11:01:11 2008

From: Leon Ward <seclists@rm-rf.co.uk>
To: Juuso Lehtinen <juuso.lehtinen@gmail.com>
In-Reply-To: <c102c70c0807310616q2b7cbc6fsf9749cabae2b11f1@mail.gmail.com>
Date: Thu, 31 Jul 2008 16:00:36 +0100
Cc: nanog@merit.edu
Errors-To: nanog-bounces@nanog.org


On 31 Jul 2008, at 14:16, Juuso Lehtinen wrote:

> Second that.
>
> Using a hub to tap into a single link is also risky. I used to monitor a
> single FE link with a 100M hub. After the link had moderate utilization
> (>20%), the collision LED was lit all the time.
>
> I've had good experience with VSS Monitoring Ethernet Aggregator  
> taps. Also Catalyst 2960 SPAN seems to work OK.
>
> As for the capture PC, we've been using a regular PC with Wireshark.
> That's good for a single FE link, but has problems with GE and multiple
> links.

If you need to increase the speed of your capture tool, maybe this link [1]
may be of use.
It is an implementation of libpcap that uses a shared memory
ring buffer, which can result in some capture performance gains.

[1] http://public.lanl.gov/cpw/


-Leon

> BR,
>  Juuso
>
> On Wed, Jul 30, 2008 at 4:26 PM, Leon Ward <seclists@rm-rf.co.uk>  
> wrote:
>
> On 30 Jul 2008, at 03:26, James Pleger wrote:
>
> Something you might want to look into is traffic aggregation with a
> switch or hub. You can buy an Allied Telesyn switch and basically turn
> it into a hub by disabling switchport learning. Just an idea.
>
> Never try to aggregate multiple TAPs with a hub.
> You will just create a bucket load of collisions and end up with a
> useless data feed presented to your monitoring tool. If you want to
> aggregate multiple TAP feeds into a smaller number of device(s),
> most of the TAP vendors make some form of link aggregation device.
>
> Or, depending on the OS and sniffer you use, you may be able to bond  
> the interfaces on the capture device.
>
> -Leon
>
>
>
>
> You can use regular old tcpdump with the -C option to rotate logs
>
> tcpdump -i blah -s0 -C <filesize to rotate>, etc.
>
> or you can use Daemonlogger which does pretty much the same thing...
>
> http://www.snort.org/users/roesch/Site/Daemonlogger/Daemonlogger.html
>
>
>
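
The two capture-side problems raised in this thread, a PC sniffer that "has problems with GE" and the shared memory ring buffer Leon points to as the fix, come down to one mechanism: a fixed-size ring between the capture loop and a slower writer, which drops frames rather than stalling capture once it fills. The model below is an added example written for this archive page; it is not code from the cpw project or from any poster, and the slot counts, frame contents and consumer timing are constructed for illustration.

```python
"""Fixed-size packet ring with drop accounting (added illustrative model)."""


class PacketRing:
    """Single-producer / single-consumer ring of fixed slots.

    The capture loop calls push(); the slower writer calls pop(). When the
    ring is full the newest frame is dropped and counted, mirroring how a
    ring-buffer capture library avoids blocking the capture side.
    """

    def __init__(self, slots: int) -> None:
        if slots < 1:
            raise ValueError("ring needs at least one slot")
        self.slots = [None] * slots
        self.head = 0          # next slot the producer writes
        self.tail = 0          # next slot the consumer reads
        self.count = 0         # frames currently buffered
        self.received = 0      # frames offered by the capture loop
        self.dropped = 0       # frames lost because the ring was full

    def push(self, frame: bytes) -> bool:
        self.received += 1
        if self.count == len(self.slots):
            self.dropped += 1
            return False
        self.slots[self.head] = frame
        self.head = (self.head + 1) % len(self.slots)
        self.count += 1
        return True

    def pop(self):
        if self.count == 0:
            return None
        frame = self.slots[self.tail]
        self.slots[self.tail] = None
        self.tail = (self.tail + 1) % len(self.slots)
        self.count -= 1
        return frame


def simulate(slots: int, nframes: int, drain_every: int):
    """Offer one constructed frame per tick; the consumer takes one frame
    every `drain_every` ticks. Returns (received, delivered, dropped)."""
    ring, delivered = PacketRing(slots), 0
    for tick in range(nframes):
        ring.push(b"frame-%d" % tick)            # constructed sample frame
        if (tick + 1) % drain_every == 0 and ring.pop() is not None:
            delivered += 1
    while ring.pop() is not None:                # writer catches up at the end
        delivered += 1
    return ring.received, delivered, ring.dropped
```

A consumer that keeps pace loses nothing regardless of ring size; one that runs at half the link rate loses frames as soon as the ring fills, and a larger ring only postpones the first drop rather than preventing it.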

