[106521] in North American Network Operators' Group
Re: Hardware capture platforms
daemon@ATHENA.MIT.EDU (Nickola Kolev)
Thu Jul 31 15:38:10 2008
Date: Thu, 31 Jul 2008 22:37:22 +0300
From: Nickola Kolev <nikky@mnet.bg>
To: Leon Ward <seclists@rm-rf.co.uk>
In-Reply-To: <321A420C-B5BF-4D63-B4A9-F1C1B089046D@rm-rf.co.uk>
Cc: nanog@merit.edu
Errors-To: nanog-bounces@nanog.org
Hey,
On Thu, 31 Jul 2008 16:00:36 +0100
Leon Ward <seclists@rm-rf.co.uk> wrote:
>
> On 31 Jul 2008, at 14:16, Juuso Lehtinen wrote:
>
> > Second that.
> >
> > Using a hub to tap into a single link is also risky. I used to monitor
> > a single FE link with a 100M hub. After the link had moderate
> > utilization (>20%), the collision LED was lit all the time.
> >
> > I've had good experience with VSS Monitoring Ethernet Aggregator
> > taps. Also Catalyst 2960 SPAN seems to work OK.
> >
> > As for the capture PC, we've been using a regular PC with Wireshark.
> > That's good for a single FE link, but has problems with GE and multiple
> > links.
>
> If you need to increase the speed of your capture tool, maybe this [1]
> link may be of use.
> It is an implementation of libpcap that implements a shared memory
> ring buffer, which can result in some capture performance gains.
>
> [1] http://public.lanl.gov/cpw/
Better off - http://www.ntop.org/PF_RING.html
I've seen a tenfold decrease in CPU usage using PF_RING.
>
> -Leon
[ cut ]
--
Best regards,
Nickola Kolev