[46434] in North American Network Operators' Group
Re: Let's talk about Distance Sniffing/Remote Visibility
daemon@ATHENA.MIT.EDU (E.B. Dreger)
Thu Mar 28 13:00:00 2002
Date: Thu, 28 Mar 2002 17:59:20 +0000 (GMT)
From: "E.B. Dreger" <eddy+public+spam@noc.everquick.net>
To: Richard A Steenbergen <ras@e-gerbil.net>
Cc: CARL.P.HIRSCH@sargentlundy.com, nanog@merit.edu
In-Reply-To: <20020328171955.GA6296@overlord.e-gerbil.net>
Message-ID: <Pine.LNX.4.20.0203281754180.6674-100000@www.everquick.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Errors-To: owner-nanog-outgoing@merit.edu
> Date: Thu, 28 Mar 2002 12:19:55 -0500
> From: Richard A Steenbergen <ras@e-gerbil.net>
(snipping throughout)
> Disk I/O on a sniffer box? Sounds like you've been sniffing
> something other than packets my friend. :)
I like to log interesting packets; I agree with Carl.
> You can build your own box like that easily enough. If you're going for
> FastE sniffing I highly recommend the Adaptec Quartet 4-port cards. If
D-Link DFE-570TX are _very_ cheap if you're happy with 32-bit /
33 MHz PCI.
[ snip FreeBSD + Alteon ]
I did not know about the partial-packet DMA transfers. Mmmmm....
> Or if you're comfortable writing kernel code, I recommend you
> make a character device for sniffer device control, and use it
> to pass page-aligned malloc'd memory pointers from userland
> into the nic driver, which you then pass to the card as the RX
> ring buffers. This will let you DMA your packets directly into
> userland. If not, at least unhook ether_input(). :)
Never done this. About how much "capacity" does the zero-copy
approach add?
--
Eddy
Brotsman & Dreger, Inc. - EverQuick Internet Division
Phone: +1 (316) 794-8922 Wichita/(Inter)national
Phone: +1 (785) 865-5885 Lawrence
--
Date: Mon, 21 May 2001 11:23:58 +0000 (GMT)
From: A Trap <blacklist@brics.com>
To: blacklist@brics.com
Subject: Please ignore this portion of my mail signature.
These last few lines are a trap for address-harvesting spambots. Do NOT
send mail to <blacklist@brics.com>, or you are likely to be blocked.
