[46441] in North American Network Operators' Group


Re: Let's talk about Distance Sniffing/Remote Visibility

daemon@ATHENA.MIT.EDU (Travis Dawson)
Thu Mar 28 15:56:27 2002

Message-Id: <5.1.0.14.2.20020328110350.03e95270@mail.bluemartini.com>
Date: Thu, 28 Mar 2002 12:55:51 -0800
To: CARL.P.HIRSCH@sargentlundy.com, nanog@merit.edu
From: Travis Dawson <tdawson@bluemartini.com>
In-Reply-To: <OFF4AC5973.6F02CDCE-ON86256B8A.004ECB9A@sargentlundy.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Errors-To: owner-nanog-outgoing@merit.edu


At 06:27 AM 3/28/2002, CARL.P.HIRSCH@sargentlundy.com wrote:
>It seems to me that the means available are A) a very expensive distributed
>NAI Sniffer installation B) standard RMON probes and the NMS of your choice
>and C) A linux box with a ton of interfaces running Ethereal accessed via
>Xwindows/VNC/whatever.


Ran into this and went with C but couldn't fit as many NICs in
the newly christened sniffer box as I wanted.
My solution was to take a Cisco Cat 2900 (and a Foundry Workgroup switch
later) and I worked up a series of rancid scripts (since changed to SNMP
Set commands in a Perl script) that would enable and disable ports along
with setting the port mirroring. This gave me 22 ports to play with, each
into a different switch so that I could directly monitor almost every FE
port in the Co-lo. It's a little 'hacky' but it works surprisingly well
(after a bit of up-front work). I haven't attempted to monitor a GigE port
yet but I'm sure that a Cisco Cat 3508 would be able to do the job as well.

Hope this helps someone.

-tdawson
-Network Geek (Bit Pusher)
-BlueMartini Software 

