IDS mailing list archives
Re: Passive Network Taps - on the cheap
From: Packet Man <packetman () altsec info>
Date: Mon, 13 Feb 2006 17:02:14 -0600
Richard Bejtlich wrote:
You mention "ZERO network degradation" for your last two tables, but it seems you are only looking at TX and RX errors between the parties exchanging traffic. How do you measure the number of packets captured by the sensor? For example, study 3 lists workstation having 174739 "Total Packets" (TX + RX), but the sensor has 112686 "Rx packets". Does this mean 174739-112686=62053 packets (35%) were not seen by the sensor?
The traffic is measured on the target host, and on the bond0 interface of the sensor; therefore, the numbers for bond0 should be all of the traffic that the target host saw. In the initial tests, I ran timed dumps of netstat -i on the host and sensor, plus I was capturing on the sensor with tcpdump. After the test, an "eyeball" check of the packet count was made against the capture file. The study for the Linux host, was very close in packet count with no errors; with the sensor actually having a surplus of around 140 packets. I am sure that this is the result of the difference in start times for the test, with a few seconds lag between the machines. I suspect that the Windows tests have far more packets on the Windows box than the sensor due to the difference in the way Linux and Windows look at the network. But, I am rerunning the Windows box with an ethereal capture going to be able to run accurate stats on the test. I doubt that the first test really showed a 35% loss of packets, but we should know shortly.
Also, in your first doc you say: "Granted, you could very well use switch ports to aggregate the signal from the PNT's tap jacks, or maybe even a hub (haven't tried). " Connecting tap outputs to a hub makes a great collision factory, not a way to combine tap outputs. [0]. [1] Sincerely, Richard [0] http://taosecurity.blogspot.com/2005/12/taps-and-hubs-never-ever-mix-ive.html [1] http://taosecurity.blogspot.com/2005/12/taps-and-hubs-part-deux-yesterday-i.html
OK.. caught me. Brain not engaged, fingers flailing. For those who aren't aware, pg. 72 in Richard's awesome book "The Tao of Network Security Monitoring" explains exactly why we don't use hubs. :) I had read that, knew that, but screwed up anyway. Needless to say, I dropped the offending text from my paper and made sure to reference the info that Richard has on his blog regarding taps. Thanks a bunch Mr. Bejtlich. Much appreciated. -- Excellence in InfoSec and Linux http://www.altsec.info ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly?Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
------------------------------------------------------------------------
Current thread:
- Passive Network Taps - on the cheap Packet Man (Feb 13)
- Re: Passive Network Taps - on the cheap Richard Bejtlich (Feb 13)
- Re: Passive Network Taps - on the cheap Packet Man (Feb 15)
- Re: Passive Network Taps - on the cheap Richard Bejtlich (Feb 13)