Full Disclosure mailing list archives

Re: Sniffing on 1GBps


From: Denis Jedig <seclists () syneticon de>
Date: Sun, 18 Jun 2006 15:12:55 +0200

crazy frog crazy frog wrote:

I'm just wondering if it is possible to capture the data from a
high-speed NIC card? If it is possible, then what kind of precaution do we
have to take so that we do not miss the data?

If you want to do this transparently without changing the system tapped, this is typically achieved with the use of dedicated probes which get hooked in between the system and e.g. the switch. The probes are typically equipped with buffer memory and have two output channels to be able to cope with full duplex operation in real time. Google will help you to find manufacturers:
http://www.google.de/search?q=gigabit+ethernet+probe

There are some papers dealing with capturing and performance issues on the net, some of them published by members of the Winpcap team: http://www.winpcap.org/docs/iscc01-wpcap.pdf which share the basic idea that filtering should not be done within the application but either in the kernel or in the capturing device to reduce the number of copy operations and thus the load on the capturing system.

Denis
