Honeypots mailing list archives

"presampling" network traffic


From: Gerardo Richarte <gera () corest com>
Date: Mon, 25 Aug 2003 12:31:58 -0300

sorry if this is an old practice, but the other day talking to a friend
we came up with this idea, and we liked it, so, erm... here it is for
you to ignore it. I always liked the idea of pre-sampling in electronics...

   Suppose you want to sniff all the traffic related to an attack,
but you don't know when the attack comes, so you don't know when to
start sniffing... what you can do is sniff all the time, but that
would consume a lot of storage space. So you can always have the
last, let's say, hour sniffed, drop everything older than an hour,
and when an attack is detected, swap the packet dump to a file named:
network-traffic-timestamp.tcpdump.

   that's it... simple idea I always liked from another field
ported to computer networks...

   now that I said it, you know why you should just ignore this
email, because the idea is probably being used everywhere except in
my computer

   gera
