Honeypots mailing list archives
"presampling" network traffic
From: Gerardo Richarte <gera () corest com>
Date: Mon, 25 Aug 2003 12:31:58 -0300
Sorry if this is an old practice, but the other day talking to a friend we came up with this idea, and we liked it, so, erm... here it is for you to ignore it.

I always liked the idea of pre-sampling in electronics... Suppose you want to sniff all the traffic related to an attack, but you don't know when the attack comes, so you don't know when to start sniffing... What you can do is sniff all the time, but that would consume a lot of storage space. So you can always have the last, let's say, hour sniffed, drop everything older than an hour, and when an attack is detected, swap the packet dump to a file named: network-traffic-timestamp.tcpdump.

That's it... a simple idea I always liked from another field, ported to computer networks... Now that I've said it, you know why you should just ignore this email, because the idea is probably being used everywhere except on my computer.

gera
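As an added illustration (this is not code from the post or from its author), the sketch below implements the idea in Python: a bounded ring buffer that keeps only the last hour of frames, evicts older ones on every push, and on an alert flushes what it holds to a `network-traffic-<timestamp>.tcpdump` file in classic libpcap format. The capture loop that would feed `push()` (e.g. a raw socket or libpcap reader) is assumed and not shown; the frames in `demo()` are constructed dummies, and the epoch value there is arbitrary.

```python
"""Pre-sampling ring buffer for packet captures (added example).

Sniff all the time, but retain only the most recent `window_seconds`
of frames in memory; when a detector fires, dump the retained frames
to a timestamped pcap so the traffic leading up to the alert survives.
"""
import os
import struct
import time
from collections import deque

PCAP_MAGIC = 0xA1B2C3D4   # classic libpcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
SNAPLEN = 65535


class PresamplingBuffer:
    """Holds the last `window_seconds` of frames, capped at `max_bytes`
    of payload so memory stays bounded regardless of traffic rate."""

    def __init__(self, window_seconds=3600, max_bytes=256 * 1024 * 1024):
        self.window_seconds = window_seconds
        self.max_bytes = max_bytes
        self._frames = deque()   # (timestamp, raw_frame), oldest first
        self._bytes = 0

    def push(self, timestamp, frame):
        """Append one captured frame and drop whatever fell out of the window."""
        self._frames.append((timestamp, bytes(frame)))
        self._bytes += len(frame)
        self._evict(timestamp)

    def _evict(self, now):
        cutoff = now - self.window_seconds
        while self._frames and (self._frames[0][0] < cutoff
                                or self._bytes > self.max_bytes):
            _, old = self._frames.popleft()
            self._bytes -= len(old)

    def __len__(self):
        return len(self._frames)

    def to_pcap(self):
        """Serialise the retained frames as a classic libpcap capture."""
        out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0,
                           SNAPLEN, LINKTYPE_ETHERNET)]
        for ts, frame in self._frames:
            sec = int(ts)
            usec = int(round((ts - sec) * 1_000_000))
            out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)))
            out.append(frame)
        return b"".join(out)

    def dump(self, directory=".", alert_time=None):
        """Flush the buffer to network-traffic-<timestamp>.tcpdump (the
        naming scheme from the post) and return the path written."""
        alert_time = time.time() if alert_time is None else alert_time
        stamp = time.strftime("%Y%m%d-%H%M%S", time.gmtime(alert_time))
        path = os.path.join(directory, f"network-traffic-{stamp}.tcpdump")
        with open(path, "wb") as fh:
            fh.write(self.to_pcap())
        return path


def count_pcap_records(data):
    """Walk a pcap blob and return (packet_count, captured_bytes);
    used to check that a dump is well formed."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a classic little-endian pcap")
    offset, count, total = 24, 0, 0
    while offset < len(data):
        _, _, incl_len, _ = struct.unpack_from("<IIII", data, offset)
        offset += 16 + incl_len
        count += 1
        total += incl_len
    return count, total


def demo():
    """Constructed sample: ten 54-byte dummy frames spaced 15 minutes apart
    over 2.5 hours with a one-hour window. At the last push (the 'alert'),
    only the five frames from the final hour remain."""
    buf = PresamplingBuffer(window_seconds=3600)
    t0 = 1_061_800_000.0   # arbitrary constructed epoch, not from the post
    for i in range(10):
        fake_frame = b"\x00" * 12 + b"\x08\x00" + bytes([i]) * 40
        buf.push(t0 + i * 900, fake_frame)
    return buf


if __name__ == "__main__":
    kept = demo()
    print(len(kept), "frames retained;", count_pcap_records(kept.to_pcap()))
```

In a real deployment `push()` would be called from the capture thread and `dump()` from whatever detection logic raises the alert; because `_evict()` runs on every push, the buffer's age and size are bounded continuously rather than by a periodic sweep, and the `max_bytes` cap keeps a burst of traffic from exhausting memory before the hour is up.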