nanog mailing list archives

RE: Hardware capture platforms


From: "Darryl Dunkin" <ddunkin () netos net>
Date: Tue, 29 Jul 2008 19:43:15 -0700

Hubs sure are fun...

I would trunk the ports you are monitoring, and run the port monitor on
the trunk port instead (one trunk port, one port per VLAN, plus one
span) which will help with your density. This is assuming the analysis
software you have can read the dot1q tags, but means you do not need to
burn two ports per monitor.

-----Original Message-----
From: James Pleger [mailto:jpleger () gmail com] 
Sent: Tuesday, July 29, 2008 19:26
To: nanog () merit edu
Subject: Re: Hardware capture platforms

There are several things that you can do with open source solutions,
however looking at the data may be a bit more difficult than something
like Network Generals or Solera Networks capture appliances. It is
still doable and is definitely much much cheaper...

Something you might want to look into is traffic aggregation with a
switch or hub. You can buy an Allied Telesyn switch and basically turn
it into a hub by disabling switchport learning. Just an idea.

You can use regular old tcpdump with the -C option to rotate logs

tcpdump -i blah -s0 -w <output file> -C <filesize in MB to rotate>, etc.

or you can use Daemonlogger which does pretty much the same thing...

http://www.snort.org/users/roesch/Site/Daemonlogger/Daemonlogger.html


On Tue, Jul 29, 2008 at 6:45 PM, Network Fortius <netfortius () gmail com>
wrote:
Richard's blog @ http://taosecurity.blogspot.com/search?q=taps and
especially his books (Tao of Network Security Monitoring and Extrusion
Detection) are the best sources I have ever found, concerning [not only]
taps and[/but] so much more on the subject - proper usage and best
methodologies and practices for network monitoring (and not only for
security!!!)


Stefan

On Tue, Jul 29, 2008 at 7:12 PM, Christopher Morrow
<morrowc.lists () gmail com
wrote:

On Wed, Jul 30, 2008 at 12:35 AM, Jared Mauch <jared () puck nether net>
wrote:
Check out packet forensics depending on what your ultimate requirements
are.


I would also add a 'see packet forensics'...

On Jul 29, 2008, at 7:10 PM, "John A. Kilpatrick"
<john () hypergeek net>
wrote:


We've deployed a bunch of taps in our network and now we need a
platform on which to capture the data.  Our bandwidth is currently
pretty low but I've got 8 links to tap, which means I need 16 ports.
Has anyone done any research on doing accurate packet capture with
commodity hardware?


--
                             John A. Kilpatrick
john () hypergeek net                Email|
http://www.hypergeek.net/
john-page () hypergeek net      Text pages|          ICQ: 19147504
               remember:  no obstacles/only challenges