nanog mailing list archives
RE: Hardware capture platforms
From: "Darryl Dunkin" <ddunkin () netos net>
Date: Tue, 29 Jul 2008 19:43:15 -0700
Hubs sure are fun... I would trunk the ports you are monitoring, and run the port monitor on the trunk port instead (one trunk port, one port per VLAN, plus one span) which will help with your density. This is assuming the analysis software you have can read the dot1q tags, but means you do not need to burn two ports per monitor. -----Original Message----- From: James Pleger [mailto:jpleger () gmail com] Sent: Tuesday, July 29, 2008 19:26 To: nanog () merit edu Subject: Re: Hardware capture platforms There are several things that you can do with open source solutions, however looking at the data may be a bit more difficult than something like Network Generals or Solera Networks capture appliances. It is still doable and is definitely much much cheaper... Something you might want to look into is traffic aggregation with a switch or hub. You can buy an Allied Telesyn switch and basically turn it into a hub by disabling switchport learning. Just an idea. You can use regular old tcpdump with the -C option to rotate logs tcpdump -i blah -s0 -C <filesize to rotate>, etc. or you can use Daemonlogger which does pretty much the same thing... http://www.snort.org/users/roesch/Site/Daemonlogger/Daemonlogger.html On Tue, Jul 29, 2008 at 6:45 PM, Network Fortius <netfortius () gmail com> wrote:
Richard's blog @ http://taosecurity.blogspot.com/search?q=taps and especially his books (Tao of Network Security Monitoring and Extrusion Detection) are the best sources I have ever found, concerning [not
only]
taps and[/but] so much more on the subject - proper usage and best methodologies and practices for network monitoring (and not only for security!!!) Stefan On Tue, Jul 29, 2008 at 7:12 PM, Christopher Morrow
<morrowc.lists () gmail com
wrote:On Wed, Jul 30, 2008 at 12:35 AM, Jared Mauch <jared () puck nether net> wrote:Check out packet forensics depending on what your ultimate
requirements
are.I would also add a 'see packet forensics'...On Jul 29, 2008, at 7:10 PM, "John A. Kilpatrick"
<john () hypergeek net>
wrote:We've deployed a bunch taps in our network and now we need a
platform on
which to capture the data. Our bandwidth is currently pretty low
but
I'vegot 8 links to tap, which means I need 16 ports. Has anyone done
any
research on doing accurate packet capture with commodity hardware? -- John A. Kilpatrick john () hypergeek net Email|
http://www.hypergeek.net/
john-page () hypergeek net Text pages| ICQ: 19147504 remember: no obstacles/only challenges
Current thread:
- Hardware capture platforms John A. Kilpatrick (Jul 29)
- Re: Hardware capture platforms Jared Mauch (Jul 29)
- Re: Hardware capture platforms Christian Koch (Jul 29)
- Re: Hardware capture platforms Christopher Morrow (Jul 29)
- Re: Hardware capture platforms Network Fortius (Jul 29)
- Re: Hardware capture platforms James Pleger (Jul 29)
- RE: Hardware capture platforms Darryl Dunkin (Jul 29)
- Re: Hardware capture platforms Warren Kumari (Jul 30)
- Re: Hardware capture platforms Jon Kibler (Jul 30)
- Re: Hardware capture platforms Jay R. Ashworth (Jul 31)
- Re: Hardware capture platforms Warren Kumari (Jul 31)
- Re: Hardware capture platforms Jon Meek (Jul 31)
- Re: Hardware capture platforms Lynda (Jul 30)
- RE: Hardware capture platforms Matthew Huff (Jul 30)
- Re: Hardware capture platforms Sam Stickland (Jul 31)
- Re: Hardware capture platforms Jared Mauch (Jul 29)
- Re: Hardware capture platforms Larry J. Blunk (Jul 30)
- Re: Hardware capture platforms Joel Jaeggli (Jul 31)