nanog mailing list archives
Re: Hardware capture platforms
From: Warren Kumari <warren () kumari net>
Date: Wed, 30 Jul 2008 14:32:31 -0400
On Jul 29, 2008, at 10:43 PM, Darryl Dunkin wrote:

> Hubs sure are fun...

This might be a stupid question, but where can one get small hubs these days? All of the common commodity (eg: 4 port Netgear) "hubs" these days are actually switches.

What I am looking for is:
- Small enough to live in my notebook bag (e.g.: 4 port with a wall wart.)
- Cheap
- Simple
- 10/100/1000Mbps

While a tap would work, I'd prefer a hub because I can then use it to connect machines together in a pinch.

W
---
In the past I have bought some cheap 4 port commodity switches (from Circuit City or somewhere similar), found the datasheet for the chipset (it was a Broadcom something or other) and tied the pin to ground that disables the learning mode (actually, I think that the pin just set the size of the learning table to be 0 entries). While this works, doing it once was more than enough :-)

> I would trunk the ports you are monitoring, and run the port monitor on the trunk port instead (one trunk port, one port per VLAN, plus one span) which will help with your density. This is assuming the analysis software you have can read the dot1q tags, but means you do not need to burn two ports per monitor.
>
> -----Original Message-----
> From: James Pleger [mailto:jpleger () gmail com]
> Sent: Tuesday, July 29, 2008 19:26
> To: nanog () merit edu
> Subject: Re: Hardware capture platforms
>
> There are several things that you can do with open source solutions, however looking at the data may be a bit more difficult than something like Network Generals or Solera Networks capture appliances. It is still doable and is definitely much much cheaper...
>
> Something you might want to look into is traffic aggregation with a switch or hub. You can buy an Allied Telesyn switch and basically turn it into a hub by disabling switchport learning. Just an idea.
>
> You can use regular old tcpdump with the -C option to rotate logs: tcpdump -i blah -s0 -C <filesize to rotate>, etc. or you can use Daemonlogger which does pretty much the same thing...
>
> http://www.snort.org/users/roesch/Site/Daemonlogger/Daemonlogger.html
>
> On Tue, Jul 29, 2008 at 6:45 PM, Network Fortius <netfortius () gmail com> wrote:
>> Richard's blog @ http://taosecurity.blogspot.com/search?q=taps and especially his books (Tao of Network Security Monitoring and Extrusion Detection) are the best sources I have ever found, concerning [not only] taps and [/but] so much more on the subject - proper usage and best methodologies and practices for network monitoring (and not only for security!!!)
>>
>> Stefan
>>
>> On Tue, Jul 29, 2008 at 7:12 PM, Christopher Morrow <morrowc.lists () gmail com> wrote:
>>> On Wed, Jul 30, 2008 at 12:35 AM, Jared Mauch <jared () puck nether net> wrote:
>>>> Check out packet forensics depending on what your ultimate requirements are.
>>>
>>> I would also add a 'see packet forensics'...
>>>
>>>> On Jul 29, 2008, at 7:10 PM, "John A. Kilpatrick" <john () hypergeek net> wrote:
>>>>> We've deployed a bunch of taps in our network and now we need a platform on which to capture the data. Our bandwidth is currently pretty low but I've got 8 links to tap, which means I need 16 ports. Has anyone done any research on doing accurate packet capture with commodity hardware?
>>>>>
>>>>> --
>>>>> John A. Kilpatrick
>>>>> john () hypergeek net                Email | http://www.hypergeek.net/
>>>>> john-page () hypergeek net           Text pages | ICQ: 19147504
>>>>> remember: no obstacles/only challenges

--
"Build a man a fire, and he'll be warm for a day. Set a man on fire, and he'll be warm for the rest of his life." -- Terry Pratchett
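As an added example that is not code from anyone in this thread: a small Python parser for the capture layout Darryl describes, where each tapped link rides the trunk as its own VLAN and the analysis side has to read the dot1q tag to sort frames back out per link. The MAC addresses and sample frames are constructed here, not taken from any real capture.

```python
import struct
from collections import defaultdict

ETHERTYPE_VLAN = 0x8100  # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806

def parse_frame(frame: bytes):
    """Return (vlan_id, ethertype, payload) for one raw Ethernet frame.
    vlan_id is None when the frame carries no 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan_id, offset = None, 14
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id = tci & 0x0FFF  # low 12 bits; PCP/DEI sit in the top 4
        offset = 18
    return vlan_id, ethertype, frame[offset:]

def demux_by_vlan(frames):
    """Group frames by VLAN id, i.e. by the tapped link they came in on.
    Returns {vlan_id: [(ethertype, payload_len), ...]}."""
    buckets = defaultdict(list)
    for f in frames:
        vid, etype, payload = parse_frame(f)
        buckets[vid].append((etype, len(payload)))
    return dict(buckets)

def build_frame(vlan_id, ethertype, payload, pcp=0):
    """Constructed test frame (hypothetical MACs); tagged when vlan_id is set."""
    hdr = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if vlan_id is not None:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, (pcp << 13) | vlan_id)
    return hdr + struct.pack("!H", ethertype) + payload

# Constructed sample capture: two tapped links carried as VLAN 10 and 20,
# plus one untagged ARP frame as it would arrive from a plain span port.
SAMPLE_FRAMES = [
    build_frame(10, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 39),
    build_frame(20, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 59, pcp=5),
    build_frame(10, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19),
    build_frame(None, ETHERTYPE_ARP, b"\x00" * 28),
]

if __name__ == "__main__":
    for vid, entries in sorted(demux_by_vlan(SAMPLE_FRAMES).items(), key=str):
        print(f"VLAN {vid}: {len(entries)} frame(s)")
```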