North American Network Operators Group
Re: Hardware capture platforms
- From: Joel Jaeggli
- Date: Thu Jul 31 05:04:51 2008
Warren Kumari wrote:
On Jul 29, 2008, at 10:43 PM, Darryl Dunkin wrote:
Hubs sure are fun...
This might be a stupid question, but where can one get small hubs these
days? All of the common commodity (eg: 4 port Netgear) "hubs" these
days are actually switches.
What I am looking for is:
Small enough to live in my notebook bag (e.g.: 4 port with a wall wart.)
You won't find the gig-e hub out there for sale despite some IEEE 802.3
participants' staunch defense of 1/2 duplex gig-e support and the
resulting complications that caused/s...
Perversely when traveling I actually use the Ethernet ports on my
soekris configured as a bridge for this application. A device with 4
Ethernet ports plus a wifi radio which can be configured as bridges,
routed, NATed etc if that's what's desired. The soekris is not gig-e
capable and its forwarding capacity is a bit closer to the low hundreds
of megs, but it travels in my bag, has disk, wifi etc.
MSI industrial makes a mini-itx mainboard that will take an Intel Core2,
has 3 embedded gig-e ports and a 16x pci-e slot that you can put a
multiport gig or 2 x 10Gbe interface in... I have a utility 10" deep
rackmount that I drag around with that in it when I need more power than
the soekris can deliver...
While a tap would work, I'd prefer a hub because I can then use it to
connect machines together in a pinch.
In the past I have bought some cheap 4 port commodity switches (from
Circuit City or somewhere similar), found the datasheet for the chipset
(it was a Broadcom something or other) and tied the pin to ground that
disables the learning mode (actually, I think that the pin just set the
size of the learning table to be 0 entries). While this works, doing it
once was more than enough :-)
I would trunk the ports you are monitoring, and run the port monitor on
the trunk port instead (one trunk port, one port per VLAN, plus one
span) which will help with your density. This is assuming the analysis
software you have can read the dot1q tags, but means you do not need to
burn two ports per monitor.
From: James Pleger [mailto:jpleger@xxxxxxxxx]
Sent: Tuesday, July 29, 2008 19:26
Subject: Re: Hardware capture platforms
There are several things that you can do with open source solutions,
however looking at the data may be a bit more difficult than something
like Network General's or Solera Networks' capture appliances. It is
still doable and is definitely much much cheaper...
Something you might want to look into is traffic aggregation with a
switch or hub. You can buy an Allied Telesyn switch and basically turn
it into a hub by disabling switchport learning. Just an idea.
You can use regular old tcpdump with the -C option to rotate logs:
    tcpdump -i blah -s0 -C <filesize to rotate>, etc.
or you can use Daemonlogger which does pretty much the same thing...
On Tue, Jul 29, 2008 at 6:45 PM, Network Fortius <netfortius@xxxxxxxxx>
Richard's blog @ http://taosecurity.blogspot.com/search?q=taps and
especially his books (Tao of Network Security Monitoring and Extrusion
Detection) are the best sources I have ever found, concerning [not
taps and[/but] so much more on the subject - proper usage and best
methodologies and practices for network monitoring (and not only for
On Tue, Jul 29, 2008 at 7:12 PM, Christopher Morrow
On Wed, Jul 30, 2008 at 12:35 AM, Jared Mauch <jared@xxxxxxxxxxxxxxx>
Check out packet forensics depending on what your ultimate
I would also add a 'see packet forensics'...
On Jul 29, 2008, at 7:10 PM, "John A. Kilpatrick"
We've deployed a bunch of taps in our network and now we need a
which to capture the data. Our bandwidth is currently pretty low
got 8 links to tap, which means I need 16 ports. Has anyone done
research on doing accurate packet capture with commodity hardware?
John A. Kilpatrick
john-page@xxxxxxxxxxxxx Text pages| ICQ: 19147504
remember: no obstacles/only challenges
"Build a man a fire, and he'll be warm for a day. Set a man on fire, and
he'll be warm for the rest of his life." -- Terry Pratchett
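
The trunk-plus-span suggestion in the thread only works if the analysis side reads the dot1q tags, since the VLAN ID is the only thing that says which monitored port a frame came from. The sketch below is an added example, not code from anyone in the thread: it parses the 802.1Q tag and attributes frames to links. The VLAN-to-link mapping, link names and sample frames are constructed for illustration.

```python
import struct
from collections import Counter

TPID_8021Q = 0x8100  # IEEE 802.1Q tag protocol identifier

def parse_dot1q(frame: bytes):
    """Return (vlan_id or None, ethertype, payload) for one Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, inner, frame[18:]  # low 12 bits of the TCI are the VLAN ID

def count_by_link(frames, vlan_to_link):
    """Attribute each frame to a monitored link by its VLAN ID."""
    counts = Counter()
    for frame in frames:
        try:
            vid, _, _ = parse_dot1q(frame)
        except ValueError:
            counts["malformed"] += 1
            continue
        if vid is None:
            counts["untagged"] += 1
        else:
            counts[vlan_to_link.get(vid, f"unmapped-vlan-{vid}")] += 1
    return counts

def make_frame(vlan, pcp=0, ethertype=0x0800, payload=b"\x00" * 46):
    """Build a constructed test frame; vlan=None means untagged."""
    macs = bytes.fromhex("02000000000a02000000000b")
    tag = b"" if vlan is None else struct.pack("!HH", TPID_8021Q, (pcp << 13) | vlan)
    return macs + tag + struct.pack("!H", ethertype) + payload

# Hypothetical mapping: one VLAN per tapped direction, as in the trunk setup above.
VLAN_TO_LINK = {101: "link1-rx", 102: "link1-tx"}
SAMPLE = [make_frame(101), make_frame(101, pcp=5), make_frame(102),
          make_frame(None), make_frame(300), b"\x00" * 10]

if __name__ == "__main__":
    for link, n in sorted(count_by_link(SAMPLE, VLAN_TO_LINK).items()):
        print(f"{link}: {n}")
```

Untagged or unmapped frames showing up on the capture port are worth alerting on, since they mean the span is carrying traffic that cannot be tied back to a tapped link.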