North American Network Operators Group
Re: Hardware capture platforms
- From: Leon Ward
- Date: Thu Jul 31 11:01:06 2008
On 31 Jul 2008, at 14:16, Juuso Lehtinen wrote:
Using a hub to tap into a single link is also risky. I used to monitor a
single FE link with a 100M hub. Once the link had moderate utilization
(>20%), the collision LED was lit all the time.
I've had good experience with VSS Monitoring Ethernet Aggregator
taps. Also Catalyst 2960 SPAN seems to work OK.
As for the capture PC, we've been using a regular PC with Wireshark.
That's good for a single FE link, but has problems with GE and multiple
If you need to increase the speed of your capture tool, maybe this
link may be of use.
It is an implementation of libpcap that uses a shared-memory
ring buffer, which can result in some capture performance gains.
On Wed, Jul 30, 2008 at 4:26 PM, Leon Ward <seclists@xxxxxxxxxxx>
On 30 Jul 2008, at 03:26, James Pleger wrote:
Something you might want to look into is traffic aggregation with a
switch or hub. You can buy an Allied Telesyn switch and basically turn
it into a hub by disabling switchport learning. Just an idea.
Never try to aggregate multiple TAPs with a hub.
You will just create a bucket load of collisions and end up with a
useless data feed presented to your monitoring tool. If you want to
aggregate multiple TAP feeds into a smaller number of device(s),
most of the TAP vendors make some form of link aggregation device.
Or, depending on the OS and sniffer you use, you may be able to bond
the interfaces on the capture device.
You can use regular old tcpdump with the -C option to rotate logs
tcpdump -i blah -s0 -C <filesize to rotate>, etc.
or you can use Daemonlogger which does pretty much the same thing...