Techniques for passive traffic capturing

Matt Cable wozz at wookie.net
Wed Jun 25 21:47:50 UTC 2008


Ross Vandegrift <ross <at> kallisti.us> writes:

> 
> On Tue, Jun 24, 2008 at 01:19:03PM +1200, Nathan Ward wrote:
> > I see little point in aggregating tapped traffic, unless you have only  
> > a small amount of it and you're doing it to save cost on monitoring  
> > network interfaces - but is that saved cost still a saving when you  
> > factor in the cost of the extra 3750s in the middle? I'd guess no.
> 
> Thanks for all the info Nathan - lots of good leads in your email.
> Let me include some more information.
> 
> The problem is finding a way to multiplex that traffic from the
> optical tap to multiple things that want to peek at it.  The
> remote-span trick solves that, as well as integrating media
> converters.  3750 is nice since you can stack em up and mix/match the
> SFP and copper ports.
> 


http://www.gigamon.com.  Taps+MultiPlexing+Filtering+Clustering+10g.  I've been
using them very successfully for exactly what you describe for the last 2 years.
 If they are a bit too pricey, look at http://www.vssmonitoring.com.  Similar
capabilities to Gigamon, slightly less flexibility (fixed hardware
configurations vs Gigamon's modular configuration) and possibly cheaper
depending on your needs.





More information about the NANOG mailing list