Hardware capture platforms

• Previous message (by thread): Hardware capture platforms
• Next message (by thread): Hardware capture platforms
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 30 Jul 2008, at 03:26, James Pleger wrote:
>
> Something you might want to look into is traffic aggregation with a
> switch or hub. You can buy an Allied Telesyn switch and basically turn
> it into a hub by disabling switchport learning. Just an idea.

Never try to aggregate multiple TAPs with a hub.
You will just create a bucket load of collisions and end up with a  
useless data feed presented to your monitoring tool. If you want to  
aggregate multiple TAP feeds into a smaller number of devices(s), most  
of the TAP vendors make some form of link aggregation device.

Or, depending on the OS and sniffer you use, you may be able to bond  
the interfaces on the capture device.

-Leon


>
> You can use regular old tcpdump with the -C option to rotate logs
>
> tcpdump -i blah -s0 -C <filesize to rotate>, etc.
>
> or you can use Daemonlogger which does pretty much the same thing...
>
> http://www.snort.org/users/roesch/Site/Daemonlogger/Daemonlogger.html

• Previous message (by thread): Hardware capture platforms
• Next message (by thread): Hardware capture platforms
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]