Hardware capture platforms
Warren Kumari
warren at kumari.net
Wed Jul 30 18:32:31 UTC 2008
On Jul 29, 2008, at 10:43 PM, Darryl Dunkin wrote:
> Hubs sure are fun...
>
This might be a stupid question, but where can one get small hubs
these days? All of the common commodity (eg: 4 port Netgear) "hubs"
these days are actually switches.
What I am looking for is:
Small enough to live in my notebook bag (e.g.: 4 port with a wall wart.)
Cheap
Simple
10/100/1000Mbps
While a tap would work, I'd prefer a hub because I can then use it to
connect machines together in a pinch.
W
---
In the past I have bought some cheap 4 port commodity switches (from
Circuit City or somewhere similar), found the datasheet for the
chipset (it was a Broadcom something or other) and tied the pin to
ground that disables the learning mode (actually, I think that the pin
just set the size of the learning table to be 0 entries). While this
works, doing it once was more than enough :-)
> I would trunk the ports you are monitoring, and run the port monitor on
> the trunk port instead (one trunk port, one port per VLAN, plus one
> span) which will help with your density. This is assuming the analysis
> software you have can read the dot1q tags, but means you do not need
> to burn two ports per monitor.
>
> -----Original Message-----
> From: James Pleger [mailto:jpleger at gmail.com]
> Sent: Tuesday, July 29, 2008 19:26
> To: nanog at merit.edu
> Subject: Re: Hardware capture platforms
>
> There are several things that you can do with open source solutions,
> however looking at the data may be a bit more difficult than something
> like Network Generals or Solera Networks capture appliances. It is
> still doable and is definitely much much cheaper...
>
> Something you might want to look into is traffic aggregation with a
> switch or hub. You can buy an Allied Telesyn switch and basically turn
> it into a hub by disabling switchport learning. Just an idea.
>
> You can use regular old tcpdump with the -C option to rotate logs
>
> tcpdump -i blah -s0 -C <filesize to rotate>, etc.
>
> or you can use Daemonlogger which does pretty much the same thing...
>
> http://www.snort.org/users/roesch/Site/Daemonlogger/Daemonlogger.html
>
>
> On Tue, Jul 29, 2008 at 6:45 PM, Network Fortius
> <netfortius at gmail.com>
> wrote:
>> Richard's blog @ http://taosecurity.blogspot.com/search?q=taps and
>> especially his books (Tao of Network Security Monitoring and Extrusion
>> Detection) are the best sources I have ever found, concerning [not only]
>> taps and[/but] so much more on the subject - proper usage and best
>> methodologies and practices for network monitoring (and not only for
>> security!!!)
>>
>>
>> Stefan
>>
>> On Tue, Jul 29, 2008 at 7:12 PM, Christopher Morrow
>> <morrowc.lists at gmail.com> wrote:
>>
>>> On Wed, Jul 30, 2008 at 12:35 AM, Jared Mauch
>>> <jared at puck.nether.net> wrote:
>>>> Check out packet forensics depending on what your ultimate
>>>> requirements are.
>>>>
>>>
>>> I would also add a 'see packet forensics'...
>>>
>>>> On Jul 29, 2008, at 7:10 PM, "John A. Kilpatrick"
>>>> <john at hypergeek.net> wrote:
>>>>
>>>>>
>>>>> We've deployed a bunch taps in our network and now we need a
>>>>> platform on which to capture the data. Our bandwidth is currently
>>>>> pretty low but I've got 8 links to tap, which means I need 16 ports.
>>>>> Has anyone done any research on doing accurate packet capture with
>>>>> commodity hardware?
>>>>>
>>>>> --
>>>>> John A. Kilpatrick
>>>>> john at hypergeek.net Email| http://www.hypergeek.net/
>>>>> john-page at hypergeek.net Text pages| ICQ: 19147504
>>>>> remember: no obstacles/only challenges
--
"Build a man a fire, and he'll be warm for a day. Set a man on fire,
and he'll be warm for the rest of his life." -- Terry Pratchett
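Darryl's trunk-plus-span suggestion above only works if the capture side can read the dot1q tags and map each VLAN back to the tapped link it stands in for. The following is an added illustration, not code from any poster in this thread: a minimal 802.1Q/802.1ad tag parser that demultiplexes captured frames by VLAN ID. The MAC addresses, VLAN numbers and link names are constructed for the example.

```python
import struct
from collections import defaultdict

ETH_HDR = struct.Struct("!6s6sH")   # dst MAC, src MAC, EtherType
ETHERTYPE_VLAN = 0x8100             # 802.1Q customer tag
ETHERTYPE_QINQ = 0x88A8             # 802.1ad service (outer) tag

def parse_frame(frame):
    """Return (vlan_ids, ethertype, payload) for one raw Ethernet frame.
    vlan_ids lists every 802.1Q/802.1ad tag found, outermost first;
    an untagged frame yields an empty list."""
    if len(frame) < ETH_HDR.size:
        raise ValueError("runt frame")
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame)
    offset = ETH_HDR.size
    vlans = []
    while ethertype in (ETHERTYPE_VLAN, ETHERTYPE_QINQ):
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        tci, ethertype = struct.unpack_from("!HH", frame, offset)
        vlans.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        offset += 4
    return vlans, ethertype, frame[offset:]

def demux_by_link(frames, vlan_to_link):
    """Group frames seen on the span of the trunk by the tapped link they
    came from, using the VLAN the aggregation switch assigned per port.
    The outermost tag is the one that switch pushed; frames with no tag
    (or an unmapped VLAN) land in the 'untagged' bucket for inspection."""
    by_link = defaultdict(list)
    for frame in frames:
        vlans, ethertype, payload = parse_frame(frame)
        vid = vlans[0] if vlans else None
        by_link[vlan_to_link.get(vid, "untagged")].append((ethertype, payload))
    return dict(by_link)

def build_tagged_frame(vlan_ids, ethertype, payload, outer=ETHERTYPE_VLAN):
    """Constructed sample frame with dummy MACs and one tag per VLAN ID
    (the first tag uses `outer`, so QinQ can be simulated with 0x88A8)."""
    types = [outer] + [ETHERTYPE_VLAN] * (len(vlan_ids) - 1) + [ethertype]
    frame = ETH_HDR.pack(b"\x00\x11\x22\x33\x44\x55",
                         b"\x00\x66\x77\x88\x99\xaa", types[0])
    for vid, next_type in zip(vlan_ids, types[1:]):
        frame += struct.pack("!HH", vid & 0x0FFF, next_type)
    return frame + payload
```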