Hardware capture platforms

Warren Kumari warren at kumari.net
Wed Jul 30 18:32:31 UTC 2008

On Jul 29, 2008, at 10:43 PM, Darryl Dunkin wrote:

> Hubs sure are fun...

This might be a stupid question, but where can one get small hubs  
these days? All of the common commodity (eg:  4 port Netgear) "hubs"  
these days are actually switches.

What I am looking for is:
Small enough to live in my notebook bag (e.g.: 4 port with a wall wart.)

While a tap would work, I'd prefer a hub because I can then use it to  
connect machines together in a pinch.


In the past I have bought some cheap 4 port commodity switches (form  
Circuit City or somewhere similar), found the datasheet for the  
chipset (it was a Broadcom something or other) and tied the pin to  
ground that disables the learning mode (actually, I think that the pin  
just set the size of the learning table to be 0 entries).  While this  
works, doing it once was more than enough :-)

> I would trunk the ports you are monitoring, and run the port monitor  
> on
> the trunk port instead (one trunk port, one port per VLAN, plus one
> span) which will help with your density. This is assuming the analysis
> software you have can read the dot1q tags, but means you do not need  
> to
> burn two ports per monitor.
> -----Original Message-----
> From: James Pleger [mailto:jpleger at gmail.com]
> Sent: Tuesday, July 29, 2008 19:26
> To: nanog at merit.edu
> Subject: Re: Hardware capture platforms
> There are several things that you can do with open source solutions,
> however looking at the data may be a bit more difficult than something
> like Network Generals or Solera Networks capture appliances. It is
> still doable and is definitely much much cheaper...
> Something you might want to look into is traffic aggregation with a
> switch or hub. You can buy an Allied Telesyn switch and basically turn
> it into a hub by disabling switchport learning. Just an idea.
> You can use regular old tcpdump with the -C option to rotate logs
> tcpdump -i blah -s0 -C <filesize to rotate>, etc.
> or you can use Daemonlogger which does pretty much the same thing...
> http://www.snort.org/users/roesch/Site/Daemonlogger/Daemonlogger.html
> On Tue, Jul 29, 2008 at 6:45 PM, Network Fortius  
> <netfortius at gmail.com>
> wrote:
>> Richard's blog @ http://taosecurity.blogspot.com/search?q=taps and
>> especially his books (Tao of Network Security Monitoring and  
>> Extrusion
>> Detection) are the best sources I have ever found, concerning [not
> only]
>> taps and[/but] so much more on the subject - proper usage and best
>> methodologies and practices for network monitoring (and not only for
>> security!!!)
>> Stefan
>> On Tue, Jul 29, 2008 at 7:12 PM, Christopher Morrow
> <morrowc.lists at gmail.com
>>> wrote:
>>> On Wed, Jul 30, 2008 at 12:35 AM, Jared Mauch  
>>> <jared at puck.nether.net>
>>> wrote:
>>>> Check out packet forensics depending on what your ultimate
> requirements
>>> are.
>>> I would also add a 'see packet forensics'...
>>>> On Jul 29, 2008, at 7:10 PM, "John A. Kilpatrick"
> <john at hypergeek.net>
>>>> wrote:
>>>>> We've deployed a bunch taps in our network and now we need a
> platform on
>>>>> which to capture the data.  Our bandwidth is currently pretty low
> but
>>> I've
>>>>> got 8 links to tap, which means I need 16 ports.  Has anyone done
> any
>>>>> research on doing accurate packet capture with commodity hardware?
>>>>> --
>>>>>                             John A. Kilpatrick
>>>>> john at hypergeek.net                Email|
> http://www.hypergeek.net/
>>>>> john-page at hypergeek.net      Text pages|          ICQ: 19147504
>>>>>               remember:  no obstacles/only challenges

"Build a man a fire, and he'll be warm for a day. Set a man on fire,  
and he'll be warm for the rest of his life." -- Terry Pratchett

More information about the NANOG mailing list