Hardware capture platforms

Joel Jaeggli joelja at bogus.com
Thu Jul 31 04:04:23 CDT 2008


Warren Kumari wrote:
> 
> On Jul 29, 2008, at 10:43 PM, Darryl Dunkin wrote:
> 
>> Hubs sure are fun...
>>
> 
> This might be a stupid question, but where can one get small hubs these 
> days? All of the common commodity (eg:  4 port Netgear) "hubs" these 
> days are actually switches.
> 
> What I am looking for is:
> Small enough to live in my notebook bag (e.g.: 4 port with a wall wart.)
> Cheap
> Simple
> 10/100/1000Mbps

You won't find the gig-e hub out there for sale despite some IEEE 802.3 
participants' staunch defense of 1/2 duplex gig-e support and the 
resulting complications that caused/s...

Perversely, when traveling I actually use the Ethernet ports on my 
Soekris configured as a bridge for this application. A device with 4 
Ethernet ports plus a wifi radio which can be configured as bridged, 
routed, NATed, etc. if that's what's desired. The Soekris is not gig-e 
capable and its forwarding capacity is a bit closer to the low hundreds 
of megs, but it travels in my bag, has disk, wifi etc.

MSI Industrial makes a mini-ITX mainboard that will take an Intel Core 2, 
has 3 embedded gig-e ports and a 16x PCI-e slot that you can put a 
multiport gig or 2 x 10GbE interface in... I have a utility 10" deep 
rackmount that I drag around with that in it when I need more power than 
the Soekris can deliver...

http://www.logicsupply.com/products/ms_9642

> While a tap would work, I'd prefer a hub because I can then use it to 
> connect machines together in a pinch.
> 
> W
> ---
> 
> In the past I have bought some cheap 4 port commodity switches (from 
> Circuit City or somewhere similar), found the datasheet for the chipset 
> (it was a Broadcom something or other) and tied the pin to ground that 
> disables the learning mode (actually, I think that the pin just set the 
> size of the learning table to be 0 entries).  While this works, doing it 
> once was more than enough :-)
> 
>> I would trunk the ports you are monitoring, and run the port monitor on
>> the trunk port instead (one trunk port, one port per VLAN, plus one
>> span) which will help with your density. This is assuming the analysis
>> software you have can read the dot1q tags, but means you do not need to
>> burn two ports per monitor.
>>
>> -----Original Message-----
>> From: James Pleger [mailto:jpleger at gmail.com]
>> Sent: Tuesday, July 29, 2008 19:26
>> To: nanog at merit.edu
>> Subject: Re: Hardware capture platforms
>>
>> There are several things that you can do with open source solutions,
>> however looking at the data may be a bit more difficult than something
>> like Network General's or Solera Networks' capture appliances. It is
>> still doable and is definitely much much cheaper...
>>
>> Something you might want to look into is traffic aggregation with a
>> switch or hub. You can buy an Allied Telesyn switch and basically turn
>> it into a hub by disabling switchport learning. Just an idea.
>>
>> You can use regular old tcpdump with the -C option to rotate logs
>>
>> tcpdump -i blah -s0 -C <filesize to rotate>, etc.
>>
>> or you can use Daemonlogger which does pretty much the same thing...
>>
>> http://www.snort.org/users/roesch/Site/Daemonlogger/Daemonlogger.html
>>
>>
>> On Tue, Jul 29, 2008 at 6:45 PM, Network Fortius <netfortius at gmail.com>
>> wrote:
>>> Richard's blog @ http://taosecurity.blogspot.com/search?q=taps and
>>> especially his books (Tao of Network Security Monitoring and Extrusion
>>> Detection) are the best sources I have ever found, concerning [not
>>> only] taps and[/but] so much more on the subject - proper usage and best
>>> methodologies and practices for network monitoring (and not only for
>>> security!!!)
>>>
>>>
>>> Stefan
>>>
>>> On Tue, Jul 29, 2008 at 7:12 PM, Christopher Morrow
>>> <morrowc.lists at gmail.com> wrote:
>>>
>>>> On Wed, Jul 30, 2008 at 12:35 AM, Jared Mauch <jared at puck.nether.net>
>>>> wrote:
>>>>> Check out packet forensics depending on what your ultimate
>>>>> requirements are.
>>>>>
>>>>
>>>> I would also add a 'see packet forensics'...
>>>>
>>>>> On Jul 29, 2008, at 7:10 PM, "John A. Kilpatrick"
>>>>> <john at hypergeek.net> wrote:
>>>>>
>>>>>>
>>>>>> We've deployed a bunch of taps in our network and now we need a
>>>>>> platform on which to capture the data.  Our bandwidth is currently
>>>>>> pretty low but I've got 8 links to tap, which means I need 16 ports.
>>>>>> Has anyone done any research on doing accurate packet capture with
>>>>>> commodity hardware?
>>>>>>
>>>>>>
>>>>>> -- 
>>>>>>                             John A. Kilpatrick
>>>>>> john at hypergeek.net                Email| http://www.hypergeek.net/
>>>>>> john-page at hypergeek.net      Text pages|          ICQ: 19147504
>>>>>>               remember:  no obstacles/only challenges
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>
>>
> 
> -- 
> "Build a man a fire, and he'll be warm for a day. Set a man on fire, and 
> he'll be warm for the rest of his life." -- Terry Pratchett
> 
> 
> 
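Darryl's suggestion of trunking the monitored ports and spanning the trunk halves the capture-port count, but it pushes the "which tapped link did this frame come from?" question into the analysis software, which then has to read the dot1q tags. As an added example (not code from anyone in this thread), the Python below parses stacked 802.1Q/802.1ad tags from raw Ethernet frames and buckets them by tapped link; the VLAN-to-link mapping and the sample frames are constructed placeholders, and a QinQ outer tag is handled in case the monitor switch stacks one.

```python
"""Demultiplex VLAN-tagged frames from one SPAN-of-trunk capture back to
the tapped link they came from. Sample frames below are constructed."""
import struct
from collections import defaultdict

ETH_HDR = struct.Struct("!6s6sH")      # dst MAC, src MAC, EtherType/TPID
TPID_8021Q = 0x8100                    # 802.1Q customer tag
TPID_8021AD = 0x88A8                   # 802.1ad service tag (QinQ outer)

# Hypothetical mapping: VLAN the monitor switch assigned to each tap port
# (8 links -> 16 tap ports -> 16 VLANs in John's case; three shown here).
VLAN_TO_LINK = {101: "link1-A", 102: "link1-B", 103: "link2-A"}


def parse_frame(frame: bytes) -> dict:
    """Walk the Ethernet header and any stacked VLAN tags (outer first)."""
    if len(frame) < ETH_HDR.size:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = ETH_HDR.unpack_from(frame)
    offset, vids = ETH_HDR.size, []
    while ethertype in (TPID_8021Q, TPID_8021AD):
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        tci, ethertype = struct.unpack_from("!HH", frame, offset)
        vids.append(tci & 0x0FFF)      # VID is the low 12 bits; PCP/DEI above
        offset += 4
    return {"dst": dst, "src": src, "vids": vids,
            "ethertype": ethertype, "payload": frame[offset:]}


def demux_by_link(frames, vlan_to_link=VLAN_TO_LINK):
    """Bucket frames by tapped link using the outermost VID. Untagged frames
    (e.g. the monitor switch's own chatter) land in 'untagged'."""
    buckets = defaultdict(list)
    for frame in frames:
        info = parse_frame(frame)
        if not info["vids"]:
            key = "untagged"
        else:
            vid = info["vids"][0]
            key = vlan_to_link.get(vid, f"unknown-vlan{vid}")
        buckets[key].append(info)
    return dict(buckets)


def make_tagged_frame(vid, pcp=0, inner_vid=None, ethertype=0x0800):
    """Constructed sample frame (not captured data); inner_vid adds QinQ."""
    hdr = bytes.fromhex("00005e005301") + bytes.fromhex("00005e005302")
    if inner_vid is None:
        tags = struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)
    else:
        tags = struct.pack("!HH", TPID_8021AD, (pcp << 13) | vid)
        tags += struct.pack("!HH", TPID_8021Q, inner_vid)
    return hdr + tags + struct.pack("!H", ethertype) + b"\x45" + b"\x00" * 19
```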
