Hardware capture platforms
Joel Jaeggli
joelja at bogus.com
Thu Jul 31 09:04:23 UTC 2008
Warren Kumari wrote:
>
> On Jul 29, 2008, at 10:43 PM, Darryl Dunkin wrote:
>
>> Hubs sure are fun...
>>
>
> This might be a stupid question, but where can one get small hubs these
> days? All of the common commodity (eg: 4 port Netgear) "hubs" these
> days are actually switches.
>
> What I am looking for is:
> Small enough to live in my notebook bag (e.g.: 4 port with a wall wart.)
> Cheap
> Simple
> 10/100/1000Mbps
You won't find the gig-e hub out there for sale despite some ieee 802.3
participants' staunch defense of 1/2 duplex gig-e support and the
resulting complications that caused/s...
Perversely, when traveling I actually use the Ethernet ports on my
soekris configured as a bridge for this application. A device with 4
Ethernet ports plus a wifi radio which can be configured as bridges,
routed, nated etc if that's what's desired. The soekris is not gig-e
capable and its forwarding capacity is a bit closer to the low hundreds
of megs, but it travels in my bag, has disk, wifi etc.
MSI industrial makes a mini-itx mainboard that will take an intel core2,
has 3 embedded gig-e ports and a 16x pci-e slot that you can put a
multiport gig or 2 x 10Gbe interface in... I have a utility 10" deep
rackmount that I drag around with that in it when I need more power than
the soekris can deliver...
http://www.logicsupply.com/products/ms_9642
> While a tap would work, I'd prefer a hub because I can then use it to
> connect machines together in a pinch.
>
> W
> ---
>
> In the past I have bought some cheap 4 port commodity switches (from
> Circuit City or somewhere similar), found the datasheet for the chipset
> (it was a Broadcom something or other) and tied the pin to ground that
> disables the learning mode (actually, I think that the pin just set the
> size of the learning table to be 0 entries). While this works, doing it
> once was more than enough :-)
>
>> I would trunk the ports you are monitoring, and run the port monitor on
>> the trunk port instead (one trunk port, one port per VLAN, plus one
>> span) which will help with your density. This is assuming the analysis
>> software you have can read the dot1q tags, but means you do not need to
>> burn two ports per monitor.
>>
>> -----Original Message-----
>> From: James Pleger [mailto:jpleger at gmail.com]
>> Sent: Tuesday, July 29, 2008 19:26
>> To: nanog at merit.edu
>> Subject: Re: Hardware capture platforms
>>
>> There are several things that you can do with open source solutions,
>> however looking at the data may be a bit more difficult than something
>> like Network Generals or Solera Networks capture appliances. It is
>> still doable and is definitely much much cheaper...
>>
>> Something you might want to look into is traffic aggregation with a
>> switch or hub. You can buy an Allied Telesyn switch and basically turn
>> it into a hub by disabling switchport learning. Just an idea.
>>
>> You can use regular old tcpdump with the -C option to rotate logs
>>
>> tcpdump -i blah -s0 -C <filesize to rotate>, etc.
>>
>> or you can use Daemonlogger which does pretty much the same thing...
>>
>> http://www.snort.org/users/roesch/Site/Daemonlogger/Daemonlogger.html
>>
>>
>> On Tue, Jul 29, 2008 at 6:45 PM, Network Fortius <netfortius at gmail.com>
>> wrote:
>>> Richard's blog @ http://taosecurity.blogspot.com/search?q=taps and
>>> especially his books (Tao of Network Security Monitoring and Extrusion
>>> Detection) are the best sources I have ever found, concerning [not only]
>>> taps and[/but] so much more on the subject - proper usage and best
>>> methodologies and practices for network monitoring (and not only for
>>> security!!!)
>>>
>>>
>>> Stefan
>>>
>>> On Tue, Jul 29, 2008 at 7:12 PM, Christopher Morrow <morrowc.lists at gmail.com>
>>> wrote:
>>>
>>>> On Wed, Jul 30, 2008 at 12:35 AM, Jared Mauch <jared at puck.nether.net>
>>>> wrote:
>>>>> Check out packet forensics depending on what your ultimate requirements
>>>>> are.
>>>>>
>>>>
>>>> I would also add a 'see packet forensics'...
>>>>
>>>>> On Jul 29, 2008, at 7:10 PM, "John A. Kilpatrick" <john at hypergeek.net>
>>>>> wrote:
>>>>>
>>>>>>
>>>>>> We've deployed a bunch of taps in our network and now we need a
>>>>>> platform on which to capture the data. Our bandwidth is currently pretty
>>>>>> low but I've got 8 links to tap, which means I need 16 ports. Has anyone
>>>>>> done any research on doing accurate packet capture with commodity hardware?
>>>>>>
>>>>>>
>>>>>> --
>>>>>> John A. Kilpatrick
>>>>>> john at hypergeek.net Email| http://www.hypergeek.net/
>>>>>> john-page at hypergeek.net Text pages| ICQ: 19147504
>>>>>> remember: no obstacles/only challenges
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>
>>
>
> --
> "Build a man a fire, and he'll be warm for a day. Set a man on fire, and
> he'll be warm for the rest of his life." -- Terry Pratchett
>
>
>
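Darryl's suggestion earlier in the thread (trunk the tapped ports and SPAN the trunk, so one monitor port carries every VLAN) only works if the capture tooling can read the 802.1Q tag. The following is an added example, not code from anyone on the thread: a small pcap reader that pulls the VLAN id(s) off each Ethernet frame, counts frames per VLAN, and can strip the tag for tools that cannot parse dot1q. The pcap bytes, MAC addresses and timestamps are constructed in memory so it runs offline; it also handles stacked (QinQ) tags and big-endian pcap files, which goes beyond the single-tag case the thread discusses.

```python
import struct

ETHERTYPE_8021Q = 0x8100   # customer VLAN tag (C-TAG)
ETHERTYPE_8021AD = 0x88A8  # service VLAN tag (S-TAG, outer tag in QinQ)
ETHERTYPE_IPV4 = 0x0800

def ethernet_frame(dst, src, vlans=(), ethertype=ETHERTYPE_IPV4, payload=b""):
    """Build an Ethernet II frame with zero or more 802.1Q tags (outermost first)."""
    frame = bytes(dst) + bytes(src)
    for vid in vlans:
        # TPID 0x8100 followed by TCI: PCP=0, DEI=0, 12-bit VID
        frame += struct.pack(">HH", ETHERTYPE_8021Q, vid & 0x0FFF)
    return frame + struct.pack(">H", ethertype) + payload

def build_sample_pcap():
    """Constructed sample: little-endian pcap (linktype 1 = Ethernet) with four frames.
    MACs are locally administered dummy addresses; timestamps are arbitrary."""
    mac_a = bytes.fromhex("020000000001")
    mac_b = bytes.fromhex("020000000002")
    ip_stub = b"\x45" + b"\x00" * 19   # minimal IPv4-looking payload, not a real packet
    frames = [
        ethernet_frame(mac_a, mac_b, vlans=(10,), payload=ip_stub),
        ethernet_frame(mac_b, mac_a, vlans=(20,), payload=ip_stub),
        ethernet_frame(mac_a, mac_b, vlans=(10,), payload=ip_stub),
        ethernet_frame(mac_a, mac_b, payload=ip_stub),   # untagged frame
    ]
    # pcap global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
    data = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        # per-record header: ts_sec, ts_usec, incl_len, orig_len
        data += struct.pack("<IIII", 1217400000 + i, 0, len(frame), len(frame)) + frame
    return data

def iter_pcap_frames(data):
    """Yield (ts_sec, ts_usec, frame_bytes) for each record in a classic pcap file."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (magic 0x%08x)" % magic)
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        if offset + incl_len > len(data):
            raise ValueError("truncated pcap record at offset %d" % offset)
        yield ts_sec, ts_usec, data[offset:offset + incl_len]
        offset += incl_len

def parse_vlan_tags(frame):
    """Return (list_of_vids outermost-first, inner ethertype, offset of the payload).
    An untagged frame yields ([], ethertype, 14)."""
    if len(frame) < 14:
        raise ValueError("short Ethernet frame")
    offset = 12
    vids = []
    ethertype = struct.unpack(">H", frame[offset:offset + 2])[0]
    while ethertype in (ETHERTYPE_8021Q, ETHERTYPE_8021AD):
        if len(frame) < offset + 6:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack(">HH", frame[offset + 2:offset + 6])
        vids.append(tci & 0x0FFF)
        offset += 4
    return vids, ethertype, offset + 2

def strip_vlan_tags(frame):
    """Return (vids, frame with all tags removed) for tools that cannot read dot1q."""
    vids, _ethertype, payload_off = parse_vlan_tags(frame)
    return vids, frame[:12] + frame[payload_off - 2:]

def count_by_vlan(pcap_bytes):
    """Count frames per outermost VLAN id; None collects untagged frames."""
    counts = {}
    for _ts_sec, _ts_usec, frame in iter_pcap_frames(pcap_bytes):
        vids, _ethertype, _off = parse_vlan_tags(frame)
        key = vids[0] if vids else None
        counts[key] = counts.get(key, 0) + 1
    return counts

if __name__ == "__main__":
    for vid, n in sorted(count_by_vlan(build_sample_pcap()).items(), key=lambda kv: (kv[0] is None, kv[0])):
        print("VLAN %s: %d frame(s)" % ("untagged" if vid is None else vid, n))
```

On a real capture taken off the SPAN of the trunk, the same `iter_pcap_frames`/`parse_vlan_tags` pair tells you immediately whether the switch is actually forwarding tags to the monitor port (all frames coming back untagged means the SPAN session is stripping them, and per-link attribution is lost).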