Hardware capture platforms

Nickola Kolev nikky at mnet.bg
Thu Jul 31 19:37:22 UTC 2008


Hey,

On Thu, 31 Jul 2008 16:00:36 +0100
Leon Ward <seclists at rm-rf.co.uk> wrote:

> 
> On 31 Jul 2008, at 14:16, Juuso Lehtinen wrote:
> 
> > Second that.
> >
> > Using a hub to tap into a single link is also risky. I used to monitor
> > a single FE link with a 100M hub. After the link had moderate
> > utilization >20%, the collision LED was lit all the time.
> >
> > I've had good experience with VSS Monitoring Ethernet Aggregator  
> > taps. Also Catalyst 2960 SPAN seems to work OK.
> >
> > As for the capture PC, we've been using a regular PC with Wireshark.
> > That's good for a single FE link, but has problems with GE and multiple
> > links.
> 
> If you need to increase the speed of your capture tool, maybe this [1]  
> link may be of use.
> It is an implementation of a libpcap that implements a shared memory  
> ring buffer which can result in some capture performance gains.
> 
> [1] http://public.lanl.gov/cpw/

Better off - http://www.ntop.org/PF_RING.html
I've seen a tenfold decrease in CPU usage using PF_RING.

> 
> -Leon

[ cut ]

-- 
Best regards,
Nickola Kolev



