Hardware capture platforms
Nickola Kolev
nikky at mnet.bg
Thu Jul 31 19:37:22 UTC 2008
Hey,
On Thu, 31 Jul 2008 16:00:36 +0100
Leon Ward <seclists at rm-rf.co.uk> wrote:
>
> On 31 Jul 2008, at 14:16, Juuso Lehtinen wrote:
>
> > Second that.
> >
> > Using a hub to tap into a single link is also risky. I used to monitor
> > a single FE link with a 100M hub. After the link had moderate
> > utilization >20%, the collision LED was lit all the time.
> >
> > I've had good experience with VSS Monitoring Ethernet Aggregator
> > taps. Also Catalyst 2960 SPAN seems to work OK.
> >
> > As for the capture PC, we've been using a regular PC with Wireshark.
> > That's good for a single FE link, but has problems with GE and multiple
> > links.
>
> If you need to increase the speed of your capture tool, maybe this [1]
> link may be of use.
> It is an implementation of a libpcap that implements a shared memory
> ring buffer which can result in some capture performance gains.
>
> [1] http://public.lanl.gov/cpw/
Better off - http://www.ntop.org/PF_RING.html
I've seen a tenfold decrease in CPU usage using PF_RING.
>
> -Leon
[ cut ]
--
Best regards,
Nickola Kolev