Hardware capture platforms
nikky at mnet.bg
Thu Jul 31 14:37:22 CDT 2008
On Thu, 31 Jul 2008 16:00:36 +0100
Leon Ward <seclists at rm-rf.co.uk> wrote:
> On 31 Jul 2008, at 14:16, Juuso Lehtinen wrote:
> > Second that.
> > Using a hub to tap into a single link is also risky. I used to monitor
> > a single FE link with a 100M hub. After the link had moderate
> > utilization (>20%), the collision LED was lit all the time.
> > I've had good experience with VSS Monitoring Ethernet Aggregator
> > taps. Also Catalyst 2960 SPAN seems to work OK.
> > As for the capture PC, we've been using a regular PC with Wireshark.
> > That's good for a single FE link, but has problems with GE and multiple
> > links.
> If you need to increase the speed of your capture tool, maybe this 
> link may be of use.
> It is an implementation of a libpcap that implements a shared memory
> ring buffer which can result in some capture performance gains.
>  http://public.lanl.gov/cpw/
Better off - http://www.ntop.org/PF_RING.html
I've seen a tenfold decrease in CPU usage using PF_RING.
[ cut ]