Techniques for passive traffic capturing

• Previous message (by thread): Techniques for passive traffic capturing
• Next message (by thread): Techniques for passive traffic capturing
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 24/06/2008, at 8:32 AM, Ross Vandegrift wrote:
> I've been thinking about a move to a system based on optical taps of
> each of the links.  I'd aggregate these links into something like a
> 3750 and use remote-span VLANs to pass the traffic onto servers that
> sniffing on their interface on that 3750.  Do products like the
> NetOptics Matrix Switches offer a substantial advantage?
>
> Comments or suggestions?


<braindump>
I see little point in aggregating tapped traffic, unless you have only  
a small amount of it and you're doing it to save cost on monitoring  
network interfaces - but is that saved cost still a saving when you  
factor in the cost of the extra 3750s in the middle? I'd guess no.

Depending on how well saturated your circuits are, get double- or  
quad- GE network cards (Intel make some fixed ones, there are others  
that take SFPs and fat GBICs) and plug them directly in to the optical  
taps. If you need your monitoring equipment a distance from the  
optical taps, use netoptic's regeneration taps, which split 70/30 and  
then amplify the 30 before sending to your equipment on a different  
floor/whatever.

There are other vendors, I like netoptics because they have cute  
purple optical patch leads, provide per-tap specs as tested at the  
factory, and they all worked beautifully out of the box - another  
vendor had a 50% failure rate, I've forgotten who they were though.

A PC with 4 GE optical ports is much simpler and probably more cost  
effective than doing remote span complications.

Note that for a single GE link, you'd need 2GE of remote span backhaul  
(one GE in each direction).

Matrix switches aren't useful for your case, as you're talking about  
monitoring for trending etc. I think. Matrix switches are good when  
you have lots of links, and want to be able to switch between them. Is  
the cost of matrix switch ports worth the saving in GE interfaces on  
PCs?

Netoptics have taps that aggregate several links in to one monitoring  
feed. Not really cost effective when the cost of a single GE network  
interface for a PC is so low.

The above is based on the assumption you're using PCs for monitoring,  
the economics of aggregating tap traffic may make more sense if you're  
using some fancy monitoring platform.

If you find that you need lots of GE interfaces per PC or something,  
and are saturating the PCI bus, look at DAG cards from Endace. They're  
designed for passive monitoring, and will send you only headers and do  
BPF in hardware. I looked at these for a similar project, but didn't  
bother as it was cheaper to buy more PC chassis' and commodity GE  
cards. They can do 10GE monitoring, so if you need several 10GE's per  
chassis I'd recommend these.
</braindump>

--
Nathan Ward

• Previous message (by thread): Techniques for passive traffic capturing
• Next message (by thread): Techniques for passive traffic capturing
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]