Techniques for passive traffic capturing
wozz at wookie.net
Wed Jun 25 21:47:50 UTC 2008
Ross Vandegrift <ross <at> kallisti.us> writes:
> On Tue, Jun 24, 2008 at 01:19:03PM +1200, Nathan Ward wrote:
> > I see little point in aggregating tapped traffic, unless you have only
> > a small amount of it and you're doing it to save cost on monitoring
> > network interfaces - but is that saved cost still a saving when you
> > factor in the cost of the extra 3750s in the middle? I'd guess no.
> Thanks for all the info Nathan - lots of good leads in your email.
> Let me include some more information.
> The problem is finding a way to multiplex that traffic from the
> optical tap to multiple things that want to peek at it. The
> remote-span trick solves that, as well as integrating media
> converters. 3750 is nice since you can stack em up and mix/match the
> SFP and copper ports.
http://www.gigamon.com. Taps+MultiPlexing+Filtering+Clustering+10g. I've been
using them very successfully for exactly what you describe for the last 2 years.
If they are a bit too pricey, look at http://www.vssmonitoring.com. Similar
capabilities to Gigamon, slightly less flexibility (fixed hardware
configurations vs Gigamon's modular configuration) and possibly cheaper
depending on your needs.
More information about the NANOG