Re: [Full-disclosure] Sniffing on 1GBps
- To: crazy frog crazy frog <i.m.crazy.frog@xxxxxxxxx>
- Subject: Re: [Full-disclosure] Sniffing on 1GBps
- From: Michael Holstein <michael.holstein@xxxxxxxxxxx>
- Date: Mon, 19 Jun 2006 09:08:32 -0400
Sure, it's possible .. but (possible != cheap).

A cheap way to go is to use an Intel card, and enable device polling for
it in the kernel (*bsd), or use PF_RING (linux). A lot of other factors
will come into play, depending on the link utilization (sustained
line-rate capture at 1gbps is much harder than 1gbps bursts).

While 33mhz 32bit PCI will get you close, you should get something
that's 66mhz or PCI-X, etc. You should also try to get the ethernet card
on its own PCI bus if possible (eg: don't put it next to the RAID
card). You will also need a fairly fast disk array to offload the
capture at line rate, and you should have lots of physical memory.

If you've got deep pockets, get a dedicated capture card like the DAG
units from Endace (there are a half-dozen folks that make similar
models) .. these let you put BPF expressions on the card itself, and
offload a lot of the capture CPU overhead onto dedicated processors.

Also .. if you've got fiber as your PHY and you're using passive taps,
you'll actually need 2 cards (using receive on each card for one half
the link), and combine the two in the kernel using something like
netgraph (again, *bsd).

When doing gigabit (or faster) capture at wire-speed, a lot of other
factors like PCI bandwidth, disk bandwidth, interrupts, etc. come into play.

Good luck.

Michael Holstein CISSP GCIA
Cleveland State University

crazy frog crazy frog wrote:
Hi List,
I'm just wondering if it is possible to capture the data from a
high-speed NIC card? If it is possible, then what kind of precautions do we
have to take so that we do not miss the data?
Thanks for any help.
-------
CF
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
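
The bus, disk and memory factors named in the reply above can be put into numbers. This is an added example, not part of the original post: the function name capture_budget is hypothetical, the bus figures are theoretical peaks (clock times width), the on-disk cost assumes the classic pcap file format with its 16-byte per-packet record header, and directions=2 models the two-card passive-tap case with both cards on one bus.

```python
import math

PREAMBLE_IFG = 20   # preamble (8) + inter-frame gap (12), bytes per frame on the wire
PCAP_REC_HDR = 16   # per-packet record header in the classic pcap file format

# Theoretical peak bus bandwidth in bytes/s = clock (Hz) * width (bytes).
BUS_PEAK = {
    "PCI 32-bit/33MHz": 33_333_333 * 4,
    "PCI 64-bit/66MHz": 66_666_666 * 8,
    "PCI-X 64-bit/133MHz": 133_333_333 * 8,
}

def capture_budget(link_bps, frame_bytes, directions=1,
                   disk_bytes_per_s=0, ram_buffer_bytes=0):
    """Sustained load for capturing `directions` halves of a saturated link."""
    # Packets per second: each frame also occupies preamble + gap on the wire.
    pps = directions * link_bps // (8 * (frame_bytes + PREAMBLE_IFG))
    bus_load = pps * frame_bytes                    # bytes/s DMA'd to host memory
    disk_load = pps * (frame_bytes + PCAP_REC_HDR)  # bytes/s written as pcap
    deficit = disk_load - disk_bytes_per_s          # what RAM must absorb
    return {
        "pps": pps,                # also the interrupt rate without polling
        "bus_load": bus_load,
        "disk_load": disk_load,
        # Ratio > 1 means the bus peak exceeds the load; < 1 means drops.
        "bus_headroom": {n: peak / bus_load for n, peak in BUS_PEAK.items()},
        # How long a line-rate burst can last before the RAM buffer fills.
        "buffer_seconds": ram_buffer_bytes / deficit if deficit > 0 else math.inf,
    }

if __name__ == "__main__":
    cases = [("64-byte frames, one direction", 64, 1),
             ("1518-byte frames, one direction", 1518, 1),
             ("1518-byte frames, both tap halves", 1518, 2)]
    for label, frame, dirs in cases:
        b = capture_budget(10**9, frame, dirs,
                           disk_bytes_per_s=100_000_000,   # constructed sample value
                           ram_buffer_bytes=4 * 2**30)     # constructed sample value
        print(label)
        print(f"  {b['pps']:,} pps, disk {b['disk_load'] / 1e6:.1f} MB/s, "
              f"buffer lasts {b['buffer_seconds']:.0f} s")
        for name, ratio in b["bus_headroom"].items():
            print(f"  {name}: {ratio:.2f}x headroom")
```
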