Date: Mon Jun 19 14:07:55 2006
From: michael.holstein at csuohio.edu (Michael Holstein)
Subject: Sniffing on 1GBps

Sure, it's possible .. but (possible != cheap).

A cheap way to go is to use an Intel card, and enable device polling for it in the kernel (*bsd), or use PF_RING (linux).

A lot of other factors will come into play, depending on the link utilization (sustained line-rate capture at 1gbps is much harder than 1gbps bursts).

While 33mhz 32bit PCI will get you close, you should get something that's 66mhz or PCI-X, etc. You should also try to get the ethernet card on its own PCI bus if possible (eg: don't put it next to the RAID card).

You will also need a fairly fast disk array to offload the capture at line rate, and you should have lots of physical memory.

If you've got deep pockets, get a dedicated capture card like the DAG units from Endace (there are a half-dozen folks that make similar models) .. these let you put BPF expressions on the card itself, and offload a lot of the capture CPU overhead onto dedicated processors.

Also .. if you've got fiber as your PHY and you're using passive taps, you'll actually need 2 cards (using receive on each card for one half the link), and combine the two in the kernel using something like netgraph (again, *bsd).

When doing gigabit (or faster) capture at wire-speed, a lot of other factors like PCI bandwidth, disk bandwidth, interrupts, etc. come into play.

Good luck.

Michael Holstein CISSP GCIA
Cleveland State University

crazy frog wrote:
> Hi List,
> I'm just wondering if it is possible to capture the data from a
> highspeed NIC card? If it is possible then what kind of precaution we
> have to take so that we do not miss the data?
> thanks for any help.
> -------
> CF
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
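The reply above points out that a passive fiber tap needs two cards, one receiving each direction of the link, with the two halves combined afterwards (in the kernel via netgraph, in that suggestion). As an added example that is not part of the original post, this Python code does the same merge offline on two capture files. It assumes classic microsecond pcap files that are each already time-sorted and were timestamped by the same host clock; the function names are hypothetical.

```python
import heapq
import struct

PCAP_MAGIC = 0xA1B2C3D4   # classic pcap with microsecond timestamps
GLOBAL_HDR = "IHHiIII"    # magic, version major/minor, tz, sigfigs, snaplen, linktype

def read_pcap(data):
    """Yield (timestamp_usec, orig_len, packet_bytes) from a classic pcap byte string."""
    if len(data) < 24:
        raise ValueError("short pcap global header")
    for endian in ("<", ">"):          # writer may have used either byte order
        if struct.unpack_from(endian + "I", data, 0)[0] == PCAP_MAGIC:
            break
    else:
        raise ValueError("not a classic microsecond pcap")
    off = 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header")
        sec, usec, caplen, origlen = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        if off + caplen > len(data):   # capture was cut off mid-packet
            raise ValueError("truncated packet record")
        yield sec * 1_000_000 + usec, origlen, data[off:off + caplen]
        off += caplen

def merge_directions(rx_a, rx_b, snaplen=65535, linktype=1):
    """Interleave the two half-link captures by timestamp into one pcap.

    Assumes both inputs are time-sorted and share one clock; on equal
    timestamps heapq.merge keeps rx_a's packet first.
    """
    out = bytearray(struct.pack("<" + GLOBAL_HDR, PCAP_MAGIC, 2, 4, 0, 0,
                                snaplen, linktype))
    ordered = heapq.merge(read_pcap(rx_a), read_pcap(rx_b), key=lambda r: r[0])
    for ts, origlen, pkt in ordered:
        out += struct.pack("<IIII", ts // 1_000_000, ts % 1_000_000,
                           len(pkt), origlen)
        out += pkt
    return bytes(out)

def make_pcap(packets, endian="<"):
    """Build a constructed sample capture from (sec, usec, payload) tuples."""
    buf = struct.pack(endian + GLOBAL_HDR, PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for sec, usec, payload in packets:
        buf += struct.pack(endian + "IIII", sec, usec, len(payload), len(payload))
        buf += payload
    return buf
```

A truncated input raises `ValueError` rather than producing a silently short merge, which matters when the capture host could not keep up with the link.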