lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon Jun 19 14:07:55 2006
From: michael.holstein at csuohio.edu (Michael Holstein)
Subject: Sniffing on 1GBps

Sure, it's possible .. but (possible != cheap).

A cheap way to go is to use a Intel card, and enable device polling for 
it in the kernel (*bsd), or use PF_RING (linux). A lot of other factors 
will come into play, depending on the link utilization (sustained 
line-rate capture at 1gbps is much harder than 1gpbs bursts).

While 33mhz 32bit PCI will get you close, you should get something 
that's 66mhz or PCI-X, etc. You should also try to get the ethernet card 
on it's own PCI bus if possible (eg: don't put it next to the RAID 
card). You will also need a fairly fast disk array to offload the 
capture at line rate, and you should have lots of physical memory.

If you've got deep pockets, get a dedicated capture card like the DAG 
units from Endace (there are a half-dozen folks that make similar 
models) .. these let you put BPF expressions on the card itself, and 
offload a lot of the capture CPU overhead onto dedicated processors.

Also .. if you've got fiber as your PHY and you're using passive taps, 
you'll actually need 2 cards (using receive on each card for one half 
the link), and combine the two in the kernel using something like 
netgraph (again, *bsd).

When doing gigabit (or faster) capture at wire-speed, a lot of other 
factors like PCI bandwidth, disk bandwidth, interrupts, etc. come into play.

Good luck.

Michael Holstein CISSP GCIA
Cleveland State University

crazy frog crazy frog wrote:
> Hi List,
> I m just wondering if it is possible to capture the data from a
> highspeed NIC card?if it is possible then wht kind of precaution we
> have to take so that we does not miss the data?
> thanks for any help.
> -------
> CF
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> 

Powered by blists - more mailing lists