Message-ID: <4496A1D0.20904@csuohio.edu>
Date: Mon Jun 19 14:07:55 2006
From: michael.holstein at csuohio.edu (Michael Holstein)
Subject: Sniffing on 1GBps

Sure, it's possible .. but (possible != cheap).

A cheap way to go is to use an Intel card, and enable device polling for 
it in the kernel (*bsd), or use PF_RING (linux). A lot of other factors 
will come into play, depending on the link utilization (sustained 
line-rate capture at 1gbps is much harder than 1gbps bursts).

While 33mhz 32bit PCI will get you close, you should get something 
that's 66mhz or PCI-X, etc. You should also try to get the ethernet card 
on its own PCI bus if possible (eg: don't put it next to the RAID 
card). You will also need a fairly fast disk array to offload the 
capture at line rate, and you should have lots of physical memory.

If you've got deep pockets, get a dedicated capture card like the DAG 
units from Endace (there are a half-dozen folks that make similar 
models) .. these let you put BPF expressions on the card itself, and 
offload a lot of the capture CPU overhead onto dedicated processors.

Also .. if you've got fiber as your PHY and you're using passive taps, 
you'll actually need 2 cards (using receive on each card for one half 
the link), and combine the two in the kernel using something like 
netgraph (again, *bsd).

When doing gigabit (or faster) capture at wire-speed, a lot of other 
factors like PCI bandwidth, disk bandwidth, interrupts, etc. come into play.

Good luck.

Michael Holstein CISSP GCIA
Cleveland State University

crazy frog crazy frog wrote:
> Hi List,
> I'm just wondering if it is possible to capture the data from a
> highspeed NIC card? If it is possible then what kind of precaution we
> have to take so that we do not miss the data?
> thanks for any help.
> -------
> CF