Full Disclosure mailing list archives
Re: Sniffing on 1GBps
From: Valdis.Kletnieks () vt edu
Date: Sun, 18 Jun 2006 09:09:41 -0400
On Sun, 18 Jun 2006 17:58:32 +0530, crazy frog crazy frog said:
I m just wondering if it is possible to capture the data from a highspeed NIC card?if it is possible then wht kind of precaution we have to take so that we does not miss the data?
What you need: 1) A NIC that can *sustain* 1GBps (did you mean 1Gbps? GB is giga-BYTES, Gb is giga-BITS. 1Gbps is getting to be pretty standard). The two end cases you want to test are (a) back-to-back jumbograms, and (b) back-to- back *minimum* sized packets. Often, the second will make the card fall over even though the actual data transfer is far lower, due to the increased interrupt rate. Non-buggy device drivers help a lot here, as does the ability to buffer multiple packets per interrupt. 2) Is full packet capture required, or just the IP/TCP/UDP headers? It makes a big difference for data storage requirements. Similarly, if you can limit the traffic captured (a given hostname, a port, anything else that makes sense as a tcpdump or iptables filter, tec), it makes the job easier. 3) A disk subsystem that can *sustain* 125 MB/sec write rates (you'll probably need to stripe across several disks. Also, you'll need to think *really* hard if you need continuous full storage - even an hour of 125 MB/sec gets pretty honking huge.... 4) If you're trying to catch off the wire at 125MB/sec, and throw it *all* to a disk, you'll be wanting to look at high-end PCI. Quite possibly a dual-backplane system, and watch out for memory contention issues... 5) You'll need something to *process* the data as well - which gets *really* interesting if you're trying to do it real-time. Having said that, 1Gbps capture isn't particularly technically challenging. There's people out there that are looking at the 10Gbps and 40Gbps markets (these usually involve some custom silicon to do filtering so you don't try to capture the *entire* data capacity - think "Snort rules in hardware").
Attachment:
_bin
Description:
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Sniffing on 1GBps crazy frog crazy frog (Jun 18)
- Re: Sniffing on 1GBps Valdis . Kletnieks (Jun 18)
- Re: Sniffing on 1GBps Denis Jedig (Jun 18)
- Re: Sniffing on 1GBps 3APA3A (Jun 18)
- Message not available
- Re: Sniffing on 1GBps Fabio Pietrosanti - naif (Jun 18)
- Re: Sniffing on 1GBps Michael Holstein (Jun 19)