Snort mailing list archives

Traffic storage/analysis


From: David LaPorte <dave () laportestyle org>
Date: Mon, 8 Jul 2002 21:45:42 -0400

Hello,

I recently picked up a cheap 100GB drive and am looking to capture traffic 
across my DSL link (all of it - I figure I can keep a month or so) for 
forensic analysis.  I'd like to use Snort, as well as tcpdump, ethereal, etc. 
to look at the data after the fact.  The primary goal is to see IP in the 
wild - ID is part of that, but not the only goal.

I'm assuming I should store in tcpdump format since it is most widely 
supported.  What should I use to capture and where should I put it - is 
tcpdump to a flat file the best way to go?

My priority is fast random access to the collected data (any sort of RAID is 
not an option - I have only one drive).  I could write out a new file every 
hour to minimize the size, but what if an event crosses an hour threshold?  Is 
anyone doing something similar?  

Sorry this is a little off-topic, but I figured someone out there must be 
logging all their traffic.

thanks,
Dave LaPorte

-- 
David LaPorte
dave () laportestyle org

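The hour-boundary worry raised in the post is the one place where a worked example helps: a libpcap file is just a 24-byte global header followed by self-describing packet records, so an event that straddles two hourly files is recovered by reading both files in order and writing the matching records into one new file with a fresh header. The block below is an added example for this thread, not code from the original poster or from the Snort or tcpdump projects. It is pure standard-library Python: a minimal pcap writer, a reader that tolerates the truncated final record a capture process leaves behind when it is killed mid-write, and a time-window query across rotated files. The file names, the epoch value `t0` and the Ethernet frames are constructed sample data, not captured traffic.

```python
"""Minimal libpcap writer/reader and a time-window query across hourly
rotated capture files.  Added example for this thread, not from the original
post.  Assumes: plain libpcap files (magic 0xa1b2c3d4, microsecond
timestamps), one link type across all files, rotation on the hour by the
capture tool.  All packets and paths below are constructed sample data."""
import os
import struct
import tempfile

PCAP_MAGIC_LE = 0xa1b2c3d4      # little-endian file
PCAP_MAGIC_BE = 0xd4c3b2a1      # same magic seen byte-swapped
LINKTYPE_ETHERNET = 1
# global header: magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, network
GLOBAL_HDR = struct.Struct("<IHHiIII")
# per-packet header: ts_sec, ts_usec, incl_len, orig_len
PKT_HDR = struct.Struct("<IIII")


def write_pcap(path, packets, snaplen=65535, linktype=LINKTYPE_ETHERNET):
    """packets: iterable of (ts_sec, ts_usec, frame_bytes).  Writes little-endian pcap."""
    with open(path, "wb") as f:
        f.write(GLOBAL_HDR.pack(PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, linktype))
        for ts_sec, ts_usec, data in packets:
            f.write(PKT_HDR.pack(ts_sec, ts_usec, len(data), len(data)))
            f.write(data)


def read_pcap(path):
    """Returns (linktype, [(ts_sec, ts_usec, frame_bytes), ...]).
    Stops cleanly at a truncated trailing record instead of misparsing it."""
    with open(path, "rb") as f:
        hdr = f.read(GLOBAL_HDR.size)
        if len(hdr) < GLOBAL_HDR.size:
            raise ValueError("%s: short global header" % path)
        magic = struct.unpack("<I", hdr[:4])[0]
        if magic == PCAP_MAGIC_LE:
            endian = "<"
        elif magic == PCAP_MAGIC_BE:
            endian = ">"
        else:
            raise ValueError("%s: not a libpcap file (magic %#x)" % (path, magic))
        gh = struct.Struct(endian + "IHHiIII")
        ph = struct.Struct(endian + "IIII")
        linktype = gh.unpack(hdr)[6]
        pkts = []
        while True:
            rec = f.read(ph.size)
            if len(rec) < ph.size:
                break                       # EOF, or header cut off mid-write
            ts_sec, ts_usec, incl_len, _orig_len = ph.unpack(rec)
            data = f.read(incl_len)
            if len(data) < incl_len:
                break                       # truncated final record: drop it
            pkts.append((ts_sec, ts_usec, data))
        return linktype, pkts


def extract_window(paths, start, end, out_path):
    """Copy every record with start <= timestamp < end (seconds, float) from the
    rotated files, in timestamp order, into one merged pcap that tcpdump,
    ethereal or snort -r can read as a single capture.  Returns record count."""
    selected, linktype = [], None
    for p in sorted(paths):                 # names sort chronologically by construction
        lt, pkts = read_pcap(p)
        if linktype is None:
            linktype = lt
        elif lt != linktype:
            raise ValueError("%s: link type %d differs from %d" % (p, lt, linktype))
        for ts_sec, ts_usec, data in pkts:
            if start <= ts_sec + ts_usec / 1e6 < end:
                selected.append((ts_sec, ts_usec, data))
    selected.sort(key=lambda r: (r[0], r[1]))
    write_pcap(out_path, selected, linktype=linktype or LINKTYPE_ETHERNET)
    return len(selected)


def build_sample_files(tmpdir, t0=1026000000):
    """Two constructed hourly files; three frames each, around the t0+3600 boundary."""
    frame = bytes.fromhex("ffffffffffff00112233445508000000") + b"constructed payload"
    hour1 = [(t0 + 10, 0, frame), (t0 + 3590, 250000, frame), (t0 + 3599, 999000, frame)]
    hour2 = [(t0 + 3601, 0, frame), (t0 + 3605, 500000, frame), (t0 + 7000, 0, frame)]
    p1 = os.path.join(tmpdir, "dsl-%d.pcap" % t0)             # hypothetical naming
    p2 = os.path.join(tmpdir, "dsl-%d.pcap" % (t0 + 3600))
    write_pcap(p1, hour1)
    write_pcap(p2, hour2)
    return [p1, p2]


def demo():
    """Pull a 200-second event that straddles the hour boundary, then show the
    reader surviving a file whose last record was cut off by a killed capture."""
    t0 = 1026000000
    with tempfile.TemporaryDirectory() as d:
        files = build_sample_files(d, t0)
        out = os.path.join(d, "event.pcap")
        n = extract_window(files, t0 + 3500, t0 + 3700, out)
        _, merged = read_pcap(out)
        with open(files[1], "r+b") as f:    # simulate interrupted write on hour 2
            f.truncate(os.path.getsize(files[1]) - 5)
        _, partial = read_pcap(files[1])
        return {"merged": n, "first_offset": merged[0][0] - t0,
                "last_offset": merged[-1][0] - t0, "partial": len(partial)}


if __name__ == "__main__":
    print(demo())
```

With this approach the hourly split costs nothing at analysis time; the only real constraints are that every file shares one link type and that file names sort in time order. For the capture side, later tcpdump releases (4.x, well after this 2002 thread) rotate on their own with `tcpdump -i eth0 -s 0 -G 3600 -w 'dsl-%s.pcap'`, where `-G` is the rotation interval in seconds and `-w` takes a strftime pattern; `-C` rotates on size instead, and `-z` runs a post-rotate command, which is the hook for compressing or hashing each finished file.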



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net

