Good stuff... the real key is to understand what you want
OUT of the data so you can make sure you collect the RIGHT data. For many
sites, they simply don't care about interior traffic and a passive port on the
external link(s) is enough. If you don't know what you want, then you need
to investigate commercial packet capture/logging solutions - they archive all
the GB of packets over a period of days or weeks (depends on your budget for
storage, naturally). While those will provide you with the historical
data and drill down, they come at commercial prices (think 5-6 figures
US$).
Also, two other points:
1. Many folks seem to focus on Cisco as if that's the ONLY
switches and routers in use. Other companies offer other capabilities, so
look in your docs for something called (span - Cisco), mirror, traffic monitor,
etc.
2. For 10/100 links the passive taps Chris pointed you to
work great. For faster links and for fibre, you will need to purchase
commercial units - these run $400 and UP...
-----Burton

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Moore
Sent: Friday, December 30, 2005 10:54 AM
To: ntop@Unipi.IT
Subject: RE: [Ntop] Packet Capture

I'd say tap placement is the biggest challenge for Ntop (or
any packet analyser) implementation. There are a lot of issues. As said, on a
Cisco you can mirror an entire VLAN - but if that VLAN spans multiple switches,
you'll end up eating up tons of bandwidth on the trunks between switches. And if
you mirror a bunch of ports or a VLAN to one port you miss things if the total
traffic for all those ports exceeds the bandwidth of that one port. For example,
I had a request from my higher-ups (regular readers of this list may recall how
well we see eye-to-eye) to mirror all the ports on 5 48-port gig switches to one
Snort box recently. Er.......there's a reason we bought 240 gig ports; don't you
think there's a chance we have more than 1 gig total traffic flowing across
these switches from time to time?
My solution is to have multiple Ntop boxes at strategic
points on the network - router interfaces, firewall interfaces, etc. I use a
mixture of port mirrors and passive taps (http://www.snort.org/docs/tap/). Then
look at those individually. Somewhere in the neighborhood of 10, I think - I've
lost track. This works out rather well, actually. Yeah, I can't get a single
report of EVERYTHING going on in my network, but the ability to pinpoint what is
flowing across a particular link is quite useful. I wouldn't have that sort of
granularity with a single big implementation. Plus it's worked out well for the
budget as each box doesn't have to be particularly strong - I've managed to
scrounge most of them from other people's cast-offs.
$.02
Chris

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Burton Strauss
Sent: Thursday, December 29, 2005 1:47 PM
To: ntop@Unipi.IT
Subject: RE: [Ntop] Packet Capture

Read the article in docs/FAQ on switched networks.
Also read up on the -m | --local-hosts switch. But off-hand, sounds like
you need either to invest in a better switch or re-think your
layout.
-----Burton
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colombo Alessandro
Sent: Thursday, December 29, 2005 10:20 AM
To: Ntop@Unipi.IT
Subject: [Ntop] Packet Capture

Hello, I'm having problems capturing packets with my Linux box. The LB runs
Fedora Core 4 and it's connected to the main switch with a network card. It has
another network card used to capture packets. The switch permits configuring
port mirrors, but only one at a time: I mean, I can set a port to be mirrored
to another, but not 10 ports to be mirrored to the same port. I'm capturing
traffic, but it seems all the traffic is generated by the LB except some RARP
packets. Moreover, some traffic isn't detected at all (e.g. MSN). Any advice?
Thank you.

Alessandro
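Two quick checks that follow from this thread, written as an added example (Python, not code from any of the posts above or from the ntop project). The sample frames and the MAC/IP addresses in it are constructed. The first check classifies what a capture interface actually sees: a working mirror or tap delivers unicast frames between third parties, whereas a plain access port with no mirror shows only the capture box's own frames plus whatever the switch floods (broadcast/multicast, such as the RARP packets Alessandro mentions). The second computes the worst-case oversubscription of a single mirror destination port, the problem Chris describes with 240 gig ports feeding one gig port.

```python
"""Sanity checks for a passive capture port (added example, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    """Minimal view of a captured Ethernet/IP frame (constructed for the example)."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    length: int


def is_multicast(mac: str) -> bool:
    """Group bit (least-significant bit of the first octet) set means
    broadcast or multicast, i.e. a frame the switch floods to every port."""
    return int(mac.split(":")[0], 16) & 1 == 1


def capture_report(frames, local_macs):
    """Count what the capture interface sees and decide whether the mirror works.

    own                 - frames to/from the capture box itself
    flooded             - broadcast/multicast the switch floods everywhere
    third_party_unicast - unicast between other hosts; only a mirror/tap shows these
    """
    local = {m.lower() for m in local_macs}
    own = flooded = third_party_unicast = 0
    for f in frames:
        if f.src_mac.lower() in local or f.dst_mac.lower() in local:
            own += 1
        elif is_multicast(f.dst_mac):
            flooded += 1
        else:
            third_party_unicast += 1
    return {
        "total": len(frames),
        "own": own,
        "flooded": flooded,
        "third_party_unicast": third_party_unicast,
        # No third-party unicast at all is the "only my own traffic plus RARP" symptom.
        "mirror_working": third_party_unicast > 0,
    }


def mirror_oversubscription(source_ports_mbps, dest_port_mbps):
    """Worst-case ratio of mirrored traffic to the destination port's capacity.

    A full-duplex source port can carry traffic in both directions, so each one
    can contribute up to 2x its link speed to the single mirror destination.
    A ratio above 1.0 means the mirror port can drop frames under peak load."""
    worst_case = sum(2 * s for s in source_ports_mbps)
    return worst_case / dest_port_mbps


# Constructed sample data: the capture box (LB), its gateway, and two other hosts.
LOCAL_MACS = ["00:11:22:33:44:55"]
GATEWAY, HOST_A, HOST_B = "00:aa:bb:cc:dd:01", "00:aa:bb:cc:dd:02", "00:aa:bb:cc:dd:03"
BROADCAST = "ff:ff:ff:ff:ff:ff"

# What an access port with no mirror sees: the box's own traffic plus a flooded RARP.
NO_MIRROR = [
    Frame(LOCAL_MACS[0], GATEWAY, "192.0.2.10", "192.0.2.1", 98),
    Frame(GATEWAY, LOCAL_MACS[0], "192.0.2.1", "192.0.2.10", 98),
    Frame(HOST_A, BROADCAST, "0.0.0.0", "0.0.0.0", 60),  # RARP request
]

# What a working mirror adds: unicast between hosts that are not the capture box.
MIRRORED = NO_MIRROR + [
    Frame(HOST_A, HOST_B, "192.0.2.20", "192.0.2.30", 1514),
    Frame(HOST_B, HOST_A, "192.0.2.30", "192.0.2.20", 66),
]

if __name__ == "__main__":
    print("no mirror:", capture_report(NO_MIRROR, LOCAL_MACS))
    print("mirrored: ", capture_report(MIRRORED, LOCAL_MACS))
    # Chris's case: 5 x 48 gig ports mirrored into one gig port.
    print("240 gig ports -> 1 gig port, worst case:",
          mirror_oversubscription([1000] * 240, 1000))
```

Run against a real capture, the frames would come from a pcap reader rather than the constructed list; the classification is the same. A report with zero third-party unicast is the quickest way to tell that the switch is not mirroring anything to the capture port, before looking for problems in ntop itself.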
_______________________________________________
Ntop mailing list
Ntop@unipi.it
http://listgateway.unipi.it/mailman/listinfo/ntop