Hey,

On Thu, 31 Jul 2008 16:00:36 +0100 Leon Ward <seclists@rm-rf.co.uk> wrote:
On 31 Jul 2008, at 14:16, Juuso Lehtinen wrote:
Second that.
Using a hub to tap into a single link is also risky. I used to monitor a single FE link with a 100M hub. After the link had moderate utilization (20%), the collision LED was lit all the time.
I've had good experience with VSS Monitoring Ethernet Aggregator taps. Also Catalyst 2960 SPAN seems to work OK.
As for the capture PC, we've been using a regular PC with Wireshark. That's good for a single FE link, but has problems with GE and multiple links.
If you need to increase the speed of your capture tool, maybe this [1] link may be of use. It is an implementation of a libpcap that implements a shared memory ring buffer which can result in some capture performance gains.
Better off - http://www.ntop.org/PF_RING.html. I've seen a tenfold decrease in CPU usage using PF_RING.
-Leon
[ cut ]

--
Best regards,
Nickola Kolev