On Sat, Jul 24, 2010 at 4:28 PM, <Valdis.Kletnieks@vt.edu> wrote:
On Sat, 24 Jul 2010 15:40:58 EDT, Christopher Morrow said:
why wouldn't you just do the intercept before the LSN?
That gets interesting too, when several tens of thousands of users may all be behind the same LSN. Making sure you intercept only the right user's traffic gets a lot more interesting in front of the LSN. Doing it behind the LSN means you can snarf up just the traffic heading to/from one NAT'ed IP, which is hopefully changing not all that often. Doing it in front of the LSN means you need to decide whether to capture the data in real time on a per-flow basis (consider the fun involved in catching a SYN packet outbound - what's your time budget between when the miscreant's packet leaves his host and when you have to catch it on the outbound side of the LSN)...
innocent until proven guilty... plus probably a large portion of the calea things aren't for a 'miscreant' anyway but for other reasons. say, i wonder how many actual calea requests have been sent out anyway?? (I know one very large network has yet to get a single one, or so the grape vine tells me.)