On Monday, September 17, 2001, at 05:46 PM, Benny Fischer wrote:
> In the FAQ they claim there is no IP stack... so how can it have IP-based filters to let in traffic... or is this all done with custom software?
If they're just capturing raw Ethernet, they can disassemble the packets themselves without exposing the machine to "everything-over-IP" vulnerabilities. Surprisingly good design.

Still, I can't see how they can do all the analysis with "post-processing". There's just too much data on a big ISP's net. Does it write to a monstrous tape library? I'd think they'd at least want to do packet reassembly and sequencing in memory, then some filtering, for ease of analysis. That would mean in-line software, which could, of course, be brought down with just the right malformed TCP packet sequence. Unless they have much better-than-average programmers at the FBI.

Of course, if they're doing any filtering at that level, they'll miss steganographic TCP sequence numbers, etc. (if someone's invented that...)

-Bill
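As an added illustration (not part of the thread or of any FBI software), here is a small Python decoder for the approach Bill describes: raw Ethernet frames are disassembled by hand, with no host IP stack involved, and every length field is bounds-checked before it is trusted, so a truncated or malformed frame is counted and skipped rather than taking the collector down. The header layouts are standard Ethernet II / IPv4 / TCP; the sample capture, MAC and IP addresses are constructed for the example.

```python
import socket
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
IPPROTO_TCP = 6


class MalformedFrame(ValueError):
    """Raised for frames that fail a sanity check; the caller counts and skips them."""


@dataclass
class TcpSegment:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    seq: int          # kept so sequence numbers can be examined in post-processing
    payload: bytes


def parse_frame(frame: bytes) -> Optional[TcpSegment]:
    """Decode one raw Ethernet frame into a TcpSegment.

    Returns None for traffic we are not interested in (non-IPv4, non-TCP) and
    raises MalformedFrame whenever a header length does not fit the bytes we have.
    """
    # Ethernet II: dst MAC (6), src MAC (6), EtherType (2)
    if len(frame) < 14:
        raise MalformedFrame("frame shorter than Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_IPV4:
        return None  # ARP, IPv6, VLAN-tagged, ...: not handled here

    ip = frame[14:]
    if len(ip) < 20:
        raise MalformedFrame("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, _flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack_from("!BBHHHBBH4s4s", ip, 0)
    if ver_ihl >> 4 != 4:
        raise MalformedFrame("IP version is not 4")
    ihl = (ver_ihl & 0x0F) * 4
    # IHL and total length are attacker-controlled; never slice on them unchecked.
    if ihl < 20 or ihl > len(ip) or total_len < ihl or total_len > len(ip):
        raise MalformedFrame("IHL/total length inconsistent with frame size")
    if proto != IPPROTO_TCP:
        return None

    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        raise MalformedFrame("truncated TCP header")
    sport, dport, seq, _ack, off_flags = struct.unpack_from("!HHIIH", tcp, 0)
    data_off = (off_flags >> 12) * 4
    if data_off < 20 or data_off > len(tcp):
        raise MalformedFrame("TCP data offset out of range")
    return TcpSegment(socket.inet_ntoa(src), socket.inet_ntoa(dst),
                      sport, dport, seq, tcp[data_off:])


def decode_capture(frames: List[bytes]) -> Tuple[List[TcpSegment], int]:
    """Decode a batch of frames; a bad frame is dropped, not fatal."""
    segments, dropped = [], 0
    for frame in frames:
        try:
            seg = parse_frame(frame)
        except MalformedFrame:
            dropped += 1
            continue
        if seg is not None:
            segments.append(seg)
    return segments, dropped


def build_tcp_frame(src_ip: str, dst_ip: str, sport: int, dport: int,
                    seq: int, payload: bytes) -> bytes:
    """Construct a well-formed Ethernet/IPv4/TCP frame for testing (checksums left zero)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64,
                     IPPROTO_TCP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp


# Constructed sample capture: one good segment, two malformed frames, one ARP frame.
GOOD = build_tcp_frame("10.0.0.1", "10.0.0.2", 40000, 80, 12345, b"GET / HTTP/1.0\r\n")
TRUNCATED = GOOD[:40]                                   # cut off inside the TCP header
BAD_IHL = GOOD[:14] + bytes([0x4F]) + GOOD[15:]         # claims a 60-byte IP header
ARP = bytes(12) + struct.pack("!H", ETHERTYPE_ARP) + bytes(28)
SAMPLE_CAPTURE = [GOOD, TRUNCATED, BAD_IHL, ARP]

if __name__ == "__main__":
    segs, dropped = decode_capture(SAMPLE_CAPTURE)
    for s in segs:
        print(f"{s.src_ip}:{s.src_port} -> {s.dst_ip}:{s.dst_port} seq={s.seq} {s.payload!r}")
    print(f"dropped {dropped} malformed frame(s)")
```

The point of the checks is the one Bill raises: an in-line decoder that slices on IHL, total length or data offset without first comparing them against the bytes actually received is exactly the component a crafted packet sequence can take down, whereas a decoder that treats every length field as untrusted degrades to a dropped-frame counter instead.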