Netoptics work great. Check out their aggregation taps.
Some 4-port fiber gig taps, including Netoptics ones, drop frames when aggregate utilization exceeds 1 Gbit/s. That can be 500 east + 501 west or 1001 west, or 251 in each of 4 ports or whatever.

I'd heard about a kiddie porn case getting tossed because the defense successfully argued law enforcement's tap may have dropped frames. I didn't believe it until I measured this myself with a packet blaster. I used VSS taps in my tests. Brian Chee of the University of Hawaii tried this before me with a Netoptics tap, with similar results:

Endicott-Popovsky, B.E., Chee, B. and Frincke, D. Role of Calibration as Part of Establishing Foundation for Expert Testimony, in Proceedings 3rd Annual IFIP WG 11.9 Conference January 29-31, 2007, Orlando, FL.

dn
On Fri, 30 Nov 2007, David Newman wrote:
> I'd heard about a kiddie porn case getting tossed because the defense successfully argued law enforcement's tap may have dropped frames. I didn't believe it until I measured this myself with a packet blaster.
I would like to see a citation for this case. Evidence from network taps would be very rare in a child exploitation case, and extremely unusual for it to be the sole evidence in such a case. Despite the "CSI effect," the existence of perfect data is more suspicious than glitchy data in a criminal case. Sounds a bit like the story of a case being dismissed because a computer banner said "Welcome" (no such case has ever been found). If you had said it was a narcotics case, I would be less skeptical.
> Endicott-Popovsky, B.E., Chee, B. and Frincke, D. Role of Calibration as Part of Establishing Foundation for Expert Testimony, in Proceedings 3rd Annual IFIP WG 11.9 Conference January 29-31, 2007, Orlando, FL.
Thanks for the citation. Using an aggregation tap for a criminal investigation is not a good idea, but I guess it wouldn't surprise me if someone did. Investigators should understand the limitations of their equipment and as suggested check its calibration with known data.
On 12/1/07 11:17 AM, Sean Donelan wrote:
> On Fri, 30 Nov 2007, David Newman wrote:
>> I'd heard about a kiddie porn case getting tossed because the defense successfully argued law enforcement's tap may have dropped frames. I didn't believe it until I measured this myself with a packet blaster.
> I would like to see a citation for this case.
Dr. Endicott-Popovsky told me about the case in a phone call earlier this year. My recollection is that she told me only the details about the tap's use in the case, and not the name of the case. You might check directly with her. I believe she's at the University of Washington.
>> Endicott-Popovsky, B.E., Chee, B. and Frincke, D. Role of Calibration as Part of Establishing Foundation for Expert Testimony, in Proceedings 3rd Annual IFIP WG 11.9 Conference January 29-31, 2007, Orlando, FL.
> Thanks for the citation. Using an aggregation tap for a criminal investigation is not a good idea, but I guess it wouldn't surprise me if someone did. Investigators should understand the limitations of their equipment and as suggested check its calibration with known data.
Right. The only point with ops relevance is to be aware that some gigabit fiber taps capture just that -- exactly one gigabit per second, but not more.

dn
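The oversubscription and the calibration check discussed in this thread, as an added example that is not part of the original messages: a toy aggregation tap is fed the load patterns named above, and per-port sequence numbers from the known transmit stream are compared with what reached the capture. The function names, the tick model (1000 units per tick standing in for 1 Gbit/s) and the 50-unit buffer depth are assumptions made for illustration.

```python
from collections import defaultdict

MONITOR_UNITS = 1000  # monitor port drains 1000 units/tick (stands in for 1 Gbit/s)

def simulate_tap(offered, ticks=200, buffer_units=50):
    """Toy aggregation tap (constructed model, not any vendor's design).

    offered maps port name -> units offered per tick. Frames from all ports
    share one FIFO in front of the monitor port; whatever exceeds the FIFO
    depth after each drain is tail-dropped. Returns (sent, captured).
    """
    sent, queue, captured = defaultdict(int), [], []
    for _ in range(ticks):
        arrivals = []
        for port, rate in offered.items():
            for i in range(rate):
                # i / rate spreads each port's frames evenly across the tick
                arrivals.append((i / rate, port, sent[port]))
                sent[port] += 1
        queue.extend((port, seq) for _, port, seq in sorted(arrivals))
        captured.extend(queue[:MONITOR_UNITS])        # forwarded to the sniffer
        queue = queue[MONITOR_UNITS:][:buffer_units]  # backlog kept, rest dropped
    captured.extend(queue)  # traffic stopped: the remaining backlog drains
    return dict(sent), captured

def missing_per_port(sent, captured):
    """Calibration check: known transmit counts vs. sequence numbers captured."""
    seen = defaultdict(set)
    for port, seq in captured:
        seen[port].add(seq)
    return {port: n - len(seen[port]) for port, n in sent.items()}

def total_lost(offered, **kw):
    """Run the toy tap under one load and return the total units never captured."""
    return sum(missing_per_port(*simulate_tap(offered, **kw)).values())

if __name__ == "__main__":
    loads = {  # load patterns from the thread, plus one at exactly line rate
        "500 east + 501 west": {"east": 500, "west": 501},
        "1001 west": {"west": 1001},
        "251 on each of 4 ports": {f"p{n}": 251 for n in range(1, 5)},
        "500 east + 500 west": {"east": 500, "west": 500},
    }
    for name, offered in loads.items():
        print(f"{name}: {total_lost(offered)} frame units missing from capture")
```

In this model the buffer only delays the loss: once the backlog fills, every unit above the monitor port's rate is dropped, while the load at exactly line rate is captured in full.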
participants (2): David Newman, Sean Donelan