Wireshark-users: Re: [Wireshark-users] Capture hardware

From: Kok-Yong Tan <ktan@xxxxxxxxxxxxxxxxxxx>
Date: Sat, 10 May 2008 16:32:06 -0400

On May 2, 2008, at 17:46, Guy Harris wrote:

> Laurent Chouinard wrote:
>
> > So I ask: Is there any hardware product whose sole purpose is to receive
> > an ethernet cable and record everything internally? I would leave that
> > device for a few days, then collect it, extract the data, and run my
> > analysis through Wireshark.
>
> There are, I think, a number of companies that sell devices such as
> that, e.g. Solera (found by going to the "Sharkfest '08" page from the
> Wireshark home page, and looking at the list of Sharkfest sponsors):
>
> 	http://www.soleranetworks.com/products/capture-appliances.php
>
> and NetScout, as mentioned in another reply:
>
> 	http://www.netscout.com/products/infinistream.asp
>
> and (if I'm correctly interpreting what the devices do) Network Instruments:
>
> 	http://www.networkinstruments.com/products/gigabit/GigaStorProbe.html
>
> and NetQoS:
>
> 	http://www.netqos.com/solutions/gigastor/index.html
>
> and so on - see the list of vendors of "network monitoring and
> management software and appliances" at
>
> 	http://blog.opusinteractive.com/industry/interop-07-lots-of-opportunities/
>
> I don't know how much those devices cost, though.



I looked at the above but aside from price, there was the issue that they're whoppers in terms of size and not something that one could conveniently lug from client to client if one is an itinerant consultant (not without awkward boxes and questions from the cops, especially if one is using the New York City subway as transport, anyway). Just then, a brainwave hit (okay, maybe a larger than normal brainswell): Why not use a Mac Mini? Just the right size and price. Compact and portable. Has either an 80GB or 120GB hard drive with the possibility of attaching external storage via FireWire 1.0 or USB 2.0. Comes in protective packaging that resembles a child's 1950s/1960s lunchbox. The new models have gigabit NICs as well as 802.11b/g/n. Seemingly perfect for the job of pure packet capture once Wireshark is compiled and installed on them and they're set to not go to sleep on idle while Wireshark is running in capture mode. Any thoughts?

I know that Laura Chappell mentioned in Sharkfest 2008 the need for special tools for gigabit packet capture and that gigabit NICs won't work (I'm a newbie to gigabit packet capture so I'm not clear about the details since Ms. Chappell made cheetahs look like turtles during Sharkfest--can someone enlighten me as to why a single gigabit NIC will not work for full-duplex gigabit packet capture? Does it have to do with it being lossy due to the speed of the NIC overwhelming the speed of the data bus on most computers?)
--
Reality Artisans, Inc.            #   Network Wrangling and Delousing
P.O. Box 565, Gracie Station # Apple Certified Help Desk Specialist
New York, NY 10028-0019           #   Apple Consultants Network member
<http://www.realityartisans.com>  #   Apple Developer Connection member
(212) 369-4876 (Voice)            #   (212) 860-4325 (Fax)
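An added example of the unattended-capture setup described in the message above; it is not code from the thread or from the Wireshark project. It uses dumpcap, the capture engine that ships with Wireshark, rather than the Wireshark GUI, because the GUI keeps every captured packet in memory and will exhaust it over a multi-day run, while dumpcap with a ring buffer writes to disk and rotates files. The interface name en0, the mount point /Volumes/Capture and the 10% disk reserve are assumptions for illustration; pmset is the macOS power-management tool the message's "don't sleep on idle" requirement maps to.

```shell
#!/bin/sh
# Added example, not from the original thread: run dumpcap (Wireshark's
# capture engine) unattended on a Mac Mini with a disk-bounded ring buffer.
# Assumptions (not from the page): Wireshark is installed so dumpcap is on
# PATH, the wired gigabit NIC is en0, and captures go to an external disk
# mounted at /Volumes/Capture.
IFACE="${IFACE:-en0}"
OUTDIR="${OUTDIR:-/Volumes/Capture}"
SNAPLEN="${SNAPLEN:-0}"        # 0 = capture whole frames; lower it to save disk
FILE_KB="${FILE_KB:-1000000}"  # about 1 GB per ring-buffer file

# ring_files DISK_KB FILE_KB RESERVE_PCT
# Number of ring-buffer files that fit on the disk while leaving
# RESERVE_PCT free; a full disk ends the capture, and dumpcap needs at
# least two files to rotate.
ring_files() {
    disk_kb=$1; file_kb=$2; reserve_pct=$3
    usable=$(( disk_kb * (100 - reserve_pct) / 100 ))
    n=$(( usable / file_kb ))
    if [ "$n" -lt 2 ]; then n=2; fi
    echo "$n"
}

# capture_cmd IFACE OUTDIR FILE_KB NFILES SNAPLEN
# Builds the dumpcap invocation as a string so it can be inspected before
# the box is left alone for days. -b filesize: rotates at FILE_KB kB,
# -b files: keeps only the newest NFILES files (oldest are overwritten).
capture_cmd() {
    printf 'dumpcap -i %s -s %s -b filesize:%s -b files:%s -w %s/capture.pcap\n' \
        "$1" "$5" "$3" "$4" "$2"
}

main() {
    # Keep the Mini awake: no system sleep, no disk spin-down.
    sudo pmset -a sleep 0 disksleep 0
    # Size the ring to the free space on the capture disk (df -k, 1K blocks,
    # column 4 = available).
    free_kb=$(df -k "$OUTDIR" | awk 'NR==2 {print $4}')
    nfiles=$(ring_files "$free_kb" "$FILE_KB" 10)
    cmd=$(capture_cmd "$IFACE" "$OUTDIR" "$FILE_KB" "$nfiles" "$SNAPLEN")
    echo "running: $cmd"
    eval "sudo $cmd"
}

# Only start capturing when explicitly asked, so the functions above can be
# sourced and checked without touching power settings or the NIC.
if [ "${RUN_CAPTURE:-0}" = 1 ]; then main; fi
```

Run it as `RUN_CAPTURE=1 sh capture.sh` once the external disk is mounted; `dumpcap -D` lists the interface names if the wired port is not en0. The oldest file in the ring is silently overwritten once all NFILES exist, so the ring size, not the capture duration, decides how far back the recording reaches.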