Ultimate sniffer box

[TechBoyJK]

It's been a while since I've been a network admin (a few years) and my idea of a sniffer box is just taking a basic box with 2 nics, bridging them, and doing a TCPDUMP and parsing the data with wireshark or something similar.

Anybody have any better ideas? Let's say you need to analyze a 'network' for performance and traffic anomalies. How would you approach it?

 

[drebo]

A Cisco Catalyst switch with a SPAN port.

However, that will monitor only the data running over that port and not do anything for "performance and traffic anomalies". For that, you need something like Cisco's IP SLA which will monitor latency, jitter, etc, over your network. For performance, you'll need SNMP to read interface load specifics.

This and your other topic sound a hell of a lot like doing your homework for you.

 

[Railgun]

Depends on what you want to do I suppose. In a huge environment, I don't necessarily need to capture the payload of everything. That being said, you bring your slice size down to 100 bytes or so, get a 10G nic, a ton of ram, and crunch away. Collecting this data isn't very CPU intensive so it doesn't need to be some octo-core box.

Between it and whatever your source, some aggregate switch to bring all that into a single NIC...or more...depending on what you're using for your sniffer to begin with.

That's the short, short version.

 

[ViviTheMage]

Snorby!

 

[ScottMac]

A Cisco Catalyst switch with a SPAN port.

However, that will monitor only the data running over that port and not do anything for "performance and traffic anomalies". For that, you need something like Cisco's IP SLA which will monitor latency, jitter, etc, over your network. For performance, you'll need SNMP to read interface load specifics.

This and your other topic sound a hell of a lot like doing your homework for you.

The Fluke OptiView is a great general net monitor, and a pretty decent Sniffer thingy too. I have two in the Lab network and love 'em.