I'll pipe up.
I've had customers ask for this feature before and I have spent a good
amount of time working on possible solutions. For multi-gigabit
networks the problem is building a cost effective solution. You can
absolutely build a product (or a feature in a product) that can do
this. You require a heck of a lot of memory, a heck of a lot of
fiber-channel disk and some good caching and search algorithms. I
remember going out and getting the latest packet sniffer some time ago.
It was the latest 10 Gigabit Ethernet Sniffer that captured less then
1500 megabytes of data. Oh and it cost $150,000 (US dollars). Now the
device had storage of a lot more then that but it had something like a
gigabit of memory as a buffer and could not stream the data fast enough
to disk. The result was that portions of the traffic were missing in
the capture - which was REALLY frustrating. I don't think packet
sniffer technology has improved much - at least not past the gigabit
realm in some time.
The "spin off" of Sniffer (Network General) may move this in the right
direction for those looking for packet sniffers that can capture at
high speeds. If anybody does make a product that can handle capturing
an hour's worth of 10 gigabit ethernet traffic let me know I have a
purchase order ready to fax to you.
As for the feature name "psychic packet capture" - I dig it :)
Dennis Cox
Director of Engineering, TippingPoint Technologies
w 512.681.8328
On Jan 5, 2005, at 9:24 AM, Thomas Ptacek wrote:
Regarding "psychic packet capture" (an aptly named feature):
--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------
