I want to be able to "on the fly" remotely capture data.
I want to have 24 TAPS where they are connected to a custom PC that has 8*3 NIC PCI express cards. The Motherboard NIC would be the RDP connection.
When an issue happens I can RDP and start a capture on one or more of the 24 interfaces that I choose.
asked 17 Oct '11, 16:56
I guess if the OS can handle 24 NICs I don't see why Wireshark couldn't, but maybe there are additional technical reasons I am not aware of (maybe some enumeration issue).
I don't think lots of RAM is the most important thing (while it helps of course), the most important thing is a really really fast (and large) disk storage array. Unless you have data rates that do not require those of course. As soon as you're talking Gigabit you should plan for really fast storage.
And yes, for captures to make sense you need promiscuous mode on any card you want to capture on; otherwise it will only accept frames for its own MAC (plus broadcast/multicast).
answered 17 Oct '11, 23:47
24 taps almost feels like a wrong approach to the problem; there's probably a better way to do it, maybe a 24-port switch with a mirror port?
I also think you'll have problems with interrupt handling if you plug 24 NICs into a single PC. And if you are talking about gigabit speeds you'd see huge packet loss.
If I were doing a setup like yours, I'd buy 6 fairly cheap PCs with relatively small disks. I'd install Linux on them. Then install and set up gulp http://staff.washington.edu/corey/gulp/ to capture traffic without loss and escape the limitation of the disk.
Then on a periodic basis I'd upload traces to a 7th PC (Windows maybe) with terabyte storage for investigation.
answered 26 Oct '11, 02:19