This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

custom hardware

0

Hi

I want to be able to "on the fly" remotely capture data.

I want to have 24 TAPS where they are connected to a custom PC that has 8*3 NIC PCI express cards. The Motherboard NIC would be the RDP connection.

When an issue happens I can RDP and start a capture on one or more of the 24 interfaces that I choose.

  1. Will Wireshark handle 24 interfaces.
  2. Other than a powerful 64bit lots a RAM computer, anything special?
  3. Those 8*3 PCI NICS, do they have to specifically be able to run in premiscious mode?

Thanks s

asked 17 Oct '11, 16:56

goldbank's gravatar image

goldbank
1111
accept rate: 0%


2 Answers:

1

I guess if the OS can handle 24 NICs I don't see why Wireshark couldn't, but maybe there are additional technical reasons I am not aware of (maybe some enumeration issue).

I don't think lots of RAM is the most important thing (while it helps of course), the most important thing is a really really fast (and large) disk storage array. Unless you have data rates that do not require those of course. As soon as you're talking Gigabit you should plan for really fast storage.

And yes, for captures to make sense you need promiscuous mode on any card you want to capture on; otherwise it will only accept frames for it's own MAC (plus broadcast/multicast).

answered 17 Oct '11, 23:47

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

0

24 taps almost feels like a wrong approach to the problem there's probably a better way to do it maybe 24 port switch with a mirror port ?

I also think you'll have problems with interrupts handling if you plug 24 NICs into a singe PC. And if you are talking about gigabit speeds you'd see huge packet loss.

If I was doing the setup like your's I'd buy 6 fairly cheap PCS with relatively small disks. I'd Install linux on them. Then install and setup gulp http://staff.washington.edu/corey/gulp/ to capture traffic without loss and escape the limitation of the disk.

Then on periodic basis I'd upload traces to 7th PC(windows maybe) with terrabyte storage for investigation.

answered 26 Oct '11, 02:19

izopizo's gravatar image

izopizo
2024714
accept rate: 0%