A CoralReef monitor is just a PC with one or more network cards
that can listen to a network connection.
The CoralReef software can run on Linux, FreeBSD, Solaris, or any other
POSIX or Unix-like operating system.
The exact hardware specifications will depend on
the bandwidth of traffic you plan to monitor,
how you plan to process the traffic,
and other details of your situation,
but some factors to consider are:
- compatibility with your chosen monitoring interface (see below)
- bus bandwidth capable of delivering the volume of data you plan
to capture to the CPU
- a separate network interface for remote management and getting
data off the monitor
- CPUs fast enough to process and/or write the data to disk
- a hard drive fast enough and with enough space to write the resulting data
For reference, CAIDA routinely performs packet header capture of 10
GigE traffic at a major internet exchange with a pair of DAG 6.2SE
cards in a host with two dual-core 3.0 GHz Intel Xeon CPUs, 8 GB of
memory, in a 2U chassis.
The monitoring interface is specific to the link you would
like to monitor. The cards supported by CoralReef are:
- CoralReef can read (via libpcap) any card for which the OS
presents a normal network interface.
- DAG 3.5 and higher, by Endace - ATM, POS, and Ethernet, on FreeBSD and Linux
- "Legacy" DAG cards by the WAND group at the University of Waikato -
ATM and POS, on Linux
- ForeRunner 200E, by Marconi (formerly Fore) - multi-mode OC3 ATM on FreeBSD.
These cards are no longer produced.
- POINT, by Applied Telecom - single-mode OC3 and OC12 ATM on FreeBSD.
Apptel was acquired by Conexant and renamed Mindspeed, and has
discontinued production of the POINT products.
Monitoring real traffic on point-to-point links requires diverting a
copy of the traffic to the monitor interface. Several options exist:
- port mirroring
Many switches and routers have the option to copy network packets
seen on one or more ports to another port,
to which the monitoring device can be attached.
Some implementations support filtering, which may decrease
the load on your monitoring hardware
if you want to monitor only a fraction of the traffic.
Mirroring multiple ports onto one output port may be possible,
if the combined output bandwidth is not too high.
Mirror ports can usually be configured with zero network disruption,
but do place additional load on the switch.
Also known as SPAN (Switched Port Analyzer),
RAP (Roving Analysis Port),
or VACL (VLAN Access Control Lists).
- active network tap
An active network tap is a special device inserted in the path and
operating at the data link layer that forwards traffic through it
but also copies data to a third port to which a monitoring device
can be attached. Some taps support filtering, which may decrease
the load on your monitoring hardware
if you want to monitor only a fraction of the traffic.
Installation of a network tap requires disrupting the network,
but once installed, a tap does not place any additional load on
the network.
If you wish to monitor both directions of a link, you may need
two monitoring interfaces if the tap cannot combine them into
one output or if the bandwidth of the combined output would be
too high.
- passive optical splitter
An optical splitter is a device inserted in the fiber optic path
that allows some of the light to pass through normally
but also diverts some fraction of the light out a third port to
which a monitoring device can be attached.
Optical splitters operate by simple physical means and do not
require power.
Installation of a splitter requires disrupting the network,
but once installed, a splitter does not place any additional load on
the network.
Because optical fibers each carry only one direction of traffic,
you will need two splitters and two monitoring interfaces if
you wish to monitor both directions of a link.
A CoralReef monitor is just a PC compatible machine. Because we
purchase equipment from many vendors, we cannot recommend any one in
particular.