2. Hardware Questions
2.1 What are the CoralReef machine specs?
A CoralReef monitor is just a PC with one or more network cards that can listen to a network connection. The CoralReef software can run on Linux, FreeBSD, Solaris, or any other POSIX or Unix-like operating system. The exact hardware specifications will depend on the bandwidth of traffic you plan to monitor, how you plan to process the traffic, and other details of your situation, but some factors to consider are:
- compatibility with your chosen monitoring interface (see below)
- bus bandwidth capable of delivering the volume of data you plan to capture to the CPU
- a separate network interface for remote management and getting data off the monitor
- CPUs fast enough to process and/or write the data to disk
- a hard drive fast enough and with enough space to write the resulting data
For reference, CAIDA routinely performs packet header capture of 10 GigE traffic at a major internet exchange with a pair of DAG 6.2SE cards in a host with two dual-core 3.0 GHz Intel Xeon CPUs, 8 GB of memory, in a 2U chassis.
2.2 What are the specifications for the monitor card?
This is specific to the link which you would like to monitor. The cards supported by CoralReef are:
- CoralReef can read (via libpcap) any card for which the OS presents a normal network interface.
- DAG 3.5 and higher, by Endace - ATM, POS, and Ethernet, on FreeBSD and Linux
- "Legacy" DAG cards by the WAND group at the University of Waikato - ATM and POS, on Linux
- ForeRunner 200E, by Marconi (formerly Fore) - multi-mode OC3 ATM on FreeBSD. These cards are no longer produced.
- POINT, by Applied Telecom - single-mode OC3 and OC12 ATM on FreeBSD. Apptel was acquired by Conexant and renamed Mindspeed, and has discontinued production of the POINT products.
2.3 How do I tap a network link?
Monitoring real traffic on point-to-point links requires diverting a copy of the traffic to the monitor interface. Several options exist:
- port mirroring
Many switches and routers have the option to copy network packets seen on one or more ports to another port, to which the monitoring device can be attached. Some implementations support filtering, which may decrease the load on your monitoring hardware if you want to monitor only a fraction of the traffic. Mirroring multiple ports onto one output port may be possible, if the combined output bandwidth is not too high. Mirror ports can usually be configured with zero network disruption, but do place additional load on the switch. Also known as SPAN (Switched Port Analyzer), RAP (Roving Analysis Port), or VACL (VLAN Access Control Lists).
- active network tap
An active network tap is a special device inserted in the path and operating at the data link layer that forwards traffic through it but also copies data to a third port to which a monitoring device can be attached. Some taps support filtering, which may decrease the load on your monitoring hardware if you want to monitor only a fraction of the traffic. Installation of a network tap requires disrupting the network, but once installed, a tap does not place any additional load on the network. If you wish to monitor both directions of a link, you may need two monitoring interfaces if the tap cannot combine them into one output or if the bandwidth of the combined output would be too high.
- passive optical splitter
An optical splitter is a device inserted in the fiber optic path that allows some of the light to pass through normally but also diverts some fraction of the light out a third port to which a monitoring device can be attached. Optical splitters operate by simple physical means and do not require power. Installation of a splitter requires disrupting the network, but once installed, a splitter does not place any additional load on the network. Because optical fibers each carry only one direction of traffic, you will need two splitters and two monitoring interfaces if you wish to monitor both directions of a link.
2.4 Is there a vendor or system integrator you can recommend?
A CoralReef monitor is just a PC-compatible machine. Because we purchase equipment from many vendors, we cannot recommend any one in particular.