The CoralReef software is known to work on Linux, FreeBSD, Solaris, and MacOS, and is expected to work on other POSIX and Unix-like systems.

Network Interfaces

CoralReef can be used to read network traffic from a number of different sources.
- Standard network interfaces
  - CoralReef can read from live pcap interfaces, so it is possible to use CoralReef to monitor any network interface that can be read by tcpdump/libpcap.
- Endace DAG high-speed packet capture cards
  - CoralReef can read network traffic from DAG cards produced by Endace, as well as legacy DAG cards formerly produced by WAND. The supported DAG card interfaces currently include 10/100/1000 Ethernet, 10 GigE, SONET (OC-3c, OC-12c, OC-48c, OC-192c), and SDH (STM-1c, STM-4c, STM-16c, STM-64). CoralReef works with DAG on any platform supported by both (currently, FreeBSD and Linux). For reference, CAIDA routinely performs packet header capture of 10 GigE traffic at a major Internet exchange with a pair of DAG 6.2SE cards in a host with two dual-core 3.0 GHz Intel Xeon CPUs, 8 GB of memory, in a 2U chassis.
- Applied Telecom OC3 and OC12 POINT ATM adapters (out of production)
  - With its custom POINT driver on FreeBSD, CoralReef can read ATM traffic from OC3 and OC12 POINT ATM adapters produced by Applied Telecom. However, these adapters are no longer produced.
- Marconi ForeRunner OC3 ATM adapter (out of production)
  - With its custom FATM driver on FreeBSD, CoralReef can read ATM traffic from ForeRunner 200E OC3 ATM adapters produced by Marconi. However, these adapters are no longer produced.

Network Taps

Monitoring real traffic on point-to-point links requires diverting a copy of the traffic to the monitor interface. Several options exist:
- port mirroring
  - Many switches and routers have the option to copy network packets seen on one or more ports to another port, to which the monitoring device can be attached. Some implementations support filtering, which may decrease the load on your monitoring hardware if you want to monitor only a fraction of the traffic. Mirroring multiple ports onto one output port may be possible, if the combined output bandwidth is not too high. Mirror ports can usually be configured with zero network disruption, but do place additional load on the switch. Port mirroring is also known as SPAN (Switched Port Analyzer), RAP (Roving Analysis Port), or VACL (VLAN Access Control Lists).
- active network tap
  - An active network tap is a special device inserted in the path and operating at the data link layer that forwards traffic through it but also copies data to a third port to which a monitoring device can be attached. Some taps support filtering, which may decrease the load on your monitoring hardware if you want to monitor only a fraction of the traffic. Installation of a network tap requires disrupting the network, but once installed, a tap does not place any additional load on the network. If you wish to monitor both directions of a link, you may need two monitoring interfaces if the tap cannot combine them into one output or if the bandwidth of the combined output would be too high.
- passive optical splitter
  - An optical splitter is a device inserted in the fiber optic path that allows some of the light to pass through normally but also diverts some fraction of the light out a third port to which a monitoring device can be attached. Optical splitters operate by simple physical means and do not require power. Installation of a splitter requires disrupting the network, but once installed, a splitter does not place any additional load on the network. Because optical fibers each carry only one direction of traffic, you will need two splitters and two monitoring interfaces if you wish to monitor both directions of a link.