Suitability of long-term (i.e. 24 hours) packet capturing on a production server

Hi All,
Is it practical to leave Ethereal installed on a server capturing for an extended period (24 hrs+; I have around 200 GB available)?
What kind of performance hit would be expected for a dual Xeon machine with SCSI drives and a gigabit network card?

Thanks in advance
jasef asked:
 
Chris Dent (PowerShell Developer) commented:
I've run Ethereal on a Honeypot machine for 5 days continuously in order to catch an instance of Nachi running on a rather large network.

I would recommend you apply Filters at point of capture, rather than on the captured data. This will reduce the total capture log size and reduce time to sort / search / further filter results.

I can't comment on the performance hit really, we didn't notice any significant problems with the machine following the capture, but then it was *only* running packet sniffing (and getting itself infected by Nachi).
0
 
jasef (Author) commented:
Thanks Chris, your input is much appreciated. The filtering is the purpose of my IP Ports question submitted not long after this one :)

Has anyone tried this on a server performing login authentication and/or file sharing?
I suspect if capturing is only say 10% of the traffic, it won't have a huge impact but it'd be nice to hear from someone who's tried it.
0
 
_Jochen_ commented:
hi,
I think 10% is a good value. I've always used Ethereal on our servers and we have never had a problem caused by Ethereal. Normally it's no problem to do this.
jo
0
 
Frabble commented:
It should be OK, but after reading your other posts I would suggest you capture on another machine. On the Cisco switches you can set up a monitoring session, mirroring both transmit and receive traffic of multiple ports to another port, which has the data capture machine.

Set up Ethereal to limit the captured packet size, enter a file name and use multiple files. You can then have new files created based on size or time. For example limit to 30 minutes and enable a ring buffer based on the amount of disk space you have. Setting it to 12 would give you captures for the last 6 hours. If the files are too big then configure based on file size.
You can leave this running until the problem occurs, stop and then look at the relevant capture file. Ethereal will then let you filter, display specific conversations, graph network usage etc. to help you isolate the problem.
0
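The ring-buffer setup Frabble describes (time-based file rotation, a fixed number of files sized to the available disk) combined with Chris's advice to filter at the point of capture, as an added example that is not part of any answer above. It uses dumpcap, the capture engine that ships with Wireshark (the renamed Ethereal); the interface name, output path, port filter and size numbers are assumptions. The functions only build and print the command line and check the disk budget; nothing is captured when the script runs.

```shell
#!/bin/sh
# Added example (not from the thread): assemble a dumpcap ring-buffer capture
# command and sanity-check its worst-case disk use before starting it.

# build_capture_cmd IFACE OUTFILE MINUTES NFILES MAX_KB [CAPTURE_FILTER]
#   -s 96           limit captured packet size (headers only, as Frabble suggests)
#   -b duration:N   start a new file every N seconds
#   -b files:N      keep only the last N files (ring buffer)
#   -b filesize:N   also cap each file at N kB, in case one interval is busier
#   -f FILTER       capture filter applied at capture time, not afterwards
build_capture_cmd() {
    iface=$1; outfile=$2; minutes=$3; nfiles=$4; max_kb=$5; filter=$6
    secs=$((minutes * 60))
    cmd="dumpcap -i $iface -s 96 -w $outfile"
    cmd="$cmd -b duration:$secs -b files:$nfiles -b filesize:$max_kb"
    if [ -n "$filter" ]; then
        cmd="$cmd -f '$filter'"
    fi
    printf '%s\n' "$cmd"
}

# ring_hours MINUTES NFILES: how far back the ring reaches once it has wrapped.
ring_hours() {
    echo $(( $1 * $2 / 60 ))
}

# ring_disk_mb NFILES MAX_KB: worst case, every file in the ring at its size cap.
ring_disk_mb() {
    echo $(( $1 * $2 / 1024 ))
}

# ring_fits BUDGET_MB NFILES MAX_KB: "ok" if the ring cannot exceed the budget.
ring_fits() {
    if [ "$(ring_disk_mb "$2" "$3")" -le "$1" ]; then
        echo ok
    else
        echo too-big
    fi
}

# Constructed scenario matching the thread: 30-minute files, ring of 12 (6 hours),
# each file capped at 2,000,000 kB, 200 GB (about 200,000 MB) free. Assumed
# interface eth0; filter keeps SMB (445) and Kerberos (88) for a file-sharing /
# login server.
build_capture_cmd eth0 /capture/srv.pcap 30 12 2000000 "port 445 or port 88"
echo "ring covers $(ring_hours 30 12) hours, worst case $(ring_disk_mb 12 2000000) MB: $(ring_fits 200000 12 2000000)"
```

Review the printed command before running it on the mirror-port machine; with a duration-only rotation a single busy interval can produce a far larger file than expected, which is why the example adds the filesize cap alongside the duration so the worst-case disk use stays predictable.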
 
jasef (Author) commented:
Thanks everyone. I really appreciate your assistance with these queries. Special thanks to Frabble... an excellent suggestion I hadn't thought of!
0
Question has a verified solution.