Solved

Suitability of long term (ie: 24 hours) packet capturing on a production server

Posted on 2004-10-13
5
228 Views
Last Modified: 2010-04-10
Hi All,
Is it practical to leave Ethereal installed on a server capturing for an extended period (24Hrs+, I have around 200GB Available)?
What kind of performance hit would be expected for a dual xeon machine with SCSI drives and a gigabit network card?

Thanks in advance
0
Comment
Question by:jasef
5 Comments
 
LVL 70

Accepted Solution

by:
Chris Dent earned 150 total points
Comment Utility
I've run Ethereal on a Honeypot machine for 5 days continuously in order to catch an instance of Nachi running on a rather large network.

I would recommend you apply Filters at point of capture, rather than on the captured data. This will reduce the total capture log size and reduce time to sort / search / further filter results.

I can't comment on the performance hit really, we didn't notice any significant problems with the machine following the capture, but then it was *only* running packet sniffing (and getting itself infected by Nachi).
0
 
LVL 3

Author Comment

by:jasef
Comment Utility
Thanks Chris, your input is much appreciated. The filtering is the purpose of my IP Ports question submitted not long after this one :)

Has anyone tried this on a server performing login authentication and/or file sharing?
I suspect if capturing is only say 10% of the traffic, it won't have a huge impact but it'd be nice to hear from someone who's tried it.
0
 
LVL 3

Assisted Solution

by:_Jochen_
_Jochen_ earned 100 total points
Comment Utility
hi,
i think 10% is a good value. I´ve always used etheral on our Servers and we never have had problem which caused on etheral. Normally it´s no problem to do this.
jo
0
 
LVL 15

Assisted Solution

by:Frabble
Frabble earned 250 total points
Comment Utility
It should be OK, but after reading your other posts I would suggest you capture on another machine. On the Cisco switches you can set up a monitoring session, miroring both transmit and receive traffic of mulitple ports to another, which has the data capture machine.

Set up Ethereal to limit the captured packet size, enter a file name and use multiple files. You can then have new files created based on size or time. For example limit to 30 minutes and enable a ring buffer based on the amount of disk space you have. Setting it to 12 would give you captures for the last 6 hours. If the files are too big then configure based on file size.
You can leave this running until the problem occurs, stop and then look at the relevant capture file. Ethereal will then let you filter, display specific conversations, graph network usage etc. to help you isolate the problem.
0
 
LVL 3

Author Comment

by:jasef
Comment Utility
Thanks everyone.  I really appreciate your assistance with these queries.  Special thanks to Frabble... an excellent suggestion I hadn't though of!
0

Featured Post

What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

Join & Write a Comment

Let’s list some of the technologies that enable smooth teleworking. 
If your business is like most, chances are you still need to maintain a fax infrastructure for your staff. It’s hard to believe that a communication technology that was thriving in the mid-80s could still be an essential part of your team’s modern I…
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now