Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Suitability of long term (ie: 24 hours) packet capturing on a production server

Posted on 2004-10-13
5
Medium Priority
?
234 Views
Last Modified: 2010-04-10
Hi All,
Is it practical to leave Ethereal installed on a server capturing for an extended period (24Hrs+, I have around 200GB Available)?
What kind of performance hit would be expected for a dual xeon machine with SCSI drives and a gigabit network card?

Thanks in advance
0
Comment
Question by:jasef
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
5 Comments
 
LVL 71

Accepted Solution

by:
Chris Dent earned 600 total points
ID: 12296668
I've run Ethereal on a Honeypot machine for 5 days continuously in order to catch an instance of Nachi running on a rather large network.

I would recommend you apply Filters at point of capture, rather than on the captured data. This will reduce the total capture log size and reduce time to sort / search / further filter results.

I can't comment on the performance hit really, we didn't notice any significant problems with the machine following the capture, but then it was *only* running packet sniffing (and getting itself infected by Nachi).
0
 
LVL 3

Author Comment

by:jasef
ID: 12296769
Thanks Chris, your input is much appreciated. The filtering is the purpose of my IP Ports question submitted not long after this one :)

Has anyone tried this on a server performing login authentication and/or file sharing?
I suspect if capturing is only say 10% of the traffic, it won't have a huge impact but it'd be nice to hear from someone who's tried it.
0
 
LVL 3

Assisted Solution

by:_Jochen_
_Jochen_ earned 400 total points
ID: 12296835
hi,
i think 10% is a good value. I´ve always used etheral on our Servers and we never have had problem which caused on etheral. Normally it´s no problem to do this.
jo
0
 
LVL 15

Assisted Solution

by:Frabble
Frabble earned 1000 total points
ID: 12303902
It should be OK, but after reading your other posts I would suggest you capture on another machine. On the Cisco switches you can set up a monitoring session, miroring both transmit and receive traffic of mulitple ports to another, which has the data capture machine.

Set up Ethereal to limit the captured packet size, enter a file name and use multiple files. You can then have new files created based on size or time. For example limit to 30 minutes and enable a ring buffer based on the amount of disk space you have. Setting it to 12 would give you captures for the last 6 hours. If the files are too big then configure based on file size.
You can leave this running until the problem occurs, stop and then look at the relevant capture file. Ethereal will then let you filter, display specific conversations, graph network usage etc. to help you isolate the problem.
0
 
LVL 3

Author Comment

by:jasef
ID: 12306386
Thanks everyone.  I really appreciate your assistance with these queries.  Special thanks to Frabble... an excellent suggestion I hadn't though of!
0

Featured Post

Learn Veeam advantages over legacy backup

Every day, more and more legacy backup customers switch to Veeam. Technologies designed for the client-server era cannot restore any IT service running in the hybrid cloud within seconds. Learn top Veeam advantages over legacy backup and get Veeam for the price of your renewal

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article is in regards to the Cisco QSFP-4SFP10G-CU1M cables, which are designed to uplink/downlink 40GB ports to 10GB SFP ports. I recently experienced this and found very little configuration documentation on how these are supposed to be confi…
This month, Experts Exchange’s free Course of the Month is focused on CompTIA IT Fundamentals.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question