Suitability of long term (ie: 24 hours) packet capturing on a production server

Hi All,
Is it practical to leave Ethereal installed on a server capturing for an extended period (24Hrs+, I have around 200GB Available)?
What kind of performance hit would be expected for a dual xeon machine with SCSI drives and a gigabit network card?

Thanks in advance
Asked by: jasef
3 Solutions
Chris Dent (PowerShell Developer) commented:
I've run Ethereal on a Honeypot machine for 5 days continuously in order to catch an instance of Nachi running on a rather large network.

I would recommend you apply Filters at point of capture, rather than on the captured data. This will reduce the total capture log size and reduce time to sort / search / further filter results.

I can't comment on the performance hit really, we didn't notice any significant problems with the machine following the capture, but then it was *only* running packet sniffing (and getting itself infected by Nachi).
jasef (Author) commented:
Thanks Chris, your input is much appreciated. The filtering is the purpose of my IP Ports question submitted not long after this one :)

Has anyone tried this on a server performing login authentication and/or file sharing?
I suspect if capturing is only say 10% of the traffic, it won't have a huge impact but it'd be nice to hear from someone who's tried it.
_Jochen_ commented:
Hi,
I think 10% is a good value. I've always used Ethereal on our servers and we have never had a problem that was caused by Ethereal. Normally it's no problem to do this.
Jo
Frabble commented:
It should be OK, but after reading your other posts I would suggest you capture on another machine. On the Cisco switches you can set up a monitoring session, mirroring both transmit and receive traffic of multiple ports to another port, which has the data capture machine attached.

Set up Ethereal to limit the captured packet size, enter a file name and use multiple files. You can then have new files created based on size or time. For example limit to 30 minutes and enable a ring buffer based on the amount of disk space you have. Setting it to 12 would give you captures for the last 6 hours. If the files are too big then configure based on file size.
You can leave this running until the problem occurs, stop and then look at the relevant capture file. Ethereal will then let you filter, display specific conversations, graph network usage etc. to help you isolate the problem.
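The setup Frabble describes (capture on a separate box fed by a switch mirror port, limited packet size, time-based ring buffer) combined with Chris Dent's advice to filter at the point of capture, as an added example that is not part of the thread. It uses dumpcap, the capture engine of Wireshark (the renamed Ethereal); the `-i`, `-s`, `-f`, `-b duration:`, `-b files:` and `-w` options are real dumpcap flags. The interface name, the port filter, the output path and the per-file size estimate are constructed placeholders; the script only prints the command so it can be reviewed before anything is run.

```shell
#!/bin/sh
# Added example: size a time-based ring buffer and build the dumpcap command
# for a capture box hanging off a switch mirror (SPAN) port.
# Interface, filter, paths and size estimate below are constructed placeholders.

# hours_retained DURATION_SECONDS FILE_COUNT
# Hours of traffic kept before the oldest ring-buffer file is overwritten.
# 30-minute files x 12 files = 6 hours, as suggested in the thread.
hours_retained() {
    echo $(( $1 * $2 / 3600 ))
}

# files_for_budget DISK_BUDGET_MB EXPECTED_MB_PER_FILE
# Upper bound on the ring-buffer file count so a long-running capture can
# never fill the disk; keeps 10% headroom for the file being written.
files_for_budget() {
    echo $(( $1 * 9 / 10 / $2 ))
}

# build_capture_cmd IFACE SNAPLEN "BPF FILTER" DURATION_SECONDS FILE_COUNT OUTFILE
# Prints (does not execute) the dumpcap invocation:
#   -s SNAPLEN   keep only the first N bytes of each frame (headers, not payload)
#   -f FILTER    BPF capture filter applied at capture time, not afterwards
#   -b duration: start a new file every N seconds
#   -b files:    keep at most N files, overwriting the oldest (ring buffer)
build_capture_cmd() {
    printf "dumpcap -i %s -s %s -f '%s' -b duration:%s -b files:%s -w %s\n" \
        "$1" "$2" "$3" "$4" "$5" "$6"
}

# Constructed scenario: capture only SMB (445) and Kerberos (88) traffic for a
# file-sharing / authentication server, 30-minute files, last 6 hours retained,
# 96-byte snaplen so file contents mirrored through the SPAN port are not stored.
echo "Retention: $(hours_retained 1800 12) hours"
echo "Max files for 200 GB at ~1 GB/file: $(files_for_budget 200000 1000)"
build_capture_cmd eth1 96 'port 445 or port 88' 1800 12 /var/cap/mirror.pcap
```

The 96-byte snaplen is a deliberate choice for a production capture: it keeps Ethernet, IP and TCP/UDP headers plus a little application header, which is enough to trace conversations and timing, while the file-share payload that crosses the mirror port never lands on the capture disk. The switch side of this is configured separately on the Cisco switch (a monitor session with the server ports as source, both directions, and the capture box's port as destination), which the script does not touch.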
jasef (Author) commented:
Thanks everyone. I really appreciate your assistance with these queries. Special thanks to Frabble... an excellent suggestion I hadn't thought of!