[unisog] Remote sniffers- what do you use?

Ryan Dorman Ryan.Dorman at millersville.edu
Thu Mar 9 16:42:22 GMT 2006


Network Instruments Observer is in use here and has a very good remote probe
setup.  Certainly not free, however.
-- 
Ryan Dorman, CCNP
Network Engineering Specialist
Millersville University
717.871.5883



On 3/9/06 11:30 AM, "Peter Van Epp" <vanepp at sfu.ca> wrote:

> <snip>
>> 
>> You can easily load just about every open-source network analysis tool
>> (snort, argus, tcpdump, ethereal, ntop, etc) onto a 1-U FreeBSD box
>> (FreeBSD beating Linux in most any networking benchmark -- Linux+pfRing
>> included).
> 
> At the risk of starting a religious war, I don't think this is correct
> :-). Four or five years ago I made this argument to our HPC folks when they
> were building a 192 node Beowulf cluster so we ran benchmarks (iperf, netperf
> etc.) on my argus test boxes and found while FreeBSD did better on CPU usage
> either OS could fill the pipe and as a result they decided to go Linux to be
> like most of the rest of the Beowulf world.
> I can testify from personal experience that a year or so ago the
> same box running argus on a gig link doing 995 megs lost around %50 of the
> packets on FreeBSD when Linux with pfRing (and a meg or so of buffer space in
> the kernel which makes the comparison somewhat unfair :-)) was able to keep up
> with traffic. 
> There is also some interesting new tcp code from Van Jacobson (not yet
> releasable last I heard) for Linux that he says cuts %80 of the CPU usage
> (although it is probably applicable to FreeBSD too if someone ports it).
> 
> Peter Van Epp / Operations and Technical Support
> Simon Fraser University, Burnaby, B.C. Canada
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog


