best pc for a network analyzer

bwanaaa

Senior member
Dec 26, 2002
739
1
81
Of course the Raspberry Pi would be great, if I could ever get one. But since it's still in short supply, I am wondering what else would be good. I already have a network tap. I need something that runs Wireshark. The configuration would be:

internet -> network tap -> lan switch --> lan clients and wireless access points
                 |tx    |rx              |cat5
                 |      |                |
                 V      V                V
                 network analyzer


Then I can VNC into the network analyzer from my iPad as I walk around to all the network clients to evaluate them.
So the network analyzer needs three NICs. I guess there is no mini-ITX with such a built-in config, so I would need USB-Ethernet adapters (probably 2) and use the native NIC on the mini-ITX mobo as well.

Does anyone have any hardware suggestions? Or perhaps a better strategy? Somewhere I read about just installing WinPcap on the network analyzer as a service. Then Wireshark can run on the remote device. Trouble is, I don't have Wireshark for the iPad.
 

robmurphy

Senior member
Feb 16, 2007
376
0
0
This will depend on your budget.

If you want to run Wireshark on the device that is capturing you will need more than an ARM-based system. At least a P4. Memory is also a limiting factor. 512 MB will run out very quickly.

I have set up capture on almost all of the networks I have worked on in the last few years. Use dumpcap (dumpcap comes with Wireshark), not Wireshark, for the capture. Capture to a disk or flash memory that is available over the net, either using Samba, Windows file sharing, or plain old FTP. You can then open the files in Wireshark on a normal desktop/laptop PC.

I would suggest you set the capture to use a ring buffer. You can use this to tell dumpcap how many files to keep and what file size to use. Keep the file size around 5MB to 20MB. Do not use massive files, e.g. 200MB, as if they load in Wireshark they will need loads of memory, and will take an age if you want to apply a filter.

If this is a system that will run in the background you will need to set it to clean up any existing files when it starts up (usually at reboot). You can save the files to a folder, and if that folder exists, delete its contents before saving the new files. If you do not do this, eventually the storage used for capture gets filled up with old capture files.

For Ethernet interfaces you need 1 more than the interfaces you are going to capture from. If using Linux I would suggest avoiding Realtek Gigabit Ethernet for the capture, as I have had problems with them, and they would not come up reliably when the capture machine was rebooted. I would strongly recommend Intel NICs as I have had no trouble with them under Linux. If you are using a Windows PC then the Realtek may be OK. I have used D-Link PCI Gigabit Ethernet NICs on a machine running XP without problems. I have not used PCI-E Realtek NICs for capture on Windows.

If you look on eBay you can often get Intel PCI-E Gigabit NICs quite cheap. Some of the HP-branded NICs are Intel. Dual and quad port cards usually mean a PCI-E x4 interface is needed. I have used the PCI-E x16 intended for the graphics on an HP machine without problems.

Rob.
 

bwanaaa

Senior member
Dec 26, 2002
739
1
81
Rob

Thank you for sharing your experience so clearly. This is the kind of info I was hoping for. I don't think the iPad will be able to read the tcpdump capture taken by the network analyzer (since I don't know of anything like Ethereal that runs on the iPad), so I may just SSH into the network analyzer or VNC into it. Regarding the ring buffer, I never would have guessed that size would be a problem. I think I'll just capture to a massive file and then segment it. Sometimes problems don't crop up until the traffic hits the fan, and that can be at odd hours. For example, in Event Viewer I typically look at logs for a 24 hr period for that reason.

Could you elaborate on this statement you made:

"Use dumpcap (dumpcap comes with wireshark), not wireshark, for the capture. "

Stefan
 

ScottMac

Moderator, Networking, Elite member
Mar 19, 2001
5,471
2
0
You can get around needing two interfaces for monitoring (one for TX, one for RX) by using an aggregating tap. I have some NetOptics dual port aggregating taps; they do one gig pass-through and have two ports of output (for two separate monitors / analyzers).

The NetOptics are ~$2500 each. We recently got some new taps (I can't remember the name off the top of my head, but I'll edit the post tomorrow when I'm back in the Lab) that are ~$1200 each ... single port aggregating 1 gig taps.

If you can get by with 10/100, Cisco makes a cheap switch, SLM-2008, with a web front end that does port mirroring (not as good as a tap, but only costs ~$100 from CDW).

For a PC, check out a "Fit PC". We have a bunch of the middle version (Fit-PC 2i) working as monitors and probes, some running a Wireshark-like protocol analyzer (one is running Wireshark with no issues on a moderately loaded GigE line).

Fit-PC is an Atom-based (up to 2GHz) sub-micro, industrial grade PC, orderable with one or two GigE interfaces, four to six USB ports, with or without RS232, with 802.11b/g wireless, up to 2G of RAM, with or without a hard drive (takes a standard notebook 2.5" drive, spinning or SSD).

The cool part is that it's ~4" x 3.5" by 1" (about like two packs of cigarettes side by side) and runs on a single source 12VDC external supply (i.e., easy to adapt to battery power). Video output is via an HDMI style connector (can feed an HDMI screen) or used with an HDMI to VGA dongle or HDMI to DVI dongle. VGA is NOT recommended, it's 640x480 and FOUR BIT COLOR ... HDMI is beautiful, DVI seems to work pretty well too.

www.fit-pc.com - http://www.fit-pc.com/web/

They also have a dual-core AMD version with faster processors and more RAM available (the Fit-PC III).

They run Microsoft XP through Win7 (note, the graphics processor is integrated Intel GA500 ... not a gaming box). It also has Windows or Linux available as a pre-load, or drivers are available for Windows or Linux of all stripes.

I use a dozen of these in the Lab; they're wonderful (with the right accessories, they work as a car system too). Most of mine are running SSD, but a couple run 200G drives (because I had 'em around unused).
 

robmurphy

Senior member
Feb 16, 2007
376
0
0
When you download Wireshark you will get dumpcap as well. This is true for Linux and Windows.

I would stick to the ring buffer. You will not miss any traffic because you are using a ring buffer. For one of my captures I use 500 5MB files. That's a lot of capture. Dumpcap will put the date and time the file was started in the file name. Spending time splitting up a capture file will make an investigation much slower.

You can use tshark and dumpcap to apply a filter to the capture files. In this way you can use a shell script or batch file to filter all the capture for packets to, from, or either for a particular IP. Filtering like this can be done without a very powerful machine.

What uses up the memory and CPU in Wireshark is keeping track of all the TCP and UDP sessions. It's the same with large capture files. Each time you apply a filter Wireshark uses more memory, and it does not release this memory back to the OS even when you clear the filter.

For the capture you only need one interface for both TX and RX. In my case the capture I have taken is from a Cisco Catalyst with a monitor session. The monitor session can be set to monitor multiple VLANs and interfaces. You will need an Ethernet interface for each switch/router you are capturing from. My experience of IOS is limited, but there are several regular posters on this forum who know IOS very well, so if you need help with that, ask.

Rob.
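The capture setup Rob describes in his two posts (ring buffer with dumpcap, clearing the capture folder at startup, then filtering every file for one IP with tshark) as a small script. This is an added example, not code from the thread; it assumes dumpcap and tshark are in PATH, and the interface name, capture folder and IP address are placeholders.

```shell
#!/bin/sh
# Added example: dumpcap ring-buffer capture with folder cleanup and a
# tshark pass that filters all capture files for one IP (placeholders used).

# Empty the capture folder before each run so old ring-buffer files cannot
# fill the disk. Creates the folder if missing; prints the number removed.
clean_capture_dir() {
    dir="$1"
    mkdir -p "$dir"
    n=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        rm -f "$f"
        n=$((n + 1))
    done
    echo "$n"
}

# Worst-case disk use of a ring buffer of COUNT files of SIZE_KB each, in MB.
ring_buffer_disk_mb() {
    echo $(( $1 * $2 / 1024 ))
}

# Capture on IFACE into DIR with a ring buffer. dumpcap names each file
# cap_<seq>_<YYYYmmddHHMMSS>.pcapng, so the start time is in the file name.
start_capture() {
    iface="$1"; dir="$2"; count="$3"; size_kb="$4"
    dumpcap -i "$iface" -b "filesize:$size_kb" -b "files:$count" -w "$dir/cap.pcapng"
}

# Pull packets to or from one IP out of every capture file into OUTDIR;
# ip.addr matches either direction, so one filter covers both.
filter_all_for_ip() {
    dir="$1"; ip="$2"; outdir="$3"
    mkdir -p "$outdir"
    for f in "$dir"/cap_*.pcapng; do
        [ -f "$f" ] || continue
        tshark -r "$f" -Y "ip.addr == $ip" -w "$outdir/$(basename "$f")"
    done
}

# Only touch real interfaces when asked, e.g. CAPTURE_IFACE=eth1 sh capture.sh
# (500 x 5 MB files, as above) or FILTER_IP=192.0.2.10 sh capture.sh
CAPDIR="${CAPTURE_DIR:-/var/captures}"
if [ -n "${CAPTURE_IFACE:-}" ]; then
    echo "removed $(clean_capture_dir "$CAPDIR") old file(s); ring buffer needs up to $(ring_buffer_disk_mb 500 5120) MB"
    start_capture "$CAPTURE_IFACE" "$CAPDIR" 500 5120
elif [ -n "${FILTER_IP:-}" ]; then
    filter_all_for_ip "$CAPDIR" "$FILTER_IP" "$CAPDIR/filtered_$FILTER_IP"
fi
```

dumpcap needs capture privileges on the interface (root, or on Linux the capabilities granted to the dumpcap binary at install time), while the tshark filtering pass runs as an ordinary user over the saved files.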
 

bwanaaa

Senior member
Dec 26, 2002
739
1
81
Thanks, fellas, for the feedback.

I decided on an HP ProCurve (<$250) as network tap. It allows aggregation of ports and can have multiple mappings. Quite a lot can be done with 24 Ethernet jacks!

As for a PC, the Fit is cute, but I wonder about the Atom's ability to prevent my frustration as files get big. I looked at Intel's DQ77 mobo: 2 Intel NICs! One can be assigned to the Wireshark capture and the other is for the net interface. With a quad core i7 (3450s) I am looking at a real low power unit. Low power RAM (Crucial 1.35V) and an mSATA on board. Not too much more than a Fit Atom.

I'll let you know how it goes.
 

soholingo

Member
Jul 10, 2000
72
0
61
robmurphy,

Really good stuff, man! I am going to try some of what you said when I get a moment. It's brilliant and I love it!

jay
 