hal@slovax.WA.COM (hal) (10/14/89)
I've got a problem I haven't seen discussed, and it's beyond my experience. Maybe someone out there has some ideas?

My task is to "collect" for processing/analysis almost all traffic on a LAN. The target LAN is ThinLan, HP9000/330s running hp-ux (SYSV Unix). There will be nearly 2 dozen target machines. I do not have the ability (so says the statement of work) to touch those machines, e.g. no added daemons to duplicate transmissions for later collection by tape, etc. I also cannot put my collection machine into the LAN in any way that will affect LAN traffic, i.e. I cannot ACK, no bandwidth "wasted" to me. I'll have to deal with such issues as duplication, acks, naks, collisions, etc. This has to run for periods of about a week at a time, 24-hour days. I realize that this could take up more disk space than I have, let alone can spare, but, ...

I'm interested in ideas, product suggestions, etc., so don't be afraid to get "commercial". My thoughts are to:

1- put a "box" on the LAN, in "promiscuous" mode, that will grab every frame (perhaps with a little filtering, depending on where the requirements eventually lead), and put it out on a second LAN (gateway to me) to a collection machine that can do whatever.

2- put that "box" on the LAN, and have it relay to me via high-speed serial link (I have one that will do 128Kbps fairly reliably -- this is the Army, so they have money to throw at that sort of item, although typically not when I need it thrown!). This, of course, will run out of buffer space eventually, no matter how big the "box"'s buffers.

3- put a "new" collection computer on the LAN that handles the "promiscuous" mode, plus does the collection-oriented stuff, such as separating packets by connection so I don't get them too jumbled. I haven't the foggiest idea where to find such a beast.

4- find a LAN analyzer that may be able to handle some of this, with, say, a large buffer (disk?) that can somehow, without losing further traffic, dump itself to another machine.

5- punt.

Anyone?

Hal Miller
R&D Associates, Inc.
Fort Lewis, Washington
(206) 967-8018
hal@slovax.wa.com