[Coral-dev] Re: help data collection

yordanos@cs.ucr.edu yordanos at cs.ucr.edu
Fri Jan 26 18:19:22 PST 2007


Hi all,

I have recently started using coralReef and want to get some advice on
hardware requirement of our traffic collection project.

So far we have been using coralreef with 1GB standard Ethernet interface
to capture inbound traffic from PC's connected to a switch. We used port
mirroring to copy all the traffic to one port.

In the future we want to capture outbound traffic from our department that
reaches up to 10 GB. All the traffic is aggregated at a Cisco catalyst
6509. It has four 10 GB ethernet modules and one of the ports is free so
we can use it to copy traffic from other ports for our purpose. I want to
know if there is any hardware that would enable us to capture this amount
of traffic.

Besides, I want to share my observation when I used crl_to_pcap with the -l4
option. I was expecting all the payload to be removed, but I do see unknown
protocols with some data. I didn't use the -k option. When I added a filter to
capture tcp/udp/icmp packets only, the unknown pkts were removed, so I have a
clean trace without payload.

I appreciate your help in advance.

Best,
Yordanos G.
PhD student @ Computer Sci Dept,
Univ of California, Riverside

> Hi Yordanos,
>
> The crl_to_pcap manpage (online version at:
> http://www.caida.org/tools/measurement/coralreef/doc/doc/applications.html#crl_to_pcap )
> describes the -l and -k options, which could be used for
> what you want.
>
> crl_to_pcap -l4  will strip anything above protocol layer 4, so will
> keep TCP/UDP/ICMP-headers, but remove payload in these packets.
>
> I hope that answers your question.
>
> best regards,
> Emile Aben
> Data Administrator
> CAIDA/SDSC/UCSD
>
> On Wed, Jan 24, 2007 at 11:16:56AM -0800, Hyunchul Kim wrote:
>>
>>    emile,
>>    you know the answer to the question below?
>>    she works with Dhiman at ucr.
>>    thanks a lot.
>>     - hyunchul
>>    ---------- Forwarded message ----------
>>    From: [1]yordanos at cs.ucr.edu <[2]yordanos at cs.ucr.edu>
>>    Date: 2007. 1. 24 AM 7:16
>>    Subject: help data collection
>>    To: [3]hkim at caida.org
>>    Hi Hyunchul,
>>    Please assist me:
>>    I am trying to capture network traffic without payload using
>>    crl_to_pcap.
>>    I used snaplen of 68 and 48 (-Cm=first=48) but in both cases I am
>>    capturing few bytes of payload for UDP protocol.
>>    I was able to observe this in my trace using crl_print_pkt.
>>    If I only capture the first 42 bytes, I managed to strip all udp payload,
>>    but I am truncating necessary protocol information in the case of tcp.
>>    So please let me know if there is a possibility to strip any payload
>>    without losing necessary protocol information. Due to privacy issues, we
>>    are not allowed to capture any payload in our traffic.
>>    I appreciate your immediate help.
>>    Best,
>>    Yordanos G.
>>    --
>>    "We are What We Do" - Aristotle
>>
>> References
>>
>>    1. mailto:yordanos at cs.ucr.edu
>>    2. mailto:yordanos at cs.ucr.edu
>>    3. mailto:hkim at caida.org
>
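Both questions in this thread (a fixed snaplen of 48 or 68 still capturing UDP payload, and -l4 leaving data on protocols it does not parse) come down to one thing: where the layer-4 header ends in each packet. The following is an added illustration, not code from the thread or from CoralReef. It models a header-aware strip over constructed Ethernet/IPv4 frames; the `keep_unknown` flag is an assumed stand-in for a keep-unparsed-protocols option, not a claim about what -k does.

```python
import struct

ETH_HLEN = 14
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17


def l4_header_end(frame):
    """Offset where the layer-4 header ends in an Ethernet/IPv4 frame, plus
    the IP protocol number. The offset is None for transports other than
    TCP/UDP/ICMP: nothing then says where header stops and payload starts."""
    if len(frame) < ETH_HLEN + 20 or frame[12:14] != b"\x08\x00":
        return None, None  # not IPv4, or too short to parse
    ihl = (frame[ETH_HLEN] & 0x0F) * 4
    proto = frame[ETH_HLEN + 9]
    l4 = ETH_HLEN + ihl
    if proto == IPPROTO_TCP and len(frame) >= l4 + 13:
        return l4 + (frame[l4 + 12] >> 4) * 4, proto  # data offset, incl. options
    if proto in (IPPROTO_UDP, IPPROTO_ICMP):
        return l4 + 8, proto  # 8-byte header for both
    return None, proto


def strip_payload(frame, keep_unknown=False):
    """Header-aware strip: truncate at the L4 header end; a frame whose
    boundary is unknown is dropped, or kept whole when keep_unknown is set."""
    end, _ = l4_header_end(frame)
    if end is None:
        return frame if keep_unknown else None
    return frame[:end]


def payload_leaked_at_snaplen(frame, snaplen):
    """Payload bytes a fixed snaplen still captures; negative means the
    snaplen cut into the headers themselves."""
    end, _ = l4_header_end(frame)
    return min(len(frame), snaplen) - end


def build_frame(proto, l4_header, payload=b""):
    """Constructed sample frame: zeroed Ethernet + minimal IPv4 + L4 header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4_header) + len(payload),
                     0, 0, 64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4_header + payload


# Constructed samples: a DNS-like UDP datagram, a TCP segment with a 20-byte
# header (data offset 5), and a GRE packet whose L4 layout the stripper does not know.
UDP_FRAME = build_frame(IPPROTO_UDP, b"\xc0\x00\x00\x35\x00\x16\x00\x00", b"secret-payload")
TCP_FRAME = build_frame(IPPROTO_TCP, b"\xc0\x00\x00\x50" + b"\x00" * 8 + b"\x50\x18" + b"\x00" * 6,
                        b"GET / HTTP/1.0")
GRE_FRAME = build_frame(47, b"\x00\x00\x08\x00", b"inner-packet")
```

With these frames a snaplen of 48 leaves 6 bytes of UDP payload (14 + 20 + 8 = 42 header bytes), while 42 cuts 12 bytes out of even an option-less TCP header, which is why a per-packet boundary rather than a fixed length is needed.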