[Coral-dev] Re: help data collection

Ken Keys kkeys at caida.org
Tue Jan 30 10:53:18 PST 2007


Endace (http://www.endace.com/) makes several cards capable of
monitoring 10 GB ethernet.  At CAIDA we use the DAG 6.2SE card.
CoralReef can read directly from the DAG device, or from a file
written by dagsnap (the capture app that comes with the DAG software).
If CoralReef's crl_to_pcap with the desired options does not perform
well enough on a live DAG device, you can capture with dagsnap and
then run crl_to_pcap on the file to strip extra payload.

On Fri, Jan 26, 2007 at 06:19:22PM -0800, yordanos at cs.ucr.edu wrote:
> Hi all,
> 
> I have recently started using coralReef and want to get some advice on the
> hardware requirements for our traffic collection project.
> 
> So far we have been using coralreef with a 1GB standard Ethernet interface
> to capture inbound traffic from PCs connected to a switch. We used port
> mirroring to copy all the traffic to one port.
> 
> In the future we want to capture outbound traffic from our department that
> reaches up to 10 GB. All the traffic is aggregated at a Cisco catalyst
> 6509. It has four 10 GB ethernet modules and one of the ports is free so
> we can use it to copy traffic from other ports for our purpose. I want to
> know if there is any hardware that would enable us to capture this amount
> of traffic.
> 
> Besides, I want to share my observation when I used crl_to_pcap with the -l4
> option. I was expecting all the payload to be removed, but I do see unknown
> protocols with some data. I didn't use the -k option. When I added a filter to
> capture tcp/udp/icmp packets only, the unknown pkts were removed, so I have a
> clean trace without payload.
> 
> I appreciate your help in advance.
> 
> Best,
> Yordanos G.
> PhD student @ Computer Sci Dept,
> Univ of California, Riverside
> 
> > Hi Yordanos,
> >
> > The crl_to_pcap manpage (online version at
> > http://www.caida.org/tools/measurement/coralreef/doc/doc/applications.html#crl_to_pcap)
> > describes the -l and -k options, which could be used for
> > what you want.
> >
> > crl_to_pcap -l4 will strip anything above protocol layer 4, so it will
> > keep TCP/UDP/ICMP headers but remove the payload in these packets.
> >
> > I hope that answers your question.
> >
> > best regards,
> > Emile Aben
> > Data Administrator
> > CAIDA/SDSC/UCSD
> >
> > On Wed, Jan 24, 2007 at 11:16:56AM -0800, Hyunchul Kim wrote:
> >>
> >>    emile,
> >>    do you know the answer to the question below?
> >>    she works with Dhiman at ucr.
> >>    thanks a lot.
> >>     - hyunchul
> >>    ---------- Forwarded message ----------
> >>    From: [1]yordanos at cs.ucr.edu <[2]yordanos at cs.ucr.edu>
> >>    Date: 2007. 1. 24 ???? 7:16
> >>    Subject: help data collection
> >>    To: [3]hkim at caida.org
> >>    Hi Hyunchul,
> >>    Please assist me:
> >>    I am trying to capture network traffic without payload using
> >>    crl_to_pcap.
> >>    I used snaplens of 68 and 48 (-Cm=first=48) but in both cases I am
> >>    capturing a few bytes of payload for the UDP protocol.
> >>    I was able to observe this in my trace using crl_print_pkt.
> >>    If I only capture the first 42 bytes, I managed to strip all UDP
> >>    payload, but I am truncating necessary protocol information in the
> >>    case of TCP.
> >>    So please let me know if there is a possibility to strip any payload
> >>    without losing necessary protocol information. Due to privacy issues,
> >>    we are not allowed to capture any payload in our traffic.
> >>    I appreciate your immediate help.
> >>    Best,
> >>    Yordanos G.
> >>    --
> >>    "We are What We Do" - Aristotle
> >>
> >> References
> >>
> >>    1. mailto:yordanos at cs.ucr.edu
> >>    2. mailto:yordanos at cs.ucr.edu
> >>    3. mailto:hkim at caida.org
> >
> 
> 
> 
> _______________________________________________
> Coral-dev mailing list
> Coral-dev at caida.org
> https://rommie.caida.org/mailman/listinfo/coral-dev

-- 
Ken Keys
kkeys at caida.org
CoralReef:  http://www.caida.org/tools/measurement/coralreef/
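The thread contrasts two ways of keeping payload out of a trace: a fixed snaplen (68, 48 and 42 bytes were tried) versus cutting each packet at the end of its layer-4 header, which is what crl_to_pcap -l4 is described as doing above. The script below is an added example, not CoralReef code, that performs the protocol-aware cut on constructed Ethernet/IPv4 frames and reports what a fixed snaplen would have left behind. It shows why 48 bytes still passes 6 bytes of UDP payload (14 + 20 + 8 = 42 bytes of headers) while truncating a TCP header that carries options, and why a transport the stripper does not recognise has no safe cut point other than dropping the packet or cutting at the end of the IP header. How crl_to_pcap itself treats unrecognised protocols, and what -k does, is not stated on this page; the `unknown` policy parameter, the function names and the sample frames are assumptions of the example.

```python
import struct

# Added example: protocol-aware payload stripping versus a fixed snaplen.
# Constants, helpers and frames below are constructed here, not taken from CoralReef.
ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17


def header_boundaries(frame):
    """Locate the end of the IPv4 header and of the layer-4 header in an
    Ethernet/IPv4 frame. Returns (ip_end, l4_end); l4_end is None when the
    transport is not TCP/UDP/ICMP, and both are None for non-IPv4 frames."""
    if len(frame) < ETH_HDR_LEN + 20:
        return None, None
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None, None
    ihl = (frame[ETH_HDR_LEN] & 0x0F) * 4            # IPv4 header length from IHL
    if ihl < 20 or len(frame) < ETH_HDR_LEN + ihl:
        return None, None
    ip_end = ETH_HDR_LEN + ihl
    proto = frame[ETH_HDR_LEN + 9]
    if proto == IPPROTO_TCP:
        if len(frame) < ip_end + 13:
            return ip_end, None
        return ip_end, ip_end + (frame[ip_end + 12] >> 4) * 4   # TCP data offset, options included
    if proto in (IPPROTO_UDP, IPPROTO_ICMP):
        return ip_end, ip_end + 8                    # fixed 8-byte headers
    return ip_end, None                              # unknown transport: header length unknown


def strip_payload(frame, unknown="drop"):
    """Cut the frame at the end of its layer-4 header. For transports whose
    header length is unknown, either drop the frame ("drop", the effect of
    filtering on tcp/udp/icmp) or keep only up to the IP header ("ip")."""
    ip_end, l4_end = header_boundaries(frame)
    if l4_end is not None:
        return frame[:l4_end]
    if unknown == "ip" and ip_end is not None:
        return frame[:ip_end]
    return None


def snaplen_report(frame, snaplen):
    """What a fixed snaplen does to this frame: payload bytes that survive,
    and whether the layer-4 header itself is truncated. None for unknown transports."""
    _, l4_end = header_boundaries(frame)
    if l4_end is None:
        return None
    kept = min(len(frame), snaplen)
    return {"payload_kept": max(0, kept - l4_end), "l4_header_truncated": kept < l4_end}


def ipv4_frame(proto, l4_header, payload):
    """Build a constructed Ethernet/IPv4 frame (zero MACs, RFC 5737 test addresses)."""
    eth = bytes(12) + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4_header) + len(payload),
                     0, 0, 64, proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return eth + ip + l4_header + payload


# Constructed sample frames. The TCP header carries 12 bytes of options
# (data offset 8 words = 32 bytes), so Ethernet + IP + TCP = 66 bytes.
TCP_HDR = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 8 << 4, 0x02, 65535, 0, 0) + b"\x01" * 12
UDP_PAYLOAD = b"constructed DNS?"                    # 16 bytes
UDP_HDR = struct.pack("!HHHH", 40000, 53, 8 + len(UDP_PAYLOAD), 0)
ICMP_HDR = struct.pack("!BBHHH", 8, 0, 0, 1, 1)      # echo request, 8-byte header

TCP_FRAME = ipv4_frame(IPPROTO_TCP, TCP_HDR, b"GET / HTTP/1.0\r\n")
UDP_FRAME = ipv4_frame(IPPROTO_UDP, UDP_HDR, UDP_PAYLOAD)
ICMP_FRAME = ipv4_frame(IPPROTO_ICMP, ICMP_HDR, b"echo data")
GRE_FRAME = ipv4_frame(47, b"\x00\x00\x08\x00", b"tunnelled bytes")   # protocol 47, unknown to the stripper

if __name__ == "__main__":
    for name, frame in [("tcp", TCP_FRAME), ("udp", UDP_FRAME), ("icmp", ICMP_FRAME), ("gre", GRE_FRAME)]:
        stripped = strip_payload(frame)
        print(name, len(frame), "->", None if stripped is None else len(stripped),
              "snaplen 48:", snaplen_report(frame, 48), "snaplen 68:", snaplen_report(frame, 68))
```

Run as a script it prints, for each constructed frame, the original length, the length after the layer-4 cut, and the fixed-snaplen report: the UDP frame keeps 6 payload bytes at snaplen 48 and 16 at 68, while the TCP frame loses the tail of its header at 48 and keeps 2 payload bytes at 68; the GRE frame is dropped by the default policy because no header boundary is known. Header lengths are the only thing read from the packet, so the script never has to look at payload bytes to decide where to cut.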