I am going to install Wireshark and analyze traffic for a telco company. I have a scenario which I need technical advice on my hardware.
I want to capture high traffic on 100GB Network for every 10 seconds. What kind of hard disk size do I need? And how about memory. My OS will be in Ubuntu.
Nowadays, a lot of traffic is encrypted. So, a full packet capture is not very useful.
Packet slicing could be an option, if this is just for fault analysis and not for network forensics. This gives you all the metadata you need to investigate packet drop, delay etc. Of course it is not helpful, if an analysis of SSL/IPsec/other protocol handshake errors is required.
Trace Wrangler is very helpful once you end up with that big chunk of pcaps.
This is my two cents. -Two 100GB packet capture NIC cards to allow packet captures in full duplex at port speed. Two are needed to capture at port speed of each receive. The capture NIC card is engineered for capturing at port speed. Standard NIC is good for about 70% before it starts dropping packets. - Raid or similar technology of Terabytes of high-speed SSD or hard drives. You must be able to recover if 1-2 drives failed. The size will depend how much that needs to be stored. Hardware filter (before the capture buffer) and slicing will help. Ten seconds of 100G traffic is a lot of data. - Software. I am not sure which software that is best packet capture software. You can try dumpcap or tcpdump first to see if it works. Most software either save the capture files in pcap or the files can be converted to pcap format. - Post packet analysis. Wireshark is probably one of the best packet analysis software. - The last option is purchasing a packet sniffer that is designed for 100G captures at port speed.
I don't think you have a chance of doing this with commodity hardware, this line rate is is in the "serious" hardware category, an example from ntop is here. Note that 100Gbe is only available in the top spec'd device. Wireshark will be able to analyze the results, not in real-time though and working with the large capture files produced by such a line rate will be painful.
Analyzing Gigabyte files with Wireshark is painful, but a good way to learn about filters, exporting etc. I would write down your requirements. Do you need to able to save the data to disk at full port speed? Many sniffers at 10GbE and above can't save data at port speed. Backup to external storage? Cheaper than sniffer disk storage. Portable or rack-mounted? Vendor humor, it is portable because it has a handle. Something for the future, 100GbE LACP and 400GbE.
Asked: 2021-04-19 04:07:55 +0000
Seen: 1,022 times
Last updated: Apr 21 '21
Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
