Re: Heads Up.

Justin W. Newton (justin@priori.net)
Mon, 21 Jul 1997 22:07:42 -0700

At 12:52 AM 7/22/97 -0400, Jon Lewis wrote:
>On Mon, 21 Jul 1997, Robert Hiltibidal wrote:
>
>> Just curious... why would you want to do that? Chances are you won't be
>> running the sniffer 100% of the time... Why not put the code on all your
>
>Actually, the idea would be to run it all the time and delete the logs
>when they hit a certain age. There are some very specialized sniffers
>that only log the first n bytes of TCP connections to certain ports.
>These can be used 24/7 in a typical ISP without need for multi-GB raid
>arrays for storage. This way, if you are the target of some hacker
>activity, you would have pretty good log data to A) help track them down,
>B) hand to the FBI.

There are some scaling issues involved here, as well as problems when you
start running switched networks. Back in my Erol's days...

My routers certainly couldn't handle logging the several hundred M/second
passing through their interfaces, and the LANs were all switched, making
sniffing there nearly impossible. This doesn't mean that we were
weaponless against hackers, just that we limited the scope of where we were
looking for what (as well as where people could do what).

(I still want to get together some time with all you Bay Area folks out
there if anyone is interested, mail me and I'll try and coordinate).

**************************************************************
Justin W. Newton voice: +1-415-482-2840
Senior Network Architect fax: +1-415-482-2844
PRIORI NETWORKS, INC. http://www.priori.net
Legislative and Policy Director, ISP/C http://www.ispc.org
"The People You Know. The People You Trust."
**************************************************************