Ethereal-users: Re: [Ethereal-users] [Q-OT] Size of a trace and hub functions

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date: Fri, 9 Feb 2001 15:13:26 -0600
You see ... I am still thinking that each tool is to be used for what it's 
supposed to do best - I am using snort on the DMZ and in other 
critical points, but I have a hard time believing that it would 
outperform a packet capturing program, if the latter doesn't need to 
run through rules. I may be wrong ... but I would still like to use 
ethereal for what I was initially asking ...

... and I just checked about the suggested possible limitations: it 
stops around 180 - 270,000 frames (no consistency in terms of 
number of frames), and around 100 - 150 MB size (no pattern on 
size, either), and nothing else points to any limitation other than 
just the fact that it does not "save" everything - tried to look for a 
"dump", but there is none ...

Thx for help,
Stef

On 9 Feb 2001, at 12:48, Guy Harris wrote:

> > Have you considered using snort to do this.  If you write a
> > signature for this, when it triggers it can save the traffic in a
> > libpcap capture file.
> > 
> > Take a look at:
> > http://www.snort.org/writing_snort_rules.htm
> > for more info about writing snort rules
> 
> Hmm.  We've recently had recommendations for both ntop and snort in
> response to people trying to do some sort of network monitoring
> process.
> 
> The tcpdump.org Web site has a "Related Projects" page:
> 
>  http://www.tcpdump.org/related.html
> 
> describing various other network traffic capture/analysis/etc.
> projects; perhaps the Ethereal Web site should do something along
> those lines?