
ooops works better when I send from an approved address .. anyway ...

anyone here use, or know much about these units other than the limited website details http://www.endace.com/
Wondering if anyone is using, or has used these and what they think of these
Certainly looks like an interesting mix of open source and hardware embedding

> anyone here use, or know much about these units other than the limited website details http://www.endace.com/
> Wondering if anyone is using, or has used these and what they think of these
> Certainly looks like an interesting mix of open source and hardware embedding

Hi Gavin,

Endace is a commercialised product spun off from the WAND group at the University of Waikato, and as such a fair number of former and current WLUG members have used these.

The cards themselves are fairly impressive - I have used them to do line rate capture of saturated gige traffic (something over 1.1Mpps I think?). They are in a fairly niche market however, and unless you're actually wanting to do traffic analysis or anything you might need a network coprocessor for, probably not really something you can slip into your Christmas wishlist....

If you have any specific queries (ie, you actually want to buy one and want real info) it's probably best to talk to Endace directly, as they will be able to give better information about their current product range and so on. There might even be some Endace employees still lurking on the list here somewhere...

And if you just want some more general info about how it works, feel free to ask here, although it's not *really* on topic for WLUG.

Good info. I was asked a bit about them, and knew very little.

the website is a bit vague but as you said, the cards look specific and seem to be focussed on packet tracing more than typical security
I'm guessing traffic shaping and ... Dare I say it .. an internet that offers different service to different packets ( saves clogging the telecom tubes with voip traffic)

I guess I am interested in what they would be used for rather than needing the hardware myself. It's pretty top level
I mean ok Snort and other intrusion detection I get, but Ethereal, Ntop.. what would most networks need these for ? Quality of service checks maybe? or could this help limit the impact of a DoS attack ?

And I wouldn't be surprised if we had employees in the LUG since the R&D centre is here in the Waikato.

I'm more curious as to where these would normally be used, and for what sort of activity other than all the normal government spying that we all live in constant fear of ;-)

Those who use these tools more might be willing to help educate me. Even if I suspect it's a topic in its own right.

Daniel Lawson wrote:
> Hi Gavin,
> Endace is a commercialised product spun off from the WAND group at the University of Waikato, and as such a fair number of former and current WLUG members have used these.
> The cards themselves are fairly impressive - I have used them to do line rate capture of saturated gige traffic (something over 1.1Mpps I think?). They are in a fairly niche market however, and unless you're actually wanting to do traffic analysis or anything you might need a network coprocessor for, probably not really something you can slip into your Christmas wishlist....
> If you have any specific queries (ie, you actually want to buy one and want real info) it's probably best to talk to Endace directly, as they will be able to give better information about their current product range and so on. There might even be some Endace employees still lurking on the list here somewhere...
> And if you just want some more general info about how it works, feel free to ask here, although it's not *really* on topic for WLUG.
> _______________________________________________
> wlug mailing list | wlug(a)list.waikato.ac.nz
> Unsubscribe: http://list.waikato.ac.nz/mailman/listinfo/wlug

> the website is a bit vague but as you said, the cards look specific and seem to be focussed on packet tracing more than typical security
> I'm guessing traffic shaping and ... Dare I say it .. an internet that offers different service to different packets ( saves clogging the telecom tubes with voip traffic)

Not really traffic shaping. They are intended to be traffic monitors, rather than manipulators. While you could use them for shaping traffic, it would involve the cards being able to transmit data themselves, and unless that's changed recently they don't actually do that. The easy distinction is: they aren't network cards. They might look like them, but they don't have a MAC address, and you cannot use them as a NIC. This may have changed recently, but it's beyond the original intention of the card as far as I know.

> I guess I am interested in what they would be used for rather than needing the hardware myself. It's pretty top level

WAND, and probably most other people using them, use them for highly accurate passive captures of network traffic. They have a GPS synchronised clock, and they insert nanosecond resolution timestamps in hardware. Because it's done in hardware they aren't affected by system loading. Using something like tcpdump will give less accurate results because the pcap timestamp is only microseconds, and if the host happens to be busy doing other things (like writing a file to disk, or processing another packet on another interface) it'll delay the timestamp.

You could use them for Snort and so on, but it's only really worth it if you want nanosecond timestamping or if you think loading might get high enough that a normal card will have problems dealing with it.
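
Added example (not part of the original thread): the timestamp-resolution point above, shown on a constructed capture. It assumes minimum-size Ethernet frames at 1 Gbit/s, which arrive 672 ns apart; the helper names are hypothetical, and the two magic numbers are the standard pcap microsecond and nanosecond file formats.

```python
import struct

MAGIC_USEC = 0xA1B2C3D4  # classic pcap: ts_sec + ts_usec
MAGIC_NSEC = 0xA1B23C4D  # nanosecond pcap: ts_sec + ts_nsec
NS_PER_SEC = 1_000_000_000

# Constructed sample: 1000 back-to-back frames, 672 ns apart (assumed spacing).
SAMPLE_NS = [NS_PER_SEC + i * 672 for i in range(1000)]


def build_pcap(timestamps_ns, magic=MAGIC_NSEC, frame=b"\x00" * 60):
    """Build a pcap byte string with one dummy frame per timestamp (constructed data)."""
    out = struct.pack("<IHHiIII", magic, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for ts in timestamps_ns:
        sec, nsec = divmod(ts, NS_PER_SEC)
        # A microsecond-format file cannot store the low three digits.
        frac = nsec if magic == MAGIC_NSEC else nsec // 1000
        out += struct.pack("<IIII", sec, frac, len(frame), len(frame)) + frame
    return out


def read_timestamps_ns(data):
    """Return (resolution_ns, timestamps_ns) parsed from a pcap byte string."""
    magic_le = struct.unpack_from("<I", data)[0]
    magic_be = struct.unpack_from(">I", data)[0]
    if magic_le in (MAGIC_USEC, MAGIC_NSEC):
        endian, magic = "<", magic_le
    elif magic_be in (MAGIC_USEC, MAGIC_NSEC):
        endian, magic = ">", magic_be
    else:
        raise ValueError("not a pcap file")
    scale = 1 if magic == MAGIC_NSEC else 1000
    stamps, off = [], 24  # records start after the 24-byte global header
    while off + 16 <= len(data):
        sec, frac, incl_len, _orig = struct.unpack_from(endian + "IIII", data, off)
        stamps.append(sec * NS_PER_SEC + frac * scale)
        off += 16 + incl_len
    return scale, stamps


def indistinguishable_pairs(stamps):
    """Count consecutive packets that carry an identical timestamp."""
    return sum(1 for a, b in zip(stamps, stamps[1:]) if a == b)


if __name__ == "__main__":
    for magic in (MAGIC_NSEC, MAGIC_USEC):
        res, stamps = read_timestamps_ns(build_pcap(SAMPLE_NS, magic))
        print(f"{res} ns resolution: {indistinguishable_pairs(stamps)} tied pairs")
```

With microsecond timestamps roughly a third of adjacent packets share a timestamp, so inter-arrival times and ordering across capture points cannot be recovered for them, independent of any host scheduling delay.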

Participants (2): Daniel Lawson, Gavin Denby