Tuesday, June 23, 2020

Linux DIY inline network tap?

I'm looking for a DIY alternative to an IOTA 1G, which I evaluated for work, but the purchase has been floating around in waiting-for-PO-approval hell.

Summary of the IOTA's features:

  • 1 management port
  • 1 inbound tap port (can be used to tap a span, as well)
  • 1 outbound tap port
  • Tap ports are linked: in on 1, out on 2; in on 2, out on 1.
  • Tap speed is 1 Gbps
  • 1 TB of onboard SSD storage
  • Tapped traffic is used to generate logs, which get turned into graphs in grafana
  • Grafana generates on-demand links to pcaps of the displayed data which can be downloaded for additional analysis

The use case is to ship it to branch offices for a plug-and-play install by a non-technical person.

  • Primary: Short term deployment - Capture a month's worth of traffic for analysis.
  • Secondary: Short term deployment - Near real time analysis for troubleshooting live issues.
  • Tertiary: Long term deployment.

Honestly, the IOTA does more than I would want, better than I'll be able to copy, and cheaper than it will cost me to develop. I'd prefer it if I could just get my PO signed. But in the meantime, actual work is mostly dead, and I enjoy tinkering with stuff like this, especially when it comes to networking-specific stuff.


I think I have everything mostly figured out, but I'm not sure how to set up the tap ports.

On the logging, charts, and graphs side of things, I think I'll be able to generate syslog data from the inbound tap port, and then forward that into ELK or Graylog (on the same box) and work on charts and graphs from there. I'm probably also going to enable NetFlow and SNMP. I'm not sure if it's possible to easily generate the log/chart data from pcaps, but if so I'd prefer it, and I'd probably scrap the syslog/SNMP/NetFlow data.

On the hardware side of things I'm looking at building something like this, at least as a POC. I may beef up the specs a bit if the POC works out, and I see a potential for benefit.

On the capture side, I'm planning on a rolling capture. Initially I was thinking hourly, but I think I may need to use a shorter window, like 5-15 minutes, to allow data analysis as close to real time as possible. Maybe a small duration for the rolling capture, and then merge the files into hourly pcaps every hour. I'm only going to be capturing on the primary tap port.

I'm not going to bother trying to integrate the log/chart web GUI filter into the pcap filter directly, but I think I'll be able to set up a script that generates a temp pcap by combining the archived pcaps based on timestamp constraints, and then applies filters against the temp pcap to generate the desired filtered pcap result.
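The rolling capture and the "combine by timestamp, then filter" step above, as an added example that is not part of the original post. It uses tcpdump's `-G` rotation for the short-window files and mergecap/tcpdump for the extraction; the archive path, the 5-minute rotation, the file-name layout and the interface name are assumptions. `start_capture` needs root and a real interface; the selection and extraction functions run anywhere the archive is readable. The hourly files it produces are also what a pcap-driven log generator such as Zeek (`zeek -r file.pcap`) would read if the charts end up being built from pcaps rather than from syslog/NetFlow.

```sh
#!/bin/sh
# Added example (not from the original post): rolling capture with tcpdump -G,
# plus "temp pcap from the archive by timestamp, then filter". The archive
# root, interface, rotation interval and file naming are all assumptions.
# Needs tcpdump and mergecap (package wireshark-common on Debian/Ubuntu).

CAP_DIR="${CAP_DIR:-/var/captures}"   # assumed archive root
IFACE="${IFACE:-tap0}"                # assumed capture interface (bridge or leg)
ROTATE_SECS="${ROTATE_SECS:-300}"     # new file every 5 minutes

# Start the rolling capture. -G rotates the output every ROTATE_SECS; the file
# name is run through strftime, so each file carries its own start time both
# human-readable and as epoch seconds (%s) for the arithmetic below.
# TZ=UTC so the names and the UTC epochs agree whatever the box's zone is.
start_capture() {
    mkdir -p "$CAP_DIR/5min"
    TZ=UTC exec tcpdump -i "$IFACE" -nn -s 0 -G "$ROTATE_SECS" \
        -w "$CAP_DIR/5min/tap-%Y%m%d-%H%M%S-%s.pcap"
}

# Print, in time order, the archive files whose rotation window overlaps
# [start, end). Overlap rather than equality: tcpdump rotates relative to
# when it was started, not on clock boundaries, so a 10:02 file covers 10:02
# to 10:07 and must be included for a query that starts at 10:05.
select_window() {   # select_window START_EPOCH END_EPOCH
    for f in "$CAP_DIR"/5min/tap-*.pcap; do
        [ -e "$f" ] || continue
        n=${f%.pcap}; t=${n##*-}
        case $t in *[!0-9]*|'') continue ;; esac   # skip oddly named files
        if [ "$t" -lt "$2" ] && [ $((t + ROTATE_SECS)) -gt "$1" ]; then
            printf '%s\n' "$f"
        fi
    done | sort   # fixed-width date prefix, so lexical order is time order
}

# Merge the matching 5-minute files into one temp pcap, then (optionally)
# apply a BPF filter to produce the pcap the web UI would link to.
extract() {   # extract START_EPOCH END_EPOCH OUT.pcap ['bpf filter']
    tmp=$(mktemp) || return 1
    select_window "$1" "$2" | xargs -r mergecap -w "$tmp"
    if ! [ -s "$tmp" ]; then
        echo "no captures overlap $1..$2" >&2; rm -f "$tmp"; return 1
    fi
    if [ -n "${4:-}" ]; then
        tcpdump -nn -r "$tmp" -w "$3" "$4" && rm -f "$tmp"
    else
        mv "$tmp" "$3"
    fi
}

# Hourly consolidation: merge everything overlapping the hour starting at $1.
merge_hour() {   # merge_hour HOUR_START_EPOCH
    mkdir -p "$CAP_DIR/hourly"
    extract "$1" $(($1 + 3600)) "$CAP_DIR/hourly/tap-$1.pcap"
}

# Example calls (epochs are 2020-06-23 10:00 and 11:00 UTC):
#   start_capture                      # in its own service unit, as root
#   merge_hour 1592906400              # from cron, a few minutes past the hour
#   extract 1592906400 1592910000 /tmp/dns.pcap 'udp port 53'
```

Because selection is by overlap, a 5-minute file that straddles an hour boundary lands in both hourly files; if exact edges matter, trim the merged result with `editcap -A 'YYYY-MM-DD HH:MM:SS' -B 'YYYY-MM-DD HH:MM:SS'` before handing it out. The filter step is plain tcpdump reading the temp file, so anything the web GUI can express as BPF (hosts, ports, VLANs) can be passed straight through as `$4`.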

The part I'm really not sure about is how to set up the two tap interfaces. I don't want either interface to do anything to the traffic. I just want it to flow in one port and out the other and vice versa. The terms I've been googling haven't been leading me to any good results.
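The "in one port, out the other, touch nothing" setup the post is asking for is a Linux bridge with no IP address, which is the same thing a commercial in-line tap does in silicon. Below is an added example (my own script, not from the post or from the IOTA) that builds one; interface names, the bridge name and the dry-run switch are assumptions. It also turns off the things that would otherwise make the box visible or alter frames: STP and IGMP snooping on the bridge, IPv6 on the bridge and both legs (so the kernel never sends neighbour discovery or MLD from them), NIC offloads on the legs (so captured frames match the wire), and the br_netfilter hooks (so iptables/nftables never see, let alone drop, bridged frames).

```sh
#!/bin/sh
# Added example (not from the original post): a transparent in-line tap from
# two NICs and a Linux bridge. TAP_IN, TAP_OUT and BR are assumed names;
# the management NIC is left alone and keeps its normal IP config.
#
# A bridge with no address, STP off, snooping off and IPv6 disabled never
# originates a frame, and with bridge-nf-call-* off the firewall is not
# consulted for bridged traffic: frames entering one leg leave the other
# leg unchanged. Capturing on $BR sees both directions; so does capturing
# on a single leg, since that shows the leg's RX and TX.

TAP_IN="${TAP_IN:-eth1}"     # assumed: leg facing the upstream/WAN side
TAP_OUT="${TAP_OUT:-eth2}"   # assumed: leg facing the LAN side
BR="${BR:-tap0}"             # assumed bridge name
DRY_RUN="${DRY_RUN:-0}"      # 1 = print the commands instead of running them

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Make a NIC a passive bridge leg. Offloads are disabled so what tcpdump sees
# is what was on the wire: no GRO-coalesced super-frames, and no "checksum
# incorrect" noise from TX checksum offload on frames the box forwards.
prep_leg() {
    run ip addr flush dev "$1"
    run sysctl -q -w "net.ipv6.conf.$1.disable_ipv6=1"
    run ethtool -K "$1" gro off lro off tso off gso off rx off tx off
    run ip link set dev "$1" promisc on
    run ip link set dev "$1" master "$BR"
    run ip link set dev "$1" up
}

setup_tap() {
    run ip link add name "$BR" type bridge
    run ip link set dev "$BR" type bridge stp_state 0 mcast_snooping 0
    run sysctl -q -w "net.ipv6.conf.$BR.disable_ipv6=1"
    # These knobs only exist once br_netfilter is loaded; ignore if absent.
    for k in iptables ip6tables arptables; do
        run sysctl -q -w "net.bridge.bridge-nf-call-$k=0" 2>/dev/null || true
    done
    prep_leg "$TAP_IN"
    prep_leg "$TAP_OUT"
    run ip link set dev "$BR" up
}

teardown_tap() {
    run ip link set dev "$TAP_IN" nomaster
    run ip link set dev "$TAP_OUT" nomaster
    run ip link del dev "$BR"
}

case "${1:-}" in
    up)   setup_tap ;;       # sudo ./tap.sh up
    down) teardown_tap ;;    # sudo ./tap.sh down
esac
```

Run it with `DRY_RUN=1 ./tap.sh up` first to see exactly what it will do, then as root for real; `tcpdump -i tap0 -nn` should then show both directions of the branch's traffic with nothing sourced from the tap box itself. Two caveats a hardware tap hides: a PC bridge fails closed (lose power or crash the kernel and the branch loses its uplink, since there is no bypass relay), and link state does not propagate from one leg to the other, so a cable pulled on the LAN side is not seen as a link drop on the WAN side. For a month-long deployment at a site with no one technical on hand, a cheap passive bypass TAP ahead of the box, or at least a watchdog that reboots it, is worth budgeting for.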


