Alix2d3 packet captures
-
Hello
I am looking to put together some pfsense boxes to distribute at some of my network sites, for packet captures purposes. Will I be able to do that from this board, or do I need something more. As of right now, I am only wanting to plug them into my switches, to allow a remote wire capture from that site, as I do not have a device on each network capable of doing that when needed to diagnose and troubleshoot issues. Should I be able to do that from a CF card, or would I need to install to 2.5" drive, or maybe a flash drive to do that? I have several m0n0wall devices, but they are on soekris, and have not had luck running pfsense on that. So I'm looking at the pcengines alix board. I would put a small pc at the sites, but they need to fit into 19" nema enclosures, so a alix board would be much nicer. Thanks for any suggestions.
-
As of right now, I am only wanting to plug them into my switches,
Presumably into a monitor port on the switches with the switch able to be configured to direct various classes of traffic to the monitor port.
Should I be able to do that from a CF card, or would I need to install to 2.5" drive, or maybe a flash drive to do that?
Depends on whether you want to look at your capture live only or also want to be able to store substantial captures locally and transfer them later (perhaps to avoid competing for bandwidth with the traffic you are capturing).
The Alix possibly doesn't have the CPU capacity for sustained captures at 100Mbps and even if it did you would need careful choice of mass storage device (possibly a SSD) to hold captures of sustained 100Mbps.
With a notebook hard drive or good quality SLC Compact Flash card you could run the "full" version of pfSense and just write captures to the system disk OR you could run the nano BSD version of pfSense and write captures to USB flash drives.
-
Presumably into a monitor port on the switches with the switch able to be configured to direct various classes of traffic to the monitor port.
Correct!
Depends on whether you want to look at your capture live only or also want to be able to store substantial captures locally and transfer them later (perhaps to avoid competing for bandwidth with the traffic you are capturing).
Well, I'm not sure how to look at it live only, but basically, would like to capture, the typical 100 lines or whatnot, and usually its something specific looking for. And these are wireless sites, so traffic is only in the 10-20mb range, at peak even. Just looking to save driving 30 min just to plug laptop in for a wirecapture. Is the alix cpu the main thing limiting doing a full 100mbs capture? If so, I should be fine with the lower traffic volumes then?
In regards to the drive, is it possible to connect a alix to a 2.5" drive? I'm not going to be doing a ton of writes, just one here and there, of small sizes… If its going to be a huge capture, I'll probably go on site to do it. Just trying to eliminate alot of un-needed running. What are the limitations of the nanoBSD version on a usb flash?
Thanks
-
Well, I'm not sure how to look at it live only,
Live capture can be down by ssh into pfSense, login and use tcpdump shell command. OR through web GUI: Diagnostics -> Packet Capture.
Is the alix cpu the main thing limiting doing a full 100mbs capture?
Alix is quoted as capable of about 85Mbps forwarding. I expect it probable wouldn't be able to handle 100Mbps in, pass that to packet capture application, decode it and send output over network. but I haven't tested it.
Packet capture has options to filter traffic in the kernel so the capture application doesn't have to process all the traffic. For example, the capture can request show me the TCP traffic involving a specific IP address an specific port.
If so, I should be fine with the lower traffic volumes then?
I expect so.
In regards to the drive, is it possible to connect a alix to a 2.5" drive?
The Alix supposed has a connector for a notebook IDE drive (but not for a SATA drive).
I'm not going to be doing a ton of writes, just one here and there, of small sizes… If its going to be a huge capture, I'll probably go on site to do it. Just trying to eliminate alot of un-needed running. What are the limitations of the nanoBSD version on a usb flash?
Don't know if the Alix will boot off a USB flash drive. It is documented as booting off a Compact Flash card connected to the motherboard. NanoBSD version runs with system disk normally READ ONLY.
-
It will not boot from USB.
Though you could mount a drive connected via USB for additional storage with some manual hacking.
Another option for doing captures there would be realtime captures over ssh using wireshark to grab the captures remotely. I detail that procedure in the book, if you have it. There are instructions (not specific to pfSense, but might be close enough) in the wireshark FAQ for doing a capture over ssh into a local wireshark instance.