Giga fiber Tap

Netoptics work great. Check out their aggregation taps.

Some 4-port fiber gig taps, including Netoptics ones, drop frames when
aggregate utilization exceeds 1 Gbit/s. That can be 500 east + 501 west
or 1001 west, or 251 in each of 4 ports or whatever.

I'd heard about a kiddie porn case getting tossed because the defense
successfully argued law enforcement's tap may have dropped frames. I
didn't believe it until I measured this myself with a packet blaster.

I used VSS taps in my tests. Brian Chee of the University of Hawaii
tried this before me with a Netoptics tap, with similar results:

Endicott-Popovsky, B.E., Chee, B. and Frincke, D. Role of Calibration as
Part of Establishing Foundation for Expert Testimony, in Proceedings 3rd
Annual IFIP WG 11.9 Conference January 29-31, 2007, Orlando, FL.

dn

> I'd heard about a kiddie porn case getting tossed because the defense
> successfully argued law enforcement's tap may have dropped frames. I
> didn't believe it until I measured this myself with a packet blaster.

I would like to see a citation for this case. Evidence from network taps
would be very rare in a child exploitation case, and extremely unusual for
it to be the sole evidence in such a case. Despite the "CSI effect,"
the existence of perfect data is more suspicious than glitchy data in a
criminal case. Sounds a bit like the story of a case being dismissed
because a computer banner said "Welcome" (no such case has ever been found).

If you had said it was a narcotics case, I would be less skeptical.

> Endicott-Popovsky, B.E., Chee, B. and Frincke, D. Role of Calibration as
> Part of Establishing Foundation for Expert Testimony, in Proceedings 3rd
> Annual IFIP WG 11.9 Conference January 29-31, 2007, Orlando, FL.

Thanks for the citation. Using an aggregation tap for a criminal investigation is not a good idea, but I guess it wouldn't surprise me if someone did. Investigators should understand the limitations of their equipment and as suggested check its calibration with known data.

> > I'd heard about a kiddie porn case getting tossed because the defense
> > successfully argued law enforcement's tap may have dropped frames. I
> > didn't believe it until I measured this myself with a packet blaster.
>
> I would like to see a citation for this case.

Dr. Endicott-Popovsky told me about the case in a phone call earlier
this year. My recollection is that she told me only the details about
the tap's use in the case, and not the name of the case.

You might check directly with her. I believe she's at the University of
Washington.

> > Endicott-Popovsky, B.E., Chee, B. and Frincke, D. Role of Calibration as
> > Part of Establishing Foundation for Expert Testimony, in Proceedings 3rd
> > Annual IFIP WG 11.9 Conference January 29-31, 2007, Orlando, FL.
>
> Thanks for the citation. Using an aggregation tap for a criminal
> investigation is not a good idea, but I guess it wouldn't surprise me if
> someone did. Investigators should understand the limitations of their
> equipment and as suggested check its calibration with known data.

Right. The only point with ops relevance is to be aware that some
gigabit fiber taps capture just that -- exactly one gigabit per second,
but not more.

dn
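
An added example, not part of the thread: one way to run the calibration check discussed above, comparing known generator traffic against what the capture host behind an aggregation tap recorded, per one-second interval. The record layouts (`(timestamp, port, seq, frame_bytes)` from the generator, `(port, seq)` from the capture), the function names and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

MONITOR_BPS = 1_000_000_000  # assumption: one 1 Gbit/s monitor port on the tap

def calibrate(sent, captured, interval_s=1.0, monitor_bps=MONITOR_BPS):
    """sent: (timestamp_s, port, seq, frame_bytes) tuples from the generator's log.
    captured: set of (port, seq) pairs recovered from the capture file.
    Returns per-interval offered aggregate rate and frame loss."""
    buckets = defaultdict(lambda: {"bits": 0, "sent": 0, "lost": 0})
    for ts, port, seq, size in sent:
        b = buckets[int(ts // interval_s)]
        b["bits"] += size * 8
        b["sent"] += 1
        b["lost"] += (port, seq) not in captured
    report = []
    for idx in sorted(buckets):
        b = buckets[idx]
        offered = b["bits"] / interval_s
        report.append({"interval": idx, "offered_bps": offered,
                       "oversubscribed": offered > monitor_bps,
                       "sent": b["sent"], "lost": b["lost"]})
    return report

def unexplained_loss(report):
    """Intervals that lost frames although the aggregate fit the monitor port."""
    return [r["interval"] for r in report if r["lost"] and not r["oversubscribed"]]

def constructed_run():
    """Constructed test data: 1250-byte frames (10,000 bits each).
    Second 0: 500 Mbit/s east + 400 west; second 1: 500 east + 501 west."""
    sent, seq = [], defaultdict(int)
    for second, east, west in [(0, 50_000, 40_000), (1, 50_000, 50_100)]:
        for port, n in (("east", east), ("west", west)):
            for i in range(n):
                sent.append((second + i / n, port, seq[port], 1250))
                seq[port] += 1
    # Constructed capture: the last 100 west frames of second 1 are missing.
    missing = {("west", s) for s in range(seq["west"] - 100, seq["west"])}
    captured = {(p, s) for _, p, s, _ in sent} - missing
    return sent, captured

if __name__ == "__main__":
    for row in calibrate(*constructed_run()):
        print(row)
```

Loss confined to oversubscribed intervals points at the tap's monitor-port limit; any interval returned by `unexplained_loss` means frames went missing somewhere else in the capture chain.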