  • Latest Post - ‏2015-10-29T13:42:04Z by gregorin
gregorin
5 Posts

Pinned topic QIF & PCAP Hardware

‏2015-10-27T13:13:50Z | hardware pcap qif

Hello everybody,

I am a bit confused about QIF / PCAP hardware requirements, please help.

The Forensics installation guide states that PCAP requires this minimum (picture below), but when you look at the installation guides, they state you need almost identical requirements for both PCAP and Forensics.

The question is: is the PCAP really supposed to be as powerful as the QRadar Forensic?

Thank you


 


 

  • Aaron_Breen(IBM)
    3 Posts

    Re: QIF & PCAP Hardware

    ‏2015-10-27T14:02:28Z  

    Moved this to QIF subforums and requested input from dev / docs to this post

  • TSilliman
    6 Posts

    Re: QIF & PCAP Hardware

    ‏2015-10-27T16:35:37Z  

    Hello,

    Yes, the PCAP box does need to have resources at least that of the QIF box, if not greater, to allow the high throughput to disk as well as service the indexing of that data.  It would be valuable to specify what data throughput you are expecting so that we can advise on proper details of the configuration such as RAID striping, index allocation, etc. 

    Thank you,

    Tom

  • gregorin
    5 Posts

    Re: QIF & PCAP Hardware

    ‏2015-10-28T09:33:11Z  

    Thank you for the help,

     

    We are talking about max 1-2 gig throughput. QIF hardware is very expensive; if there is no need for PCAP to have the exact same hardware, that will be great.

     

  • TSilliman
    6 Posts

    Re: QIF & PCAP Hardware

    ‏2015-10-29T13:14:31Z  
    • gregorin
    • ‏2015-10-28T09:33:11Z

    Thank you for the help,

     

    We are talking about max 1-2 gig throughput. QIF hardware is very expensive; if there is no need for PCAP to have the exact same hardware, that will be great.

     

    The packet capture and Forensics technologies have several challenges to overcome to work as required. It will definitely be important to work with your sales person to properly spec the machine to handle the lower throughput, but because of the way information is captured, indexed, and written to disk, it is critical that no bottlenecks are introduced through a reduction in RAM or number of spindles in the RAID array.

     

    Hope this helps,

    Tom

  • gregorin
    5 Posts

    Re: QIF & PCAP Hardware

    ‏2015-10-29T13:42:04Z  

    Thank you for the help,