Caveat: This documentation is part of a larger set of proprietary information I created for a fortune 1000 company. This information is not confidential.
Problem
Non-networking groups are not familiar with show to size packet capture or “streaming capture” devices. Sizing these devices is mathematically a linear system of constraints.
The following set of governing equations were developed for a security team to allow them to correctly size ExtraHop appliances attached to an out-of-band fabric (in turn, attached to the production IP fabric).
Theoretical
pRI = pRO = 10Gbps or 100GbpsEquations
MMD = DS/eRI = DS x 1 / eRISimple Example: Caculating minutes of data on disk
A 100GBdisk, eRI=10Gbps(=758GB/m)
10 Gbps x 60s/m = 600 Gbpm
600 Gbpm x 1GB/8Gb = 75GB/m
MMD = 100GB / 75GB/M = 1.33 minutes