On Sat, Jul 24, 2010 at 4:28 PM, <valdis.kletni...@vt.edu> wrote:
> On Sat, 24 Jul 2010 15:40:58 EDT, Christopher Morrow said:
>> why wouldn't you just do the intercept before the LSN?
>
> That gets interesting too, when several tens of thousands of users may all be
> behind the same LSN. Making sure you intercept only the right user's traffic
> gets a lot more interesting in front of the LSN. Doing it behind the LSN means
> you can snarf up just the traffic heading to/from one NAT'ed IP, which is
> hopefully changing not all that often. Doing it in front of the LSN means you
> need to decide whether to capture the data in real time on a per-flow basis
> (consider the fun involved in catching a SYN packet outbound - what's your time
> budget between when the miscreant's packet leaves his host and when you have to
> catch it on the outbound side of the LSN)...

innocent until proven guilty... plus probably a large portion of the calea things aren't for a 'miscreant' anyway but for other reasons. say, i wonder how many actual calea requests have been sent out anyway?? (I know one very large network has yet to get a single one, or so the grapevine tells me.)