I am looking to implement an IP-based Geolocation solution. This essentially involves 2 main steps:
1) Grab IP traffic from remote locations
2) Analyze/compare the grabbed IPs with an appropriate GeoLocation database (like 'Maxmind') and determine Latitude/Longitude/City/Country/ISP, etc.
I have looked into the following 2 options for step (1):
1) http://rpcap.sourceforge.net/ - I ran into issues while building the rpcap server on a Linux box. Also, this seems to be a development version and I did not find any recent software updates/builds.
2) WinPcap - I built the "rpcapd" server on a Linux box. I installed Wireshark on a Windows box and could add the remote interfaces of the Linux boxes running rpcapd.
The above 2 methods involve capturing live network traffic and sending it to a central machine for consolidation/analysis. I am not quite convinced that this is the optimal way to grab IP traffic. Resource utilization in terms of network bandwidth, CPU, etc. and data security on the PROD hosts that run the rpcap server are a matter of concern too.
Does anybody have/share experience with such remote packet capture solutions? Is there a better way (open source alternatives) to capture/consolidate IP traffic from multiple remote hosts?
Thanx!
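As an added example (not part of the original post and not code from rpcap, WinPcap or MaxMind), the following Python script shows the two-step pipeline the question describes: on the capturing host, reduce raw IPv4 packets to per-address packet counters, and centrally resolve each address against a geolocation table by longest-prefix match. Shipping only address counters rather than full packet payloads is one way to address the bandwidth and data-exposure concerns raised above. Everything here is constructed: the packets are built inline from documentation and private address ranges, and `GEO_TABLE` is an invented stand-in for a real database such as MaxMind (a real deployment would query the actual database file instead of this dictionary).

```python
"""Added example: reduce a raw IPv4 capture to endpoint counters, then
geolocate each endpoint by longest-prefix match against a lookup table.

Assumptions (constructed for this example, not from the original post):
- packets are raw IPv4 datagrams with no link-layer framing
- GEO_TABLE is a hypothetical stand-in for a real geolocation database
"""
import ipaddress
import struct
from collections import Counter

# Constructed geolocation table: RFC 5737 documentation ranges and RFC 1918
# private space with invented labels. Not real geolocation data.
GEO_TABLE = {
    "203.0.113.0/24": {"country": "XA", "city": "Example City", "isp": "Example ISP A"},
    "198.51.100.0/24": {"country": "XB", "city": "Sample Town", "isp": "Example ISP B"},
    "198.51.100.128/25": {"country": "XB", "city": "Sample Town North", "isp": "Example ISP B"},
    "10.0.0.0/8": {"country": "-", "city": "internal", "isp": "private"},
}

# Sort most-specific prefix first so the first match is the longest match.
_GEO_NETS = sorted(
    ((ipaddress.ip_network(n), attrs) for n, attrs in GEO_TABLE.items()),
    key=lambda t: t[0].prefixlen,
    reverse=True,
)


def lookup(ip: str):
    """Return the attributes of the longest matching prefix, or None."""
    addr = ipaddress.ip_address(ip)
    for net, attrs in _GEO_NETS:
        if addr in net:
            return attrs
    return None


def build_ipv4(src: str, dst: str, proto: int = 6, payload: bytes = b"") -> bytes:
    """Build a minimal 20-byte IPv4 header (no options, checksum left zero)."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
        ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed,
    )
    return header + payload


def parse_ipv4(packet: bytes):
    """Return (src, dst, proto) or None if the bytes are not a sane IPv4 header."""
    if len(packet) < 20:
        return None
    ver_ihl = packet[0]
    if ver_ihl >> 4 != 4:          # not IPv4 (e.g. an IPv6 datagram)
        return None
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:  # malformed or truncated header
        return None
    proto = packet[9]
    src = str(ipaddress.ip_address(packet[12:16]))
    dst = str(ipaddress.ip_address(packet[16:20]))
    return src, dst, proto


def summarize(packets) -> Counter:
    """Step 1, on the remote host: count packets per endpoint address.
    Only these counters need to leave the host, not the packet payloads."""
    counts = Counter()
    for pkt in packets:
        parsed = parse_ipv4(pkt)
        if parsed is None:
            continue
        src, dst, _ = parsed
        counts[src] += 1
        counts[dst] += 1
    return counts


def geolocate(counts: Counter) -> dict:
    """Step 2, centrally: attach geolocation attributes to each address."""
    return {ip: {"packets": n, "geo": lookup(ip)} for ip, n in counts.items()}


# Constructed sample capture, including an IPv6 stub and a truncated packet
# that the parser must skip rather than misreport.
SAMPLE_PACKETS = [
    build_ipv4("10.1.2.3", "203.0.113.7"),
    build_ipv4("203.0.113.7", "10.1.2.3"),
    build_ipv4("10.1.2.3", "198.51.100.200"),
    b"\x60" + b"\x00" * 39,
    b"\x45\x00",
]

if __name__ == "__main__":
    for ip, info in geolocate(summarize(SAMPLE_PACKETS)).items():
        print(ip, info)
```

The longest-prefix order matters: 198.51.100.200 must resolve to the /25 entry rather than the enclosing /24, which is the same behaviour a real geolocation database exhibits when a city-level block sits inside a country-level one.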