I want to run a constant 60-minute packet buffer (tcpdump) on my sensors so that I can go back and look at the full breadth of all traffic passing by my interface to help make better decisions and have more data points during incident response.
Anyone done this on a Cisco sensor before? I run tcpdump with increasing regularity to do packet dumps for inspection on the sensors with no issues -- outside of disk space, am I missing something?
While I fully trust that the stock Cisco answer will be "don't do that", my question is really more to the forum at large -- has anyone done this before and if so -- did it work OK -- did your sensor performance degrade significantly? Yes, I could put another box out there to do this, but it's so clean if I can keep it in the context of the sensors.
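A rolling 60-minute tcpdump ring buffer of the kind asked about above, with a disk-space sanity check, as an added example that is not from the original post or from Cisco; the interface name, capture directory and link-rate figure are assumptions:

```shell
#!/bin/sh
# Rolling 60-minute full-packet ring buffer with tcpdump (added example).
# Assumptions not taken from the post: the sniffing interface name, the
# capture directory, and the link-rate figure used to size the disk.

IFACE="${IFACE:-eth1}"                 # assumed sniffing interface
CAPDIR="${CAPDIR:-/var/tmp/ringbuf}"   # assumed capture directory
WINDOW_MIN=60                          # minutes of history to keep

# Build the capture command without running it (no root needed to inspect it).
#   -s 0        full packets, no snaplen truncation
#   -n          no name resolution on the sensor
#   -G 60       start a new file every 60 seconds
#   -w ...%M    strftime(3) pattern: %M is the minute 00..59, so after 60
#               files the names repeat and tcpdump overwrites the oldest one.
# Note: -W combined with -G makes tcpdump exit after N files rather than
# wrap, so the ring is produced by the name pattern, not by -W.
ring_buffer_cmd() {
  printf 'tcpdump -i %s -n -s 0 -G 60 -w %s/ring-%%M.pcap\n' "$1" "$2"
}

# Worst-case disk needed (MB, decimal) to hold <minutes> of sustained <mbps>:
# mbps * 60 s/min * minutes / 8 bits/byte.
estimate_disk_mb() {
  echo $(( $1 * 60 * $2 / 8 ))
}

# True if the filesystem holding <dir> has at least <need_mb> MB free.
ensure_space() {
  need_mb="$1"; dir="$2"
  avail_kb=$(df -Pk "$dir" | awk 'NR==2 { print $4 }')
  [ "$(( avail_kb / 1024 ))" -ge "$need_mb" ]
}

# Only start capturing when explicitly asked, e.g. "sh ringbuf.sh --run 100"
# where 100 is the expected sustained link rate in Mbit/s.
if [ "${1:-}" = "--run" ]; then
  need=$(estimate_disk_mb "${2:-100}" "$WINDOW_MIN")
  mkdir -p "$CAPDIR"
  ensure_space "$need" "$CAPDIR" || { echo "need ${need} MB free in $CAPDIR" >&2; exit 1; }
  echo "starting: $(ring_buffer_cmd "$IFACE" "$CAPDIR")"
  exec $(ring_buffer_cmd "$IFACE" "$CAPDIR")
fi
```

At 100 Mbit/s sustained, a 60-minute window needs about 45 GB of capture space, which is why the script refuses to start when the filesystem is short.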