With regard to equipment, the first criterion would be a laptop with a high-performance Core i7 processor with plenty of L3 cache, considerable main memory, and at least one Thunderbolt port. I'm partial to Apple platforms, but recently HP and others have jumped on the Thunderbolt bandwagon. Here are several options:
- Apple MacBook Pro 15" with Retina Display, 2.8GHz quad-core Intel Core i7, Turbo Boost up to 4GHz, 16GB memory, 1TB PCIe flash disk. $3,199 from Apple.
- HP ZBook 15" with quad-core Intel Core i7-4800MQ, 32GB memory, 256GB SATA flash drive. $3,810 from CDW.
- Lenovo ThinkPad W540, 15.6" display, Intel Core i7-4700MQ, 8GB of memory, 500GB of disk, from Lenovo for $1,119.
While the Apple platform has only half the memory, it has four times the disk, with a high-speed PCIe flash interface that is considerably faster than the SATA interface used by HP, so all things should balance out. I added the Lenovo as it too has a Thunderbolt interface, but with only 8GB of memory and a spinning disk, overall system performance with regard to capture will be impacted; consider this the solution on a budget. After some additional checking, the ThinkPad W540 can easily be upgraded to 16GB for $166. Since this system has four memory sockets, you can actually buy two of these kits and run it up to 32GB, which for what would then be a $1,500 laptop would be pretty sweet.
Next we need an enclosure with an internal PCIe interface to house a 10GbE capture card. My favorite is the mLogic mLink which sells for $399, and can be purchased from several resellers or directly from Apple. This enclosure has a PCIe 16 lane socket inside, but only 4 lanes of PCIe Gen2 are actually wired up, which is fine. Thunderbolt is a 10Gbps connection and 4 lanes of PCIe Gen2 is theoretically 16Gbps, but after overhead is more like 12Gbps.
For a capture card I'd use the Solarflare SFN7122F, which can be purchased from CDW for $1,055. This is a dual-port 10G card that includes the necessary Open Onload license, so you can also run Solarflare's SolarCapture Pro capture driver (SFS-SCP), which is also available from CDW for $233. Finally, if you want to leverage accurate time stamping of packets via Precision Time Protocol, you should buy a PTP (SFS-PTP) license, also from CDW, for $194.
Finally, every Boy Scout knows you should always be prepared and carry your own two-meter 10GbE Direct Attach cable, also $82 from CDW. OK, now for setup...
First, install Linux on the laptop. These are the supported versions for the capture driver: RHEL 5 & 6, SLES 10 & 11. I'd suggest something with a 2.6.32 or newer kernel.
After making yourself comfortable with the system, installing optional stuff, customizing, updating everything, etc., you'll need to visit the SolarCapture support page at Solarflare to install the capture driver and supporting code. First you need to install Open Onload 201310-u1 or newer. I'd suggest at least 201405-u1. For good measure I'd also install the Linux Utilities RPM on this page (version 220.127.116.119 or newer). Finally, there is the SolarCapture SDK (version 18.104.22.168). All of this, including setting up and configuring the software, is covered in the SolarCapture Pro User's Guide (SF-108469-CD), which can also be found on the same webpage.
So for roughly $5K you can build a pretty robust mobile workstation that can record 10G traffic at wire-rate...