Question

May I ask this question of experienced Perl programmers who know a thing or two about network programming? Here's the thing: we have a program to develop in Perl about network analyzers. Our scope is that we only scan traffic passing through the switch that the host is connected to. Will it be difficult if we scan the whole network instead of only one switch? My team and I are wondering if this will take a lot of time in coding it, or maybe it will only take up one line of code, something like that. I hope my question is clear. Thanks in advance.

Solution

That's not a problem of Perl, but of how you get the data to the machine where your analyzer runs. Usually you will only get data for the local machine when using a switch (except for ARP requests), so you need to get access to a specifically configured port of the switch (mirror port). To get access to all the data in the network you either need to be connected to all the mirror ports of all switches in the network, have special devices to collect all traffic (network tap) or create some kind of sensor network to accumulate data from various places.

Apart from that I would not use Perl for high-speed network analysis (which is usually needed if you want to analyze data from the whole network). Even with C it is not simple to do a fast capture and Perl introduces too much overhead. But you might use Perl for the analysis of a reduced dataset, e.g. after doing lots of filtering on the original data.
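
The answer's last point, Perl analysing an already reduced dataset, as an added example that is not part of the original answer: a pure-Perl reader for a classic libpcap file (such as one written by a capture tool on a mirror port after filtering) that sums bytes per IPv4 source/destination pair. The function names and the in-memory sample capture are constructed for illustration; pcapng and non-Ethernet link types are not handled.

```perl
use strict;
use warnings;
use Socket qw(inet_aton inet_ntoa);

# Sum on-the-wire bytes per IPv4 "src -> dst" pair from a classic libpcap
# byte string with Ethernet link type. Returns a hash ref.
sub talkers_from_pcap {
    my ($data) = @_;
    die "truncated pcap header\n" if length($data) < 24;
    my $magic = unpack 'N', $data;
    my $e = $magic == 0xa1b2c3d4 ? '>'            # file written big-endian
          : $magic == 0xd4c3b2a1 ? '<'            # file written little-endian
          : die "not a classic pcap file\n";
    my $linktype = unpack "x20 L$e", $data;
    die "only Ethernet (linktype 1) is handled\n" unless $linktype == 1;
    my ($off, %bytes) = (24);                     # records start after the 24-byte header
    while ($off + 16 <= length($data)) {
        my ($caplen, $origlen) = unpack "x$off x8 L$e L$e", $data;   # skip timestamps
        $off += 16;
        last if $off + $caplen > length($data);   # truncated final record
        my $frame = substr $data, $off, $caplen;
        $off += $caplen;
        next if $caplen < 14;                     # shorter than an Ethernet header
        my ($l3, $type) = (14, unpack 'x12 n', $frame);
        if ($type == 0x8100 && $caplen >= 18) {   # 802.1Q tag, which a mirror port may deliver
            ($l3, $type) = (18, unpack 'x16 n', $frame);
        }
        next unless $type == 0x0800 && $caplen >= $l3 + 20;   # IPv4 with a full header
        my $skip = $l3 + 12;                      # offset of the source address
        my ($src, $dst) = map { inet_ntoa($_) } unpack "x$skip a4 a4", $frame;
        $bytes{"$src -> $dst"} += $origlen;       # original length, not the snapped length
    }
    return \%bytes;
}

# Constructed sample record: Ethernet + IPv4 header only, as if snapped at 34 bytes.
sub sample_record {
    my ($src, $dst, $wire_len) = @_;
    my $ip = pack 'C2 n3 C2 n a4 a4', 0x45, 0, $wire_len - 14, 0, 0, 64, 6, 0,
             inet_aton($src), inet_aton($dst);
    my $frame = ("\x02" x 6) . ("\x04" x 6) . pack('n', 0x0800) . $ip;
    return pack('L< L< L< L<', 0, 0, length($frame), $wire_len) . $frame;
}

my $pcap = pack('L< S< S< l< L< L< L<', 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)   # global header
    . join '', map { sample_record(@$_) }
        ['10.0.0.5', '10.0.0.9', 1500], ['10.0.0.5', '10.0.0.9', 60], ['10.0.0.7', '10.0.0.5', 400];
my $t = talkers_from_pcap($pcap);
printf "%-22s %6d bytes\n", $_, $t->{$_} for sort { $t->{$b} <=> $t->{$a} } keys %$t;
```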

Licensed under: CC-BY-SA with attribution