| Author |
Message |
CJ
Guest
|
Posted:
Tue Feb 01, 2005 1:32 am Post subject:
protocol analyzer for a switch |
|
|
Can anyone tell me if there is a packet sniffer out there (preferably a free
one) that can analyze the network through a switch?
Right now we use Ethereal, but we have to plug it into a regular hub, then
into the network switch to see the broadcast packets.
Anyone? |
|
|
 |
James Knott
Guest
|
Posted:
Tue Feb 01, 2005 2:24 am Post subject:
Re: protocol analyzer for a switch |
|
|
CJ wrote:
| Quote: | Can anyone tell me if there is a packet sniffer out there (preferably a
free one) that can analyze the network through a switch?
Right now we use Ethereal, but we have to plug it into a regular hub, then
into the network switch to see the broadcast packets.
|
No sniffer can analyze packets it can't see. Some switches can be
configured to monitor a port, but that's about all. |
|
|
 |
Walter Roberson
Guest
|
Posted:
Tue Feb 01, 2005 2:49 am Post subject:
Re: protocol analyzer for a switch |
|
|
In article <Q4OdnVQPtLGTP2PcRVn-ug@rogers.com>,
James Knott <james.knott@rogers.com> wrote:
:CJ wrote:
:> Can anyone tell me if there is a packet sniffer out there (preferably a
:> free one) that can analyze the network through a switch?
:> Right now we use Ethereal, but we have to plug it into a regular hub, then
:> into the network switch to see the broadcast packets.
:No sniffer can analyze packets it can't see. Some switches can be
:configured to monitor a port, but that's about all.
Expanding a little on James' answer:
It's relatively common on managed switches to offer a port "mirroring"
feature, which copies port traffic to a different location. Nortel
calls it mirroring; Cisco calls it "SPAN" if the data is sent to
a local port, "RSPAN" if the traffic is sent remotely.
The selection criteria for this copying vary greatly between
manufacturers and models; for some it copies everything always;
others allow you to be selective with criteria such as source port,
source IP, destination port, destination IP, protocol, or VLAN tag
[e.g., the Nortel Baystack 470 can select based upon most of these.]
In some switches, the destination port the traffic is being copied
to is isolated from everything else and will -only- transmit the
copied data. On other switches [the Nortel Accelar 1100/1200 series
are the only ones that come to mind] the destination port can still
be used for regular traffic, thus making it easier to monitor through
the network.
Different switches also differ on two other important features:
whether VLAN tags get stripped off; and whether the original source MAC
address of the packet is preserved or if the original source MAC
is replaced with the MAC of the egress port of the switch.
I ran across some switch literature a couple of months ago for a model
which required that one set the egress port to match the VLAN # of the
port to be monitored, and the VLAN tag always got stripped out.
Monitoring a complete trunk was not possible on that device.
With regards to software: Fluke Networks "Network Inspector" has
an option (I think it might be extra cost) of a "Port Mirroring Wizard"
which knows about several different models of switches and how to
configure them to send traffic along to be monitored. I have never
played with that feature myself as I don't have redundant links
for management purposes so activating mirroring would cut off the
network.
--
This is not the same .sig the second time you read it. |
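Added example (not part of the original thread): a way to check, from frames captured on the mirror destination port, the two behaviours Walter describes, namely whether 802.1Q tags were stripped and whether every frame arrives with one and the same source MAC. The frame builder, MAC addresses and sample frames are constructed for illustration.

```python
import struct
from collections import Counter

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q VLAN tag

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_frame(frame):
    """Return (src_mac, vlan_id or None, ethertype) for one raw Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    src = mac(frame[6:12])
    (etype,) = struct.unpack("!H", frame[12:14])
    vlan = None
    if etype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, etype = struct.unpack("!HH", frame[14:18])
        vlan = tci & 0x0FFF  # low 12 bits of the TCI are the VLAN ID
    return src, vlan, etype

def mirror_report(frames, expect_tagged):
    """Summarise what the mirror port delivered and flag both behaviours."""
    vlans, srcs = Counter(), Counter()
    for f in frames:
        src, vlan, _ = parse_frame(f)
        vlans[vlan] += 1
        srcs[src] += 1
    tagged = sum(n for v, n in vlans.items() if v is not None)
    return {
        "frames": len(frames),
        "per_vlan": dict(vlans),  # key None counts untagged frames
        "tags_stripped": bool(expect_tagged and frames and tagged == 0),
        # A hint only: one source MAC on many frames suggests rewriting.
        "single_source_mac": len(frames) > 1 and len(srcs) == 1,
        "source_macs": sorted(srcs),
    }

def build(dst, src, etype, vlan=None, payload=b"\x00" * 46):
    """Construct a sample frame (test data, not captured traffic)."""
    tag = struct.pack("!HH", TPID_8021Q, vlan) if vlan is not None else b""
    return bytes.fromhex(dst) + bytes.fromhex(src) + tag + struct.pack("!H", etype) + payload

# Constructed samples: tags and MACs preserved, then tags stripped and MAC rewritten.
A, B, SW, BCAST = "020000000001", "020000000002", "0200000000fe", "ffffffffffff"
KEPT = [build(BCAST, A, 0x0806, vlan=10), build(A, B, 0x0800, vlan=20)]
REWRITTEN = [build(BCAST, SW, 0x0806), build(A, SW, 0x0800)]
```

A capturing NIC or driver that offloads VLAN handling can also remove tags before the sniffer sees them, so rule that out before attributing stripped tags to the switch.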
|
|
 |
Michael Roberts
Guest
|
Posted:
Tue Feb 01, 2005 2:57 am Post subject:
Re: protocol analyzer for a switch |
|
|
Walter Roberson wrote:
| Quote: | In article <Q4OdnVQPtLGTP2PcRVn-ug@rogers.com>,
James Knott <james.knott@rogers.com> wrote:
:CJ wrote:
:> Can anyone tell me if there is a packet sniffer out there (preferably a
:> free one) that can analyze the network through a switch?
:> Right now we use Ethereal, but we have to plug it into a regular hub, then
:> into the network switch to see the broadcast packets.
:No sniffer can analyze packets it can't see. Some switches can be
:configured to monitor a port, but that's about all.
Expanding a little on James' answer:
It's relatively common on managed switches to offer a port "mirroring"
feature, which copies port traffic to a different location. Nortel
calls it mirroring; Cisco calls it "SPAN" if the data is sent to
a local port, "RSPAN" if the traffic is sent remotely.
The selection criteria for this copying vary greatly between
manufacturers and models; for some it copies everything always;
others allow you to be selective with criteria such as source port,
source IP, destination port, destination IP, protocol, or VLAN tag
[e.g., the Nortel Baystack 470 can select based upon most of these.]
In some switches, the destination port the traffic is being copied
to is isolated from everything else and will -only- transmit the
copied data. On other switches [the Nortel Accelar 1100/1200 series
are the only ones that come to mind] the destination port can still
be used for regular traffic, thus making it easier to monitor through
the network.
Different switches also differ on two other important features:
whether VLAN tags get stripped off; and whether the original source MAC
address of the packet is preserved or if the original source MAC
is replaced with the MAC of the egress port of the switch.
I ran across some switch literature a couple of months ago for a model
which required that one set the egress port to match the VLAN # of the
port to be monitored, and the VLAN tag always got stripped out.
Monitoring a complete trunk was not possible on that device.
With regards to software: Fluke Networks "Network Inspector" has
an option (I think it might be extra cost) of a "Port Mirroring Wizard"
which knows about several different models of switches and how to
configure them to send traffic along to be monitored. I have never
played with that feature myself as I don't have redundant links
for management purposes so activating mirroring would cut off the
network.
|
Network monitoring/snooping used to be soooooo easy. Nortel's port
mirroring can be a pain to set up with .1q involved, and multicast
traffic will still not get mirrored, at least not in versions of code
that I have seen.
I would recommend purchasing a little 'pocket' hub that you can drag
with you. Jack the segments through the hub, and place the snooping
device on the hub. There are still caveats of course...
-mike |
|
|
 |
Jens Link
Guest
|
Posted:
Tue Feb 01, 2005 3:29 am Post subject:
Re: protocol analyzer for a switch |
|
|
James Knott <james.knott@rogers.com> writes:
| Quote: | No sniffer can analyze packets it can't see.
|
You can flood the switch with (faked) ARP packets, causing the switch to
act like a hub, but this will definitely influence any attempt to do
some troubleshooting.
Jens |
|
|
 |
Al Dykes
Guest
|
Posted:
Tue Feb 01, 2005 6:12 am Post subject:
Re: protocol analyzer for a switch |
|
|
In article <MQxLd.656$J5.10671@news.more.net>,
Michael Roberts <robertsmj@missouri.edu> wrote:
| Quote: | Walter Roberson wrote:
In article <Q4OdnVQPtLGTP2PcRVn-ug@rogers.com>,
James Knott <james.knott@rogers.com> wrote:
:CJ wrote:
:> Can anyone tell me if there is a packet sniffer out there (preferably a
:> free one) that can analyze the network through a switch?
:> Right now we use Ethereal, but we have to plug it into a regular hub, then
:> into the network switch to see the broadcast packets.
:No sniffer can analyze packets it can't see. Some switches can be
:configured to monitor a port, but that's about all.
Expanding a little on James' answer:
It's relatively common on managed switches to offer a port "mirroring"
feature, which copies port traffic to a different location. Nortel
calls it mirroring; Cisco calls it "SPAN" if the data is sent to
a local port, "RSPAN" if the traffic is sent remotely.
The selection criteria for this copying vary greatly between
manufacturers and models; for some it copies everything always;
others allow you to be selective with criteria such as source port,
source IP, destination port, destination IP, protocol, or VLAN tag
[e.g., the Nortel Baystack 470 can select based upon most of these.]
In some switches, the destination port the traffic is being copied
to is isolated from everything else and will -only- transmit the
copied data. On other switches [the Nortel Accelar 1100/1200 series
are the only ones that come to mind] the destination port can still
be used for regular traffic, thus making it easier to monitor through
the network.
Different switches also differ on two other important features:
whether VLAN tags get stripped off; and whether the original source MAC
address of the packet is preserved or if the original source MAC
is replaced with the MAC of the egress port of the switch.
I ran across some switch literature a couple of months ago for a model
which required that one set the egress port to match the VLAN # of the
port to be monitored, and the VLAN tag always got stripped out.
Monitoring a complete trunk was not possible on that device.
With regards to software: Fluke Networks "Network Inspector" has
an option (I think it might be extra cost) of a "Port Mirroring Wizard"
which knows about several different models of switches and how to
configure them to send traffic along to be monitored. I have never
played with that feature myself as I don't have redundant links
for management purposes so activating mirroring would cut off the
network.
Network monitoring/snooping used to be soooooo easy. Nortel's port
mirroring can be a pain to set up with .1q involved, and multicast
traffic will still not get mirrored, at least not in versions of code
that I have seen.
I would recommend purchasing a little 'pocket' hub that you can drag
with you. Jack the segments through the hub, and place the snooping
device on the hub. There are still caveats of course...
-mike
|
I'm told some cheapo stuff with a "hub" badge is really a switch :-(.
eBay has 'em real cheap.
--
a d y k e s @ p a n i x . c o m
Don't blame me. I voted for Gore. |
|
|
 |
|
|
|
|