Archived from groups: comp.dcom.lans.ethernet
In article <MQxLd.656$J5.10671@news.more.net>,
Michael Roberts <robertsmj@missouri.edu> wrote:
>Walter Roberson wrote:
>> In article <Q4OdnVQPtLGTP2PcRVn-ug@rogers.com>,
>> James Knott <james.knott@rogers.com> wrote:
>> :CJ wrote:
>>
>> :> Can anyone tell me if there is a packet sniffer out there (preferably a
>> :> free one) that can analyze the network through a switch?
>>
>> :> Right now we use ethereal, but we have to plug it into a regular hub, then
>> :> into the network switch to see the broadcast packets.
>>
>> :No sniffer can analyze packets it can't see. Some switches can be
>> :configured to monitor a port, but that's about all.
>>
>> Expanding a little on James' answer:
>>
>> It's relatively common on managed switches to offer a port "mirroring"
>> feature, which copies port traffic to a different location. Nortel
>> calls it mirroring; Cisco calls it "SPAN" if the data is sent to
>> a local port, "RSPAN" if the traffic is sent remotely.
>>
>> The selection criteria for this copying vary greatly between
>> manufacturers and models; for some it copies everything always;
>> others allow you to be selective with criteria such as source port,
>> source IP, destination port, destination IP, protocol, or VLAN tag
>> [e.g., the Nortel Baystack 470 can select based upon most of these.]
>>
>> In some switches, the destination port the traffic is being copied
>> to is isolated from everything else and will -only- transmit the
>> copied data. On other switches [the Nortel Accelar 1100/1200 series
>> are the only ones that come to mind] the destination port can still
>> be used for regular traffic, thus making it easier to monitor through
>> the network.
>>
>> Different switches also differ on two other important features:
>> whether VLAN tags get stripped off; and whether the original source MAC
>> address of the packet is preserved or if the original source MAC
>> is replaced with the MAC of the egress port of the switch.
>>
>> I ran across some switch literature a couple of months ago for a model
>> which required that one set the egress port to match the VLAN # of the
>> port to be monitored, and the VLAN tag always got stripped out.
>> Monitoring a complete trunk was not possible on that device.
>>
>>
>> With regards to software: Fluke Networks "Network Inspector" has
>> an option (I think it might be extra cost) of a "Port Mirroring Wizard"
>> which knows about several different models of switches and how to
>> configure them to send traffic along to be monitored. I have never
>> played with that feature myself as I don't have redundant links
>> for management purposes so activating mirroring would cut off the
>> network.
>Network monitoring/snooping used to be soooooo easy. Nortel's port
>mirroring can be a pain to set up with .1q involved, and multicast
>traffic will still not get mirrored, at least not in versions of code
>that I have seen.
>
>I would recommend purchasing a little 'pocket' hub that you can drag
>with you. Jack the segments through the hub, and place the snooping
>device on the hub. There are still caveats of course...
>
>-mike
I'm told some cheapo stuff with a "hub" badge is really a switch :-(.
eBay has 'em real cheap.
--
a d y k e s @ p a n i x . c o m
Don't blame me. I voted for Gore.
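
To check what a particular mirror port really delivers on the points raised in this thread (VLAN tags kept or stripped, source MACs preserved or rewritten, multicast mirrored or not), a capture taken on that port can be summarized as below. This is an added example, not part of the original posts; it assumes a classic libpcap file with Ethernet link type, and the sample frames and MAC addresses are constructed.

```python
import struct
from collections import Counter

TPID_8021Q = 0x8100      # EtherType value that marks an 802.1Q VLAN tag

def iter_frames(pcap: bytes):
    """Yield raw Ethernet frames from a classic libpcap (not pcapng) capture."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None or len(pcap) < 24:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:   # 1 = LINKTYPE_ETHERNET
        raise ValueError("link type is not Ethernet")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        if len(frame) < incl_len:
            break                      # last record cut short
        yield frame
        off += 16 + incl_len

def mirror_summary(pcap: bytes) -> dict:
    """Count what the mirror port delivered: tags, group traffic, source MACs."""
    vlans, src_macs = Counter(), Counter()
    total = tagged = group = 0
    for frame in iter_frames(pcap):
        if len(frame) < 14:
            continue                   # too short for an Ethernet header
        total += 1
        group += frame[0] & 0x01       # I/G bit: broadcast or multicast destination
        src_macs[frame[6:12].hex(":")] += 1
        if len(frame) >= 18 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
            tagged += 1
            vlans[struct.unpack("!H", frame[14:16])[0] & 0x0FFF] += 1
    return {"frames": total, "tagged": tagged, "vlans": sorted(vlans),
            "group_addressed": group, "source_macs": sorted(src_macs)}

def build_sample_pcap() -> bytes:
    """Constructed three-frame capture (made-up locally administered MACs)."""
    def frame(dst, src, ethertype, vlan=None):
        tag = struct.pack("!HH", TPID_8021Q, vlan) if vlan is not None else b""
        return (bytes.fromhex(dst) + bytes.fromhex(src) + tag
                + struct.pack("!H", ethertype) + bytes(46))
    frames = [frame("ffffffffffff", "020000000001", 0x0806, vlan=10),
              frame("01005e0000fb", "020000000002", 0x0800, vlan=20),
              frame("020000000002", "020000000001", 0x0800)]
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
```

On a capture of a mirrored trunk, zero tagged frames, a single source MAC, or no group-addressed frames are the signs of the tag stripping, MAC rewriting and multicast gaps described in the posts above.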