Archived from groups: comp.dcom.lans.ethernet
CJ wrote:
> Can anyone tell me if there is a packet sniffer out there (preferably a
> free one) that can analyze the network through a switch?
>
> Right now we use ethereal, but we have to plug it into a regular hub, then
> into the network switch to see the broadcast packets.
No sniffer can analyze packets it can't see. Some switches can be
configured to monitor a port, but that's about all.
In article <Q4OdnVQPtLGTP2PcRVn-ug@rogers.com>,
James Knott <james.knott@rogers.com> wrote:
:CJ wrote:
:> Can anyone tell me if there is a packet sniffer out there (preferably a
:> free one) that can analyze the network through a switch?
:> Right now we use ethereal, but we have to plug it into a regular hub, then
:> into the network switch to see the broadcast packets.
:No sniffer can analyze packets it can't see. Some switches can be
:configured to monitor a port, but that's about all.
Expanding a little on James' answer:
It's relatively common on managed switches to offer a port "mirroring"
feature, which copies port traffic to a different location. Nortel
calls it mirroring; Cisco calls it "SPAN" if the data is sent to
a local port, "RSPAN" if the traffic is sent remotely.
The selection criteria for this copying vary greatly between
manufacturers and models; for some it copies everything always;
others allow you to be selective with criteria such as source port,
source IP, destination port, destination IP, protocol, or VLAN tag
[e.g., the Nortel Baystack 470 can select based upon most of these.]
In some switches, the destination port the traffic is being copied
to is isolated from everything else and will -only- transmit the
copied data. On other switches [the Nortel Accelar 1100/1200 series
are the only ones that come to mind] the destination port can still
be used for regular traffic, thus making it easier to monitor through
the network.
Different switches also differ on two other important features:
whether VLAN tags get stripped off; and whether the original source MAC
address of the packet is preserved or if the original source MAC
is replaced with the MAC of the egress port of the switch.
I ran across some switch literature a couple of months ago for a model
which required that one set the egress port to match the VLAN # of the
port to be monitored, and the VLAN tag always got stripped out.
Monitoring a complete trunk was not possible on that device.
With regards to software: Fluke Networks "Network Inspector" has
an option (I think it might be extra cost) of a "Port Mirroring Wizard"
which knows about several different models of switches and how to
configure them to send traffic along to be monitored. I have never
played with that feature myself as I don't have redundant links
for management purposes so activating mirroring would cut off the
network.
--
This is not the same .sig the second time you read it.
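
Added example (not part of the original posts): a way to check, from frames captured on a mirror port, the two properties the post above says vary between switches, namely whether 802.1Q tags survive and whether the source MAC is preserved. The helper names and the sample frames are constructed for illustration.

```python
import struct
from collections import Counter

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q VLAN tag

def parse_frame(frame: bytes) -> dict:
    """Return source MAC, VLAN ID (None if untagged) and EtherType of one frame."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    src = frame[6:12].hex(":")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan = None
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan = tci & 0x0FFF  # low 12 bits of the TCI are the VLAN ID
    return {"src": src, "vlan": vlan, "ethertype": ethertype}

def audit_mirror(frames, expect_tags=True):
    """Summarise a capture taken on a mirror port and list what looks altered."""
    parsed = [parse_frame(f) for f in frames]
    vlans = Counter(p["vlan"] for p in parsed)
    sources = Counter(p["src"] for p in parsed)
    findings = []
    if expect_tags and set(vlans) == {None}:
        findings.append("no 802.1Q tags seen: tags stripped or tagged traffic not mirrored")
    if len(parsed) > 1 and len(sources) == 1:
        findings.append("single source MAC on every frame: source MAC may be rewritten")
    return {"vlans": dict(vlans), "sources": dict(sources), "findings": findings}

def make_frame(dst, src, ethertype, vlan=None, payload=b"\x00" * 46):
    """Build a constructed test frame (not real captured traffic)."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vlan)
    return hdr + struct.pack("!H", ethertype) + payload

# Constructed samples: a trunk mirrored intact, and the same traffic after a
# switch stripped the tags and rewrote the source MAC to its egress port.
INTACT = [make_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01", 0x0806, vlan=10),
          make_frame("02:00:00:00:00:01", "02:00:00:00:00:02", 0x0800, vlan=20)]
ALTERED = [make_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:99", 0x0806),
           make_frame("02:00:00:00:00:01", "02:00:00:00:00:99", 0x0800)]

if __name__ == "__main__":
    for name, cap in (("intact", INTACT), ("altered", ALTERED)):
        print(name, audit_mirror(cap))
```

Before blaming the switch for missing tags, rule out the capture host: many NICs and drivers strip 802.1Q tags on receive when VLAN offload is enabled.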
Walter Roberson wrote:
> In article <Q4OdnVQPtLGTP2PcRVn-ug@rogers.com>,
> James Knott <james.knott@rogers.com> wrote:
> :CJ wrote:
>
> :> Can anyone tell me if there is a packet sniffer out there (preferably a
> :> free one) that can analyze the network through a switch?
>
> :> Right now we use ethereal, but we have to plug it into a regular hub, then
> :> into the network switch to see the broadcast packets.
>
> :No sniffer can analyze packets it can't see. Some switches can be
> :configured to monitor a port, but that's about all.
>
> Expanding a little on James' answer:
>
> It's relatively common on managed switches to offer a port "mirroring"
> feature, which copies port traffic to a different location. Nortel
> calls it mirroring; Cisco calls it "SPAN" if the data is sent to
> a local port, "RSPAN" if the traffic is sent remotely.
>
> The selection criteria for this copying vary greatly between
> manufacturers and models; for some it copies everything always;
> others allow you to be selective with criteria such as source port,
> source IP, destination port, destination IP, protocol, or VLAN tag
> [e.g., the Nortel Baystack 470 can select based upon most of these.]
>
> In some switches, the destination port the traffic is being copied
> to is isolated from everything else and will -only- transmit the
> copied data. On other switches [the Nortel Accelar 1100/1200 series
> are the only ones that come to mind] the destination port can still
> be used for regular traffic, thus making it easier to monitor through
> the network.
>
> Different switches also differ on two other important features:
> whether VLAN tags get stripped off; and whether the original source MAC
> address of the packet is preserved or if the original source MAC
> is replaced with the MAC of the egress port of the switch.
>
> I ran across some switch literature a couple of months ago for a model
> which required that one set the egress port to match the VLAN # of the
> port to be monitored, and the VLAN tag always got stripped out.
> Monitoring a complete trunk was not possible on that device.
>
>
> With regards to software: Fluke Networks "Network Inspector" has
> an option (I think it might be extra cost) of a "Port Mirroring Wizard"
> which knows about several different models of switches and how to
> configure them to send traffic along to be monitored. I have never
> played with that feature myself as I don't have redundant links
> for management purposes so activating mirroring would cut off the
> network.
Network monitoring/snooping used to be soooooo easy. Nortel's port
mirroring can be a pain to set up with .1q involved, and multicast
traffic will still not get mirrored, at least not in versions of code
that I have seen.
I would recommend purchasing a little 'pocket' hub that you can drag
with you. Jack the segments through the hub, and place the snooping
device on the hub. There are still caveats of course...
James Knott <james.knott@rogers.com> writes:
> No sniffer can analyze packets it can't see.
You can flood the switch with (faked) ARP packets, causing the switch to
act like a hub, but this will definitely influence any attempt to do
some troubleshooting.
In article <MQxLd.656$J5.10671@news.more.net>,
Michael Roberts <robertsmj@missouri.edu> wrote:
>Walter Roberson wrote:
>> In article <Q4OdnVQPtLGTP2PcRVn-ug@rogers.com>,
>> James Knott <james.knott@rogers.com> wrote:
>> :CJ wrote:
>>
>> :> Can anyone tell me if there is a packet sniffer out there (preferably a
>> :> free one) that can analyze the network through a switch?
>>
>> :> Right now we use ethereal, but we have to plug it into a regular hub, then
>> :> into the network switch to see the broadcast packets.
>>
>> :No sniffer can analyze packets it can't see. Some switches can be
>> :configured to monitor a port, but that's about all.
>>
>> Expanding a little on James' answer:
>>
>> It's relatively common on managed switches to offer a port "mirroring"
>> feature, which copies port traffic to a different location. Nortel
>> calls it mirroring; Cisco calls it "SPAN" if the data is sent to
>> a local port, "RSPAN" if the traffic is sent remotely.
>>
>> The selection criteria for this copying vary greatly between
>> manufacturers and models; for some it copies everything always;
>> others allow you to be selective with criteria such as source port,
>> source IP, destination port, destination IP, protocol, or VLAN tag
>> [e.g., the Nortel Baystack 470 can select based upon most of these.]
>>
>> In some switches, the destination port the traffic is being copied
>> to is isolated from everything else and will -only- transmit the
>> copied data. On other switches [the Nortel Accelar 1100/1200 series
>> are the only ones that come to mind] the destination port can still
>> be used for regular traffic, thus making it easier to monitor through
>> the network.
>>
>> Different switches also differ on two other important features:
>> whether VLAN tags get stripped off; and whether the original source MAC
>> address of the packet is preserved or if the original source MAC
>> is replaced with the MAC of the egress port of the switch.
>>
>> I ran across some switch literature a couple of months ago for a model
>> which required that one set the egress port to match the VLAN # of the
>> port to be monitored, and the VLAN tag always got stripped out.
>> Monitoring a complete trunk was not possible on that device.
>>
>>
>> With regards to software: Fluke Networks "Network Inspector" has
>> an option (I think it might be extra cost) of a "Port Mirroring Wizard"
>> which knows about several different models of switches and how to
>> configure them to send traffic along to be monitored. I have never
>> played with that feature myself as I don't have redundant links
>> for management purposes so activating mirroring would cut off the
>> network.
>Network monitoring/snooping used to be soooooo easy. Nortel's port
>mirroring can be a pain to set up with .1q involved, and multicast
>traffic will still not get mirrored, at least not in versions of code
>that I have seen.
>
>I would recommend purchasing a little 'pocket' hub that you can drag
>with you. Jack the segments through the hub, and place the snooping
>device on the hub. There are still caveats of course...
>
>-mike
I'm told some cheapo stuff with a "hub" badge is really a switch :-(.