
Sniffers and switched networks


jack klein

Nov 16, 1996, 3:00:00 AM

Right now we are running a shared 10mb ethernet and using Network
General's Sniffer for network troubleshooting and monitoring.
We plan to move to a switched based network with some 100mb ethernet.
I realize that good management software is needed and we will need to
set up some SNMP program but really don't want to give up the Sniffer.
I'm wondering if anyone else has gone through this and how they still
incorporate the Sniffer in the scheme of things.
Feel free to email me or post a reply. Thanks in advance.
Jack Klein
jkl...@post-gazette.com



Eric Ewanco

Nov 18, 1996, 3:00:00 AM

j...@post-gazette.com (jack klein) writes:

You need a switch which supports copying switched packets to a monitor port, a
feature sometimes called frame copy. This feature will be available shortly
for the Whittaker Xyplex LSP 610 switch engine. It permits you to copy all the
packets switched to a particular port out another port for monitoring on a
Sniffer (tm). Without such a feature, of course, you will be unable to see
traffic which is not destined for the port on which your Sniffer (tm) resides,
and if you are using a star-wired 100-Base T network, you will be effectively
unable to do any traffic monitoring without such a feature.

Hope this helps,

Eric Ewanco

Sniffer (TM) is a registered trademark of Network General Corporation and/or
its wholly owned subsidiaries.

--

# __ __ Eric Ewanco
# IC | XC e...@world.std.com
# ---+--- Software Engineer, Xyplex Inc.
# NI | KA Littleton, Mass.

Peter P. Morrissey

Nov 18, 1996, 3:00:00 AM

>Right now we are running a shared 10mb ethernet and using Network
>General's Sniffer for network troubleshooting and monitoring.
>We plan to move to a switched based network with some 100mb ethernet.
>I realize that good management software is needed and we will need to
>set up some SNMP program but really don't want to give up the Sniffer.
>I'm wondering if anyone else has gone through this and how they still
>incorporate the Sniffer in the scheme of things.
>Feel free to email me or post a reply. Thanks in advance.
>Jack Klein
>jkl...@post-gazette.com

You have a number of options.

a) Some switches allow you to "mirror" traffic between two ports, out a third
port where you would put the sniffer.

b) If the links are not full duplex, you can sometimes put a repeater in
between the switch port and the end node and hang the sniffer off
the repeater. If you are using full duplex, you can temporarily throttle
down to half duplex on both ends in order to do this.

c) Some vendors offer "taps" that allow you to tap in to a full duplex link.
Frontier has this on their RMON probes and there is a company whose
name I can never remember (I think it starts with sh, something like shimoti,
sounds like they don't have a very good marketing dept.) that sells a software
sniffer that comes with a full duplex tap.

d) Network General will send you a white paper on this topic:
http://www.research.digital.com/wrl/techreports/abstracts/88.4.html

e) Some switches will give you some RMON groups, and other general
traffic data even without RMON.

_Pete Morrissey
_Syracuse University

Lawrence L. Baldwin

Nov 18, 1996, 3:00:00 AM
to jack klein

You can (and should) still continue to use an analyzer in a switched
network. You'll just need to temporarily attach a pocket hub to a
switch port whenever you need to use the analyzer.

Some switches also provide a monitor port that can be roved between any
switch port.


jack klein wrote:
>
> Right now we are running a shared 10mb ethernet and using Network
> General's Sniffer for network troubleshooting and monitoring.
> We plan to move to a switched based network with some 100mb ethernet.
> I realize that good management software is needed and we will need to
> set up some SNMP program but really don't want to give up the Sniffer.
> I'm wondering if anyone else has gone through this and how they still
> incorporate the Sniffer in the scheme of things.
> Feel free to email me or post a reply. Thanks in advance.
> Jack Klein
> jkl...@post-gazette.com

--
-----------------------------------------------------------------------
Lawrence Baldwin System Management Tech., Inc.
cd00...@mindspring.com 175 5th. Ave. Ste. 2400 NY, NY 10010
Network Analysis Services (718) 995-5542

Hadriel S. Kaplan

Nov 18, 1996, 3:00:00 AM

On 18 Nov 1996, Eric Ewanco wrote:

> j...@post-gazette.com (jack klein) writes:
> > Right now we are running a shared 10mb ethernet and using Network
> > General's Sniffer for network troubleshooting and monitoring.
> > We plan to move to a switched based network with some 100mb ethernet.
> > I realize that good management software is needed and we will need to
> > set up some SNMP program but really don't want to give up the Sniffer.
> > I'm wondering if anyone else has gone through this and how they still
> > incorporate the Sniffer in the scheme of things.
>

> You need a switch which supports copying switched packets to a monitor port, a
> feature sometimes called frame copy. This feature will be available shortly
> for the Whittaker Xyplex LSP 610 switch engine. It permits you to copy all the
> packets switched to a particular port out another port for monitoring on a
> Sniffer (tm). Without such a feature, of course, you will be unable to see
> traffic which is not destined for the port on which your Sniffer (tm) resides,
> and if you are using a star-wired 100-Base T network, you will be effectively
> unable to do any traffic monitoring without such a feature.

I have seen such a feature on other switches (it's also sometimes called
conversation steering, troubleshooting, and sometimes just monitoring).
My question to Eric (the guy from Xyplex) is, does the switch repeat all
signals to the monitor port, or just repeat frames? That is, are
collisions (jam signals), runts, and other such things repeated to the
monitor port as well? Also, some switches allow you to monitor all the
ports, essentially by having the monitor port be a switched port that
transmits all packets and buffers if too much traffic (this is sometimes
called backbone mode). Does the Whittaker do that?

Also, for both of you, I assume Jack (the guy with the question) has a
10baseT Sniffer. He wants to monitor 100baseT ports with that sniffer.
What will the switch's monitor port do when it has too much traffic on the
100baseT port to copy? (presumably there's a buffer, but even that can be
overrun)

-Hadriel


-------------------------------------------------------------------------------
| Hadriel Kaplan | Hadriel...@unh.edu | http://wilmot.unh.edu/~hsk |
-------------------------------------------------------------------------------
|IOL (InterOperability Lab) Fast Ethernet Consortium - http://www.iol.unh.edu|
-------------------------------------------------------------------------------
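
Added example, not part of the original thread: a small tail-drop model of the monitor-port overrun Hadriel asks about, with a 10 Mb/s analyzer port mirroring a 100 Mb/s port. The 64 KB buffer, the frame size and all function names are assumptions chosen for illustration, not figures from any switch discussed here.

```python
"""Added example: tail-drop model of a switch monitor (mirror) port."""
from dataclasses import dataclass

WIRE_OVERHEAD = 20  # preamble (8 bytes) + inter-frame gap (12 bytes) per Ethernet frame


@dataclass
class MirrorStats:
    offered: int = 0
    forwarded: int = 0
    dropped: int = 0
    peak_queue_bytes: float = 0.0


def constant_load(load_mbps, frame_bytes, duration_us):
    """Constructed traffic: evenly spaced frames at load_mbps for duration_us."""
    wire_bits = (frame_bytes + WIRE_OVERHEAD) * 8
    spacing_us = wire_bits / load_mbps          # 1 Mb/s == 1 bit per microsecond
    count = int(duration_us / spacing_us)
    return [(i * spacing_us, frame_bytes) for i in range(count)]


def simulate_mirror_port(frames, egress_mbps, buffer_bytes):
    """Copy (arrival_us, size) frames to a monitor port that drains at
    egress_mbps and tail-drops when its buffer is full."""
    stats = MirrorStats()
    drain_per_us = egress_mbps / 8.0            # bytes the monitor port sends per microsecond
    queue = 0.0                                 # backlog in wire bytes (a simplification)
    last_t = 0.0
    for t, size in sorted(frames):
        # Drain whatever the monitor port transmitted since the previous arrival.
        queue = max(0.0, queue - (t - last_t) * drain_per_us)
        last_t = t
        stats.offered += 1
        wire = size + WIRE_OVERHEAD
        if queue + wire > buffer_bytes:
            stats.dropped += 1                  # the analyzer never sees this frame
        else:
            queue += wire
            stats.forwarded += 1
            stats.peak_queue_bytes = max(stats.peak_queue_bytes, queue)
    return stats


def capture_loss(stats):
    """Fraction of mirrored frames that never reached the analyzer."""
    return stats.dropped / stats.offered if stats.offered else 0.0


if __name__ == "__main__":
    BUF = 64 * 1024  # assumed buffer size, not a figure from any vendor
    for label, frames in [
        ("8 Mb/s sustained, 100 ms", constant_load(8, 1518, 100_000)),
        ("100 Mb/s burst, 1 ms", constant_load(100, 1518, 1_000)),
        ("100 Mb/s sustained, 100 ms", constant_load(100, 1518, 100_000)),
    ]:
        s = simulate_mirror_port(frames, egress_mbps=10, buffer_bytes=BUF)
        print(f"{label}: offered={s.offered} dropped={s.dropped} loss={capture_loss(s):.0%}")
```

In this model the buffer absorbs a short line-rate burst without loss, but sustained load above the monitor port's rate loses frames silently, so a capture taken through an oversubscribed mirror port cannot be treated as complete.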


Alan Chapman

Nov 18, 1996, 3:00:00 AM
to jack klein

jack klein wrote:
>
> Right now we are running a shared 10mb ethernet and using Network
> General's Sniffer for network troubleshooting and monitoring.
> We plan to move to a switched based network with some 100mb ethernet.
> I realize that good management software is needed and we will need to
> set up some SNMP program but really don't want to give up the Sniffer.
> I'm wondering if anyone else has gone through this and how they still
> incorporate the Sniffer in the scheme of things.
> Feel free to email me or post a reply. Thanks in advance.
> Jack Klein
> jkl...@post-gazette.com

Hi Jack,

It looks to me like you've got the following options:

1) Some switches provide a "mirror" port that you can use to copy any
other port's traffic to and hang your analyzer off of that. The problem
with this is you have to manually switch the mirrored port to the
correct one BEFORE the problem happens.

2) You might consider permanently attaching your analyzer (via another
hub, etc.) to the port from the switch to router or server to which most
of the traffic passes. In today's client-server networks you should see
almost everything.

3) In the case of 2) above if the uplink is full duplex, WG will have a
tap for this on the market shortly. Also if it is 100Mb/s you will be
overtaxing your software based analysis tool.

Hope this helps,

Alan Chapman
Wandel & Goltermann, Inc.

Alan Chapman

Nov 18, 1996, 3:00:00 AM
to jack klein

jack klein wrote:
>
> Right now we are running a shared 10mb ethernet and using Network
> General's Sniffer for network troubleshooting and monitoring.
> We plan to move to a switched based network with some 100mb ethernet.
> I realize that good management software is needed and we will need to
> set up some SNMP program but really don't want to give up the Sniffer.
> I'm wondering if anyone else has gone through this and how they still
> incorporate the Sniffer in the scheme of things.
> Feel free to email me or post a reply. Thanks in advance.
> Jack Klein
> jkl...@post-gazette.com

Hi again Jack ;)

One more option occurred to me:

There is a company called LAN Hopper that sells test access switches for
just this sort of thing, essentially a 1 x n switch that will allow you
to switch your analyzer to any port and is controlled via sw over the
network. This is only necessary if your switch does not provide a
mirrored port.

Cheers,

Daniel Wijns

Nov 19, 1996, 3:00:00 AM

Hi Jack,

Network General has made a good white-paper about this issue.
There are 3 different ways to include the Sniffer in a switched
environment...depending the brand/model of switch used...

Contact Network General at www.ngc.com

Best Regards,

Daniel


--
Daniel Wijns daniel...@club.innet.be
11/19/96 02:51
[ Standard Disclaimer ]

Hadriel S. Kaplan

Nov 19, 1996, 3:00:00 AM

On Mon, 18 Nov 1996, Peter P. Morrissey wrote:

> c) Some vendors offer "taps" that allow you to tap in to a full duplex link.
> Frontier has this on their RMON probes and there is a company whose
> name I can never remember (I think it starts with sh, something like shimoti,
> sounds like they don't have a very good marketing dept.) that sells a software
> sniffer that comes with a full duplex tap.

Shomiti. They make the Century Tap. They're new and small, but up and
coming. They have a cool hardware-based frame generator, too. There's
another company that makes a tap, but I forget their name right now.
Anyone remember? It's a black one, as opposed to Shomiti's white one.
Same basic size and design, though. (maybe they're made by the same
manufacturer)

Hadriel S. Kaplan

Nov 20, 1996, 3:00:00 AM

On Mon, 18 Nov 1996, Alan Chapman wrote:

> One more option occurred to me:
> There is a company called LAN Hopper that sells test access switches for
> just this sort of thing, essentially a 1 x n switch that will allow you
> to switch your analyzer to any port and is controlled via sw over the
> network. This is only necessary if your switch does not provide a
> mirrored port.

I thought Lan Hopper's switch was just a physical switch that could map
any in port to any out port, but not one in port to 2 out ports. You
would be isolating the devices from the packet switch, because you would
be connecting them to a sniffer instead of the packet switch port. (the
lan hopper is essentially a remote controlled electrical patch panel, no?)
And this would still have a problem with John's 10baseT sniffer sniffing
100baseT traffic.

On the other hand, they (Lan Hopper) also make a software application
called PathMaster which lets you control most switches remotely through a
nice GUI (even a web page, now). This would let you remotely map any port
of the packet switch to another to monitor, instead of having to telnet
into the device and changing config parameters by hand.

Actually - Alan, didn't W&G have a high-impedance tap to snoop with?

I suppose it all depends on how fancy you want to be - if you just have
one switch and a small (physically) LAN, you could just use the repeater
idea and plug a repeater between the device and switch port and plug the
sniffer into the repeater - of course this would only work for 10baseT,
since your sniffer is probably a 10baseT one. (presumably you already
have repeaters plugged into the 10baseT switch ports and are servicing
multiple devices that way, so you could just plug the sniffer into one of
those repeaters) The downside would be you would have to lug the sniffer
around every time you wanted to sniff a particular segment.

Mitch Strobin

Nov 21, 1996, 3:00:00 AM

Hadriel S. Kaplan wrote:
>
> On Mon, 18 Nov 1996, Peter P. Morrissey wrote:
>
> > c) Some vendors offer "taps" that allow you to tap in to a full duplex link.
> > Frontier has this on their RMON probes and there is a company whose
> > name I can never remember (I think it starts with sh, something like shimoti,
> > sounds like they don't have a very good marketing dept.) that sells a software
> > sniffer that comes with a full duplex tap.
>
> Shomiti. They make the Century Tap. They're new and small, but up and
> coming. They have a cool hardware-based frame generator, too. There's
> another company that makes a tap, but I forget their name right now.
> Anyone remember? It's a black one, as opposed to Shomiti's white one.
> Same basic size and design, though. (maybe they're made by the same
> manufacturer)
>
> -------------------------------------------------------------------------------
> | Hadriel Kaplan | Hadriel...@unh.edu | http://wilmot.unh.edu/~hsk |
> -------------------------------------------------------------------------------
> |IOL (InterOperability Lab) Fast Ethernet Consortium - http://www.iol.unh.edu|
> -------------------------------------------------------------------------------

Hadriel is correct in his statements. Shomiti Systems (www.shomiti.com)
does indeed offer a Tap device to enable monitoring of full-duplex
10/100 links. The product has been shipping since June. Check out the
Shomiti web site for a white paper on how to deploy the Tap (Deploying
LAN Analyzers in 10/100 Ethernet Networks).

Comment to Peter Morrissey - I'll try my best to improve the marketing
department at Shomiti Systems :-)

Regards,
Mitch Strobin
Director of Product Marketing
Shomiti Systems
mi...@shomiti.com

Alan Chapman

Nov 21, 1996, 3:00:00 AM
to Hadriel S. Kaplan

Hadriel S. Kaplan wrote:
>
> I thought Lan Hopper's switch was just a physical switch that could map
> any in port to any out port, but not one in port to 2 out ports.

I was thinking it was essentially a pass through device with one test
access port that can be switched to any of the pass through channels,
but I may be wrong (it's happened before ;).

> Actually - Alan, didn't W&G have a high-impedance tap to snoop with?

We used a prototype at INTEROP. It works for 10/100BT, half/full
duplex, and will be shipping early next year (I believe sometime in
January).

Alan Chapman
Wandel & Goltermann

Mike Vislocky

Nov 21, 1996, 3:00:00 AM

In message <3290F7...@wg.com> - Alan Chapman <acha...@wg.com> Mon, 18 Nov
1996 17:57:25 -0600 writes:
:

:jack klein wrote:
:>
:> Right now we are running a shared 10mb ethernet and using Network
:> General's Sniffer for network troubleshooting and monitoring.
:> We plan to move to a switched based network with some 100mb ethernet.
:> I realize that good management software is needed and we will need to
:> set up some SNMP program but really don't want to give up the Sniffer.
:> I'm wondering if anyone else has gone through this and how they still
:> incorporate the Sniffer in the scheme of things.
:> Feel free to email me or post a reply. Thanks in advance.
:> Jack Klein
:> jkl...@post-gazette.com


Jack:

If you are moving to a "switched based network", you may want to consider how
to use your test equipment to help diagnose problems associated with the
newest and most important network component: the SWITCH.

The best way to test switches is with an analyzer that can simultaneously
monitor multiple ports and show the results in a time correlated display.
That way you can see whether the switch is doing what you think it should be
doing.

You may want to check with NG to see if they offer this capability as an
upgrade to your Sniffer.

Other companies that offer multiple segment analyzers are W&G and GN Nettest.


Michael Vislocky
Network Orange, Inc.


Robert R. Beliveau

Nov 21, 1996, 3:00:00 AM

A few issues:

1. SNMP/RMON and Sniffers are really complementary products. SNMP/RMON is great for
getting statistical info about your segments. Sniffer type products are great at
drilling down on the specific packets allowing you to see the problem in greater
detail. RMON does have a packet capture ability, but it is not real time, takes LOTS
of bandwidth, and is generally "klunky" to use to capture, decode and troubleshoot
packets/problems.

2. Be careful about embedded SNMP agents in switches though, when utilization gets high,
the datalink switch needs to concentrate on switching packets, and management takes a
back seat. Standalone probes (Like the Frontier Netscout line) will function better than
embedded RMON/SNMP agents in this case.

3. DataCom Systems (like the LAN Hopper) also makes a "matrix switch", and they have one
which can support 10/100 ethernet. This switch allows you to select which port on the
datalink switch you want to look at without having to plug/unplug UTP cables. ***You
need to have a free port on a shared hub on each datalink switch port though*** This is
very useful when you have a datalink switch which does not do any port mirroring
functions, and you want to stay the he** out of the wiring closet.

4. The most recent LAN Magazine has an article on using Sniffers, SNMP, RMON, and network
management platforms in routed, switched and VLAN environments. Very good article -
check it out.

Bob Beliveau
Network General

Tom Graham

Nov 22, 1996, 3:00:00 AM

> Right now we are running a shared 10mb ethernet and using Network
> General's Sniffer for network troubleshooting and monitoring.
> We plan to move to a switched based network with some 100mb ethernet.
>...

> I'm wondering if anyone else has gone through this and how they still
> incorporate the Sniffer in the scheme of things.
>
Me too, same question. I would feel naked without my Sniffer!!!!
Tom Graham

Marc Abrams

Nov 22, 1996, 3:00:00 AM

On Mon, 18 Nov 1996 18:04:24 -0600, Alan Chapman <acha...@wg.com>
wrote:

>jack klein wrote:
>>
>> Right now we are running a shared 10mb ethernet and using Network
>> General's Sniffer for network troubleshooting and monitoring.
>> We plan to move to a switched based network with some 100mb ethernet.

>> I realize that good management software is needed and we will need to
>> set up some SNMP program but really don't want to give up the Sniffer.

>> I'm wondering if anyone else has gone through this and how they still
>> incorporate the Sniffer in the scheme of things.

>> Feel free to email me or post a reply. Thanks in advance.
>> Jack Klein
>> jkl...@post-gazette.com
>

>Hi again Jack ;)
>


You should check out RMON for managing switched environments. Most
vendors of switches (i.e., Cisco, Cabletron, Bay, 3Com) have embedded
RMON agents in their switches to replace or augment existing Sniffer
functionality in switched environments. For a very good white paper on
the subject, go to our site at:

http://www.frontier.com

marc.

Daniel Wijns

Nov 25, 1996, 3:00:00 AM

Contact your Network General representative and ask for the white
paper about switched environments...

Best Regards,

Daniel


--
Daniel Wijns daniel...@club.innet.be
11/25/96 02:33
[ Standard Disclaimer ]
