wireshark-users April 2010 archive

Re: [Wireshark-users] Looking for a portable sniffing-friendly hub/switch

From: Jaap Keuter <jaap.keuter_at_nospam>
Date: Sun Apr 11 2010 - 05:21:07 GMT
To: "oldcommguy@bellsouth.net" <oldcommguy@bellsouth.net>, Community support list for Wireshark <wireshark-users@wireshark.org>

Hi,

It would be great if the collected knowledge in this thread was added
to the Wireshark Wiki. Could any of you do that?

Thanks,
Jaap

Sent from my iPhone

On 10 apr 2010, at 22:47, "Oldcommguy - Tim"
<oldcommguy@bellsouth.net> wrote:

> Ok – Great math and I agree that today’s switches are very
> capable, as switches…– Time for the reality – SPAN ports-
>
> 1) do not pass bad frames, long or short frames or any malformed
> packets – Thus no baseline studies
>
> 2) SPAN ports do not pass VLAN tags – Result you do not know which
> VLAN a frame came from and also can result in the same packet being
> presented twice or more.
>
> 3) SPAN ports change timing – thus if you are doing any RTP studies,
> or timing studies, no jitter and differentiated timing.
>
> 4) Maybe a switch can handle switching, which it was made for
> but SPAN is not the priority of a switch and thus issues.
>
> 5) All your math is great and proves that switches can handle
> their job but replication is the lowest priority.
>
> 6) Myself and others have tested several switches (to 10G) cheap
> to the best and found much variation…even the Mfr’s support the
> findings.
>
> 7) I do not even want to discuss RSPAN another whole can of issues
>
> 8) SPAN is acceptable for connection studies.
>
> 9) SPAN is NOT acceptable for CALEA access
>
> 10) SPAN is NOT acceptable for Compliance or
> Audit studies
>
> 11) SPAN capture files can cause issues in
> court cases, reasonable doubt issues
>
>
>
> There are some GREAT switches designed to switch data, they were
> never designed to be full diagnostic access tools. If they were the
> best diagnostic tool at least 9 TAP and 7 access expansion companies
> would be out of business in a minute but they are not because they
> are needed.
>
>
>
> I am not against using SPAN but knowing what and how is important so
> one does not lose sight of the limitations.
>
>
>
> TAPs are reasonable in cost , no line coding (another major issue to
> face and can be the root of many other issues) and with a TAP there
> is no doubt of what you are receiving/monitoring.
>
>
>
> Use what you wish but be aware on the limitations and you will get
> the data you need with accurate timing and no losses.
>
>
>
> I use SPAN once in a while, to see who is connected to whom, but
> when I have to testify or validate security/compliance I will only
> use a TAP for access. And a good one that I know has been tested.
>
>
>
> Reality is Reality – and the above is reality, no way around it…
> sorry.
>
>
>
> I wish everyone Great Success with Less Stress. Let’s end this
> discussion – all of the info is out there so those needing to make the
> decision can do so. It has been informative for all.
>
>
>
>
>
> Tim O’Neill - The “Oldcommguy™”
>
> B.T. Solutions, Inc.
>
> Phone – 770-640-0809
>
> Website - www.lovemytool.com
>
> e-mail – Tim@oldcommguy.com
>
> Please honor and support our Troops, Law Enforcement and First
> Responders!
>
> All Gave Some – Some Gave All!
>
>
>
>
>
> From: wireshark-users-bounces@wireshark.org
> [mailto:wireshark-users-bounces@wireshark.org] On Behalf Of Martin Visser
> Sent: Friday, April 09, 2010 10:21 PM
> To: Community support list for Wireshark
> Subject: Re: [Wireshark-users] Looking for a portable sniffing-friendly
> hub/switch
>
>
>
> If you are going to funnel what would be a 1Gbps port into a 10Mbps
> or 100Mbps then you are going to affect any timing far worse than
> any port-mirroring.
>
>
>
> All port-mirroring (or VLAN mirroring for that matter) these days is
> built into the switch ASICs. It will be either a hardware assisted
> copy of the packet buffer or even better just a copy of the pointer
> to the same buffer. Latency will be measured in microseconds -
> and in fact be no different from the standard switching/routing
> operation.
>
>
>
> Obviously if you are mirroring a duplex link you effectively are
> converting to a half-duplex stream. So if you are mirroring a port
> say with 500Mbps outbound (TX) and 500Mbps inbound (RX) that is
> going to become a 1Gbps outbound (TX only) stream on the monitoring
> port. So I agree there will be some shifting of packets as they are
> being interleaved. But for the most part it is going to be only a
> single packet delay. For a full sized 9000 byte jumbo frame at 1Gbps
> this interleaving delay is only going to be 72 microseconds
> (9000*8/10^9). I don't believe there is anyone that is going to
> require analysing jitter or delay at anything better than 1
> millisecond, which is 10 times this packet delay. (I know there are
> some stock trading floor applications that are pretty time critical
> but I doubt delays less than a millisecond are going to be important).
>
>
>
> So I would say for 99% of people and applications port-mirroring
> is going to be better. You have a lot of flexibility in being able
> to turn it on and off with no disruption to the production traffic.
> You can often mirror 1 or many ports and even whole or multiple
> VLANs, as well as allowing remote monitoring in some circumstances.
> Taps either need to be installed during an outage and left in-situ
> until a further outage can be arranged. Also the taps that I have
> used require two ethernet ports for monitoring as a tap separates
> out RX and TX traffic. This probably has the same potential
> interleaving issues in the wireshark or other sniffer that the port-
> mirroring will have.
>
>
> Regards, Martin
>
> MartinVisser99@gmail.com
>
>
> On Sat, Apr 10, 2010 at 9:35 AM, Oldcommguy - Tim
> <oldcommguy@bellsouth.net> wrote:
>
> The Network Critical aggregation 10/100 taps have the best
> aggregation and time assimilation programs.
>
>
>
> I have tested them against many of the others and found them to be
> one of the best.
>
>
>
> Any TAP is going to be better than a Hub or Switch!!!!
>
>
>
> Do NOT use a HUB or SWITCH if you want to get full access and real
> timing for your analysis/monitoring.
>
>
>
> Read the article here to help you understand this more –
>
>
>
> http://www.lovemytool.com/blog/2007/08/span-ports-or-t.html
>
>
>
> If you wait till Sharkfest, there might be some given away by
> sponsor companies.
>
>
>
> Also check e-bay, I have seen some good TAPs there for under 100.00
> – just 10/100.
>
>
>
> Have fun - Tim
>
>
>
> Tim O’Neill - The “Oldcommguy™”
>
> B.T. Solutions, Inc.
>
> Phone – 770-640-0809
>
> Website - www.lovemytool.com
>
> e-mail – Tim@oldcommguy.com
>
> Please honor and support our Troops, Law Enforcement and First
> Responders!
>
> All Gave Some – Some Gave All!
>
>
>
>
>
> From: wireshark-users-bounces@wireshark.org
> [mailto:wireshark-users-bounces@wireshark.org] On Behalf Of Alex Lindberg
> Sent: Friday, April 09, 2010 7:13 PM
> To: Community support list for Wireshark
> Subject: Re: [Wireshark-users] Looking for a portable sniffing-friendly
> hub/switch
>
>
>
> 90% of what I do is 100mb/sec.
>
> DataCom also sells 1gig aggregation taps (both Tx and Rx are captured)
>
> --- On Fri, 4/9/10, Ian Schorr <ian.schorr@gmail.com> wrote:
>
>
> From: Ian Schorr <ian.schorr@gmail.com>
> Subject: Re: [Wireshark-users] Looking for a portable sniffing-friendly
> hub/switch
> To: "Community support list for Wireshark" <wireshark-users@wireshark.org>
> Date: Friday, April 9, 2010, 4:20 AM
>
> Do you guys really tend to work with 10/100 links these days?
>
>
>
> -Ian
>
> On Fri, Apr 9, 2010 at 9:20 AM, Alex Lindberg <alindber@yahoo.com>
> wrote:
>
> In my work, I use a DataCom SS-100 tap (10/100mb). Works great.
>
> The use of Ethernet hubs is full of problems including Speed and
> Duplex issues and port mirroring on an Ethernet Switch does not
> always work as expected.
>
> While true taps are more expensive than other solutions, if you do
> sniffing for a living, then they can't be beat.
>
> DataCom: http://www.datacomsystems.com/index.asp
>
> Alex Lindberg

___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users@wireshark.org>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@wireshark.org?subject=unsubscribe
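As an added example, not code from this thread, from Wireshark, or from any vendor named above: a small Python script that parses a classic libpcap file with only the standard library and checks a capture for two of the SPAN artefacts Tim lists (VLAN tags stripped from frames; the same frame presented twice when a port is mirrored in both directions), and computes the per-frame serialization delay behind Martin's 72 microsecond figure. The sample pcap bytes, MAC addresses, VLAN id and timestamps are constructed for the example; the one-millisecond duplicate window is an assumed default, not a value from the thread.

```python
"""Sanity checks for a capture taken via a switch SPAN/mirror port.

Added example, not code from the thread or from Wireshark: it reads a classic
libpcap file with only the standard library and reports two of the artefacts
the thread discusses (VLAN tags being stripped, the same frame being mirrored
twice) plus the interleaving delay Martin computes.
"""
import hashlib
import struct

PCAP_GLOBAL_HEADER_LEN = 24
PCAP_RECORD_HEADER_LEN = 16
ETHERTYPE_8021Q = b"\x81\x00"
LINKTYPE_ETHERNET = 1


def parse_pcap(data: bytes):
    """Yield (timestamp_seconds, frame_bytes) records from a classic pcap blob."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == 0xA1B2C3D4:          # little-endian, microsecond timestamps
        endian = "<"
    elif magic == 0xD4C3B2A1:        # big-endian, microsecond timestamps
        endian = ">"
    else:
        raise ValueError("not a classic microsecond-resolution pcap file")
    offset = PCAP_GLOBAL_HEADER_LEN
    while offset + PCAP_RECORD_HEADER_LEN <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(
            endian + "IIII", data, offset)
        offset += PCAP_RECORD_HEADER_LEN
        frame = data[offset:offset + incl_len]
        offset += incl_len
        yield ts_sec + ts_usec / 1e6, frame


def is_vlan_tagged(frame: bytes) -> bool:
    """True if the Ethernet type/length field carries an 802.1Q tag."""
    return len(frame) >= 14 and frame[12:14] == ETHERTYPE_8021Q


def audit_capture(data: bytes, dup_window_s: float = 0.001) -> dict:
    """Count tagged/untagged frames and byte-identical frames seen within dup_window_s.

    Zero tagged frames on a capture from a tagged trunk suggests the mirror
    port stripped the tags; byte-identical frames microseconds apart are the
    classic sign of a port being mirrored on both ingress and egress.
    """
    tagged = untagged = duplicates = 0
    recent = []  # (timestamp, sha256 digest) of frames still inside the window
    for ts, frame in parse_pcap(data):
        if is_vlan_tagged(frame):
            tagged += 1
        else:
            untagged += 1
        digest = hashlib.sha256(frame).digest()
        recent = [(t, d) for t, d in recent if ts - t <= dup_window_s]
        if any(d == digest for _, d in recent):
            duplicates += 1
        recent.append((ts, digest))
    return {"frames": tagged + untagged, "vlan_tagged": tagged,
            "untagged": untagged, "duplicates": duplicates}


def serialization_delay_us(frame_bytes: int, link_bps: int) -> float:
    """Time to clock one frame onto the wire; 9000 bytes at 1 Gbps is 72 us."""
    return frame_bytes * 8 / link_bps * 1e6


def _record(ts_sec: int, ts_usec: int, frame: bytes) -> bytes:
    """One little-endian pcap record header followed by the frame bytes."""
    return struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame


def build_sample_pcap() -> bytes:
    """Constructed sample: four frames, one 802.1Q-tagged, one exact duplicate 200 us later."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    dst = bytes.fromhex("001122334455")          # constructed MAC addresses
    src = bytes.fromhex("66778899aabb")
    ipv4_stub = b"\x45" + b"\x00" * 45           # placeholder payload, not a real datagram
    tagged = dst + src + ETHERTYPE_8021Q + struct.pack(">H", 100) + b"\x08\x00" + ipv4_stub
    plain = dst + src + b"\x08\x00" + ipv4_stub
    reply = src + dst + b"\x08\x00" + ipv4_stub
    return (header
            + _record(1270880000, 0, tagged)
            + _record(1270880000, 1000, plain)
            + _record(1270880000, 1200, plain)   # same bytes again: mirrored twice
            + _record(1270880000, 6200, reply))


if __name__ == "__main__":
    print(audit_capture(build_sample_pcap()))
    print(f"{serialization_delay_us(9000, 10**9):.1f} us")
```

Run against a real SPAN capture, a tagged/untagged split that does not match the trunk configuration and a non-zero duplicate count are the quickest ways to confirm Tim's points 1 and 2 for a particular switch before relying on the capture for baseline or compliance work. The duplicate check hashes whole frames, so it will also flag legitimate retransmissions that happen to be byte-identical within the window; widen or narrow the window to suit the link.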