protocol analyzer for a switch

Network monitoring/snooping used to be soooooo easy. Nortel's port mirroring can be a pain to set up with .1q involved, and multicast traffic will still not get mirrored, at least not in versions of code that I have seen.

I would recommend purchasing a little 'pocket' hub that you can drag with you. Jack the segments through the hub, and place the snooping device on the hub. There are still caveats of course...

-mike

Michael Roberts

No sniffer can analyze packets it can't see. Some switches can be configured to monitor a port, but that's about all.

James Knott

I'm told some cheapo stuff with a "hub" badge is really a switch :-(.

ebay has 'em real cheap.

Al Dykes

Can anyone tell me if there is a packet sniffer out there (preferably a free one) that can analyze the network through a switch?

Right now we use ethereal, but we have to plug it into a regular hub, then into the network switch to see the broadcast packets.

Anyone?

CJ

:> Can anyone tell me if there is a packet sniffer out there (preferably a free one) that can analyze the network through a switch?

:> Right now we use ethereal, but we have to plug it into a regular hub, then into the network switch to see the broadcast packets.

:No sniffer can analyze packets it can't see. Some switches can be configured to monitor a port, but that's about all.

Expanding a little on James' answer:

It's relatively common on managed switches to offer a port "mirroring" feature, which copies port traffic to a different location. Nortel calls it mirroring; Cisco calls it "SPAN" if the data is sent to a local port, "RSPAN" if the traffic is sent remotely.

The selection criteria for this copying vary greatly between manufacturers and models; for some it copies everything always; others allow you to be selective with criteria such as source port, source IP, destination port, destination IP, protocol, or VLAN tag [e.g., the Nortel Baystack 470 can select based upon most of these.]

In some switches, the destination port the traffic is being copied to is isolated from everything else and will -only- transmit the copied data. On other switches [the Nortel Accelar 1100/1200 series are the only ones that come to mind] the destination port can still be used for regular traffic, thus making it easier to monitor through the network.

Different switches also differ on two other important features: whether VLAN tags get stripped off; and whether the original source MAC address of the packet is preserved or if the original source MAC is replaced with the MAC of the egress port of the switch.

I ran across some switch literature a couple of months ago for a model which required that one set the egress port to match the VLAN # of the port to be monitored, and the VLAN tag always got stripped out. Monitoring a complete trunk was not possible on that device.

With regards to software: Fluke Networks "Network Inspector" has an option (I think it might be extra cost) of a "Port Mirroring Wizard" which knows about several different models of switches and how to configure them to send traffic along to be monitored. I have never played with that feature myself as I don't have redundant links for management purposes so activating mirroring would cut off the network.

Walter Roberson
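
A check one could run on frames captured from a mirror port to see whether a given switch strips VLAN tags or replaces source MACs, the two behaviours described in the post above. This is an added example, not part of the original thread; the function names and sample frames are constructed for illustration, and frames are assumed to be available as raw Ethernet bytes.

```python
import struct
from collections import Counter

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q VLAN tag

def parse_frame(frame: bytes):
    """Return (src_mac, vlan_id or None, ethertype) for one raw Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    src = frame[6:12].hex(":")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan = None
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan = tci & 0x0FFF  # low 12 bits of the TCI are the VLAN ID
    return src, vlan, ethertype

def assess_mirror(frames, expected_tagged=True):
    """Summarise what a mirror port did to the copied traffic."""
    parsed = [parse_frame(f) for f in frames]
    src_counts = Counter(p[0] for p in parsed)
    tagged = sum(1 for p in parsed if p[1] is not None)
    return {
        "frames": len(parsed),
        "tagged": tagged,
        "vlans": sorted({p[1] for p in parsed if p[1] is not None}),
        "distinct_src_macs": len(src_counts),
        # Tags expected (trunk source) but none seen: the mirror strips them.
        "tags_stripped": expected_tagged and tagged == 0,
        # One source MAC on every frame hints at egress-MAC substitution.
        "src_mac_rewritten_suspected": len(parsed) > 1 and len(src_counts) == 1,
    }

def build(dst, src, payload_type=0x0800, vlan=None):
    """Construct a sample frame (test data only, not captured traffic)."""
    hdr = bytes.fromhex(dst) + bytes.fromhex(src)
    if vlan is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vlan)
    return hdr + struct.pack("!H", payload_type) + b"\x00" * 46

# Constructed samples: a mirror that keeps tags and MACs, and one that does neither.
GOOD = [build("ffffffffffff", "020000000001", vlan=10),
        build("020000000001", "020000000002", vlan=20)]
BAD = [build("ffffffffffff", "0200000000aa"),
       build("020000000001", "0200000000aa")]
print(assess_mirror(GOOD), assess_mirror(BAD), sep="\n")
```

A single source MAC across a short capture can also be one busy host, so compare it against the switch's own port MAC before concluding the switch rewrote it.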

You can flood the switch with (faked) arp-packets causing the switch to act like a hub, but this will definitely influence any attempt to do some troubleshooting.

Jens

Jens Link
