If I have my monitor port mirrored (or spanned) to a server port that I'm looking at, and both the server and the monitor port are connected to the same switch at 100full-duplex, why am I seeing so many drops? The server's 100mb connection could not overwhelm the monitor's 100mb connection, right? The drops come in waves of thousands at a time, then it's quiet for a while, then another wave of a few thousand. The utilization on the server port is registering at around 20%. Thanks.
Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
DSPro Dashboard Drops
- Thread starter 6969
- Start date
AlfSutherland
Technical User
The reason you are seeing drops, is due to the speed of the network connection and the nature of switch mirroring.
1. What you are doing on the switch is spanning 100 FX, onto a 100 HX port! In doing this, the switch buffers the packets and sends them out in a 'uniform stream with the correct inter-frame gap'. (This is not "bursting", but is a similar effect). If it is busy (or it buffer is full) the switch may drop packets to conserve it's proceesing power for its primary purpose.
2. When the switch releases it's buffer the Sniffer may also drop packets (more common when not using a NAI supported NIC), this can be seen in the capture panel.
Alf
1. What you are doing on the switch is spanning 100 FX, onto a 100 HX port! In doing this, the switch buffers the packets and sends them out in a 'uniform stream with the correct inter-frame gap'. (This is not "bursting", but is a similar effect). If it is busy (or it buffer is full) the switch may drop packets to conserve it's proceesing power for its primary purpose.
2. When the switch releases it's buffer the Sniffer may also drop packets (more common when not using a NAI supported NIC), this can be seen in the capture panel.
Alf
- Thread starter
- #3
Why do you say that my monitor port is half-duplex? I've set it for 100full duplex to match the server that I'm monitoring. Is the NIC in the DSPro capable of only half duplex? Despite setting it to full duplex? Also, another thing I noticed is that there are no dropped packets when capturing - only when monitoring on the Dashboard and with the Drops History report. Thank you.
AlfSutherland
Technical User
I believe that you can set the port to 100Mb FX, but the mirrored speed will only be 100Mb Half Duplex. Definitely worth looking into your switches manufacturers documentation on this though!
With regard to Distributed Sniffer, the monitor ports are half duplex. You can set the transport/management port to 100Mb FX, but this will not effect the monitoring or capturing of the unit.
Alf
With regard to Distributed Sniffer, the monitor ports are half duplex. You can set the transport/management port to 100Mb FX, but this will not effect the monitoring or capturing of the unit.
Alf
Hi,
You can only measure Full Duplex with the DSS using the four port Ethernet card or the Full Duplex Pod. So, it does not help to put your switch port on FD as the DSS wil only pick up one side of the conversation when using a normal (Adaptec?) PCI NIC.
And yes, this NIC itself supports FD, but not the combination Sniffer -> NIC
Robert Robert A.H. Wullems
Sniffer University Instructor
SCP / SCE / CNX / MCP
Citee Education
the Netherlands
You can only measure Full Duplex with the DSS using the four port Ethernet card or the Full Duplex Pod. So, it does not help to put your switch port on FD as the DSS wil only pick up one side of the conversation when using a normal (Adaptec?) PCI NIC.
And yes, this NIC itself supports FD, but not the combination Sniffer -> NIC
Robert Robert A.H. Wullems
Sniffer University Instructor
SCP / SCE / CNX / MCP
Citee Education
the Netherlands
Hi Newling,
That is the same story, the Xircom itself supprts FD, but not in combination with the Sniffer. For that you will again need a full duplex Pod. This is the solution to measure FD with a portable Sniffer
Regards,
Robert Robert A.H. Wullems
Sniffer University Instructor
SCP / SCE / CNX / MCP
Citee Education
the Netherlands
That is the same story, the Xircom itself supprts FD, but not in combination with the Sniffer. For that you will again need a full duplex Pod. This is the solution to measure FD with a portable Sniffer
Regards,
Robert Robert A.H. Wullems
Sniffer University Instructor
SCP / SCE / CNX / MCP
Citee Education
the Netherlands
Hi Robert,
thanks for the answer. Is there a way to choose the part of the
monitored port?
For a longer test i monitored the port of the line outgouing of
our net. This line is connected to a 8 mbit router, so the
real speed would (i think) be not the problem.
The counters and values seems all to be possible.
In a next step i will compare the counters of the switch
because the switch counts every direction seperatly.
For European Users: NAI starts a workshop in january 15th/16th in Munich.
Andi
thanks for the answer. Is there a way to choose the part of the
monitored port?
For a longer test i monitored the port of the line outgouing of
our net. This line is connected to a 8 mbit router, so the
real speed would (i think) be not the problem.
The counters and values seems all to be possible.
In a next step i will compare the counters of the switch
because the switch counts every direction seperatly.
For European Users: NAI starts a workshop in january 15th/16th in Munich.
Andi
As Far as i know (don't shoot me on that one) there is not a real way to switch betweenn the A or B side of a FD connection (Sniffer cals them A and B in the decode screen).
The times i measured a FD link with a xircom card, it looked af it was choosen randomly.
Robert Robert A.H. Wullems
Sniffer University Instructor
SCP / SCE / CNX / MCP
Citee Education
the Netherlands
The times i measured a FD link with a xircom card, it looked af it was choosen randomly.
Robert Robert A.H. Wullems
Sniffer University Instructor
SCP / SCE / CNX / MCP
Citee Education
the Netherlands
Hi Robert,
next time i check out if possible this item. (and will report
here).
I see an other chance to catch it; with the dell notebook
i can run two instances of the sniffer in parallel.
Maybe the can show in the right config the full traffic.
greets
Andi
next time i check out if possible this item. (and will report
here).
I see an other chance to catch it; with the dell notebook
i can run two instances of the sniffer in parallel.
Maybe the can show in the right config the full traffic.
greets
Andi
- Status
Similar threads
- Locked
- Question