

douglas767 (Technical User), Feb 27, 2002
Hi people!

A few days ago, I did troubleshooting at a customer, and this customer doesn't have switches capable of doing mirroring or spanning tree, and they aren't manageable. I talked with a technician from NAI and he gave me a little box with 3 or 4 connectors; this box was capable of splitting the connection from the server to the switch and let me get my captures.

I'd like to know how this box works, and if it is easy to make by hand.

Thanks

Douglas
 
Nice description. This can be as simple as a hub when using a half duplex connection. When using full duplex, the NAI technician probably provided you with a Full Duplex Pod for the Sniffer. This is a hardware solution from NAI that makes it possible to capture full duplex traffic with the Sniffer. You can put this pod "on the line" in the so-called pass-through mode.

Info about the Full Duplex Pod can be found on the NAI website. It contains its own memory and processor and some possibilities to set filters in the pod too.
Robert

Robert A.H. Wullems
Sniffer University Instructor
SCM / CNX / MCP
Citee Education
the Netherlands
 
Hi Douglas,

You might also have been supplied a "Full Duplex Tap". These devices are made by a company called "Netoptics" (but are available from NAI; speak to your NAI account manager or reseller). They allow you to "tap" between two "full duplex" devices (switch/server in your instance).

All the taps feature passive-link integrity, enabling the network to operate at a continuous flow regardless of whether power is available to the Tap or whether network monitoring devices are on or off. Network traffic flows uninterrupted through the passive Tap, even if power is lost.

Using Taps allows a network manager to connect and disconnect the LAN Analyzer at any time, without disrupting the traffic on the network. Leaving the Tap in-line ensures that the integrity of the network traffic is not interfered with at any time. The line Tap will not affect the integrity of the signal. It allows full-duplex monitoring of network traffic with LAN analyzers without interrupting data traffic.

Leave the 10/100 BaseT Tap inline and connect analyzers as needed. This model comes with two (2) network and two (2) monitor ports. Port#1 and Port#2 are connected to the user's network and the monitor ports are connected to the Network Analyzer(s). Each monitor port monitors data in one direction.

There are also fibre taps (known as splitters, as they are light based), available for ATM, gig etc. links.

Alf
 
Hi Alf,
You're correct about the tap, but is it true that you need two Sniffers to measure FD traffic on a tap? Otherwise you still need one Sniffer and the FD POD from NAI to make a complete setup.

Another solution, specially for the DSS, is the four port Ethernet PCI Card which makes it possible for a DSS to measure FD without the FD POD.
Regards,
Robert

Robert A.H. Wullems
Sniffer University Instructor
SCM / CNX / MCP
Citee Education
the Netherlands
 
Robert,

For your reference the Full Duplex Pod has been discontinued, which is a shame, but it wasn't the most reliable kit I've seen!!

For portable Sniffing, the only Sniffer solution now is the Full Duplex card in a Dolch!

Alf
 
Hi Alf,

Are you sure? I did not hear anything yet about the FD being canceled. If I look in the EOL file the FD pod should still be there:

POD-FEDC-NA-100 n/a n/a Fast Ethernet Full Duplex Pod

This file was updated on 19 March 2003. Anyhow, I will ask some NAI SEs that I will meet next week.
Thanks for the information, now I have something to think about in the weekend. If it is really canceled, that would be bad. I agree it was not a good POD (we had a lot of troubles with some customers about it), but it was the only portable solution to use with a laptop.
Let's see what will happen next; will you be forced to buy a Dolch Flexpack???????
Regards,
Robert

Robert A.H. Wullems
Sniffer University Instructor
SCM / CNX / MCP
Citee Education
the Netherlands
 
Hi Robert,

An extract from an NAI internal newsletter dated 10th Feb 2003:
The Full Duplex Ethernet Pod (POD-FEDC-NA-100) will be withdrawn from price list effective April 1, 2003.

Alf
 
It might be a stupid question to ask, but what if I do port mirroring on a switch from a 100 full-duplex port to the monitor port with a Sniffer Pro laptop with a CBE2 NIC attached, and then analyze the network traffic?

bar
 
You will see all the traffic, but it won't be FD anymore. A SPAN / Mirror port is, as far as I know, always HD (downstream to your Sniffer).
So the switch will combine the two channels from the FD link into an HD channel to your SPAN / Mirror port.

This is always tricky; you will never know what your switch will pass and what not, and think about delta times....., and what will happen to the original frame sequence. Theoretically there can be two frames at the same time on the FD link, one on the receiving side and one on the sending side (there are some nice slides about this in one of the Sniffer University classes).

So to keep it short, you will (probably) see all the traffic, but the behaviour is different than on the FD link.
Robert


Robert A.H. Wullems
Sniffer University Instructor
SCM / CNX / MCP
Citee Education
the Netherlands
 
And this thread also holds true for an NIDS solution. Mirroring is not the best solution; the tap works better. And to carry it a bit further, you can use the Sniffer as an IDS with the right filters :)

MikeS


Find me at
"Take advantage of the enemy's unreadiness, make your way by unexpected routes, and attack unguarded spots."
Sun Tzu
 
Hi,

Thanks a lot to everyone, I gained a lot of expertise from this thread. I followed the path of contacting my NAI territory manager and they sent me a "Full Duplex Tap", and I did my job. I found the problem and my boss is very HAPPY!!!

Thanks to everyone! Including the people that sent unrelated posts, because they made me think a bit.

Douglas
 
Nice to hear, Douglas.
Regards,
Robert

Robert A.H. Wullems
Sniffer University Instructor
SCM / CNX / MCP
Citee Education
the Netherlands
 
Guys,
Sorry for the late response, but I think Sniffer Distributed 4.3 now supports the FDX card as a replacement to the FDX pod.
Check out the ReadMe posted by Alf in another thread or visit the Sniffer Distributed web site.
Portable.
 
Lots of good information here. The informal internal announcement that the FDX Pod was no longer to be available was disseminated in the US market several months ago.

Distributed v4.3 does in fact support FDX and there is a specific card being offered for it. If you already have an ET05 in hand (multi card Ethernet Sniffer with four monitor cards) there are special drivers available that bind the first two cards together so that they function as a dual receive FD NIC.

The question of identical delta times is an interesting one and I don't know of any solution short of appropriate analyzer intelligence that addresses this one.

I would be remiss if I failed to mention that my employer also offers a full duplex copper tap identical in functionality to the NetOptics product. Something we also offer for the Distributed Sniffer that is not available from them is an in-line matrix switch that combines sixteen fault tolerant passive copper FD taps into a 1.75" high chassis. It allows the user to share a single FDX Distributed Sniffer among multiple links and switch among them remotely from within the Sniffer Console software. Please note that this product DOES not support the old FDX pod that has been discussed here; it is specifically targeted at products with true dual receive NICs and native FD support.

Many people are doing analysis of FD links through SPAN ports and although it's a necessary evil.... it's best to remain aware of the limitations:

You can send a copy of the FD traffic but as Robert so aptly pointed out, the SPAN/Mirror port is half duplex by nature. Even if you could configure it as FD, it's still doing "send-only" to the Sniffer NIC, which is "receive-only" in promiscuous mode. The important thing to remember is that a SPAN port can never send more than 100 Mbps and an FD link has a theoretical capacity of 200 Mbps. It's easy to oversubscribe it if trying to SPAN a very busy link (or links). You will NOT be notified of the dropped packets and there is no retransmission (you could check the MIB at port level on the Ethernet switch and compare it to the packet count in the trace file, but few people have the time to do this).

Also.... layer 1 and 3 errors are NOT propagated by SPAN ports; they are discarded at port level. Few of us spend time chasing down jabbering NICs these days and cabling infrastructures are more reliable and robust than ever, but CRC errors are still a fact of life on networks and a high level of them implies that lots of retransmissions are going to be occurring, potentially slowing down the network. On a large, well instrumented network that has good management platforms in place (Concord, Lucent, HP OpenView etc.) you may already have a way to be notified of such instances, but in smaller organizations it's critical to keep track of them. SPAN port connectivity for analysis is a necessity for most of us, but placing taps in a few key locations may be very helpful.


Owen O'Neill
Datacom Systems Inc.
Northeastern SE
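Robert's point (a mirror port collapses both directions of an FD link into one half-duplex channel, so delta times and frame order change) and Owen's point (a 100 Mbps SPAN port cannot carry a 200 Mbps link, drops are silent, and the only check is switch interface counters against the trace) can be made concrete with a small timing model. This is an added example, not code from the thread or from NAI, NetOptics or Datacom. The buffer size, the frame timings, the "A->B"/"B->A" direction labels and the FIFO behaviour of the mirror port are constructed assumptions; real switches differ in buffering and in how they interleave the two directions, which is exactly Robert's "you will never know what your switch will pass".

```python
"""Constructed model of a passive tap versus a SPAN/mirror port on a
full-duplex Fast Ethernet link.  Times are integer nanoseconds; preamble
and inter-frame gap are ignored for simplicity.  Not from the thread."""
from dataclasses import dataclass

SPAN_MBPS = 100   # a Fast Ethernet mirror port emits at most 100 Mb/s, one direction


@dataclass(frozen=True)
class Frame:
    wire_ns: int     # time the frame appeared on the full-duplex link (ns)
    direction: str   # "A->B" or "B->A" (constructed labels: server<->switch)
    size: int        # bytes on the wire


def tx_ns(size: int, mbps: int = SPAN_MBPS) -> int:
    """Serialisation time of a frame in ns (exact for integer Mb/s rates)."""
    return size * 8 * 1000 // mbps


def tap_capture(frames):
    """A tap's two monitor ports: each direction delivered whole, timing untouched."""
    by_dir = {"A->B": [], "B->A": []}
    for f in sorted(frames, key=lambda f: f.wire_ns):
        by_dir[f.direction].append(f)
    return by_dir


def span_capture(frames, buffer_bytes: int):
    """Mirror port modelled as a FIFO buffer feeding one 100 Mb/s channel.

    Returns (delivered, dropped).  delivered is a list of (span_ns, Frame),
    span_ns being when the analyser NIC starts receiving the frame; dropped
    counts frames the switch discarded because the buffer was full.  Nothing
    tells the analyser about those drops and there is no retransmission."""
    delivered, dropped = [], 0
    queue = []      # (finish_ns, size) for frames still occupying the buffer
    free_at = 0     # when the mirror port finishes sending its current frame
    for f in sorted(frames, key=lambda f: f.wire_ns):
        queue = [q for q in queue if q[0] > f.wire_ns]  # fully sent frames leave the buffer
        if sum(size for _, size in queue) + f.size > buffer_bytes:
            dropped += 1
            continue
        start = max(f.wire_ns, free_at)    # both directions share one output channel
        free_at = start + tx_ns(f.size)
        queue.append((free_at, f.size))
        delivered.append((start, f))
    return delivered, dropped


def missing_from_capture(port_tx_frames: int, port_rx_frames: int, captured: int):
    """Owen's check: the switch's per-direction interface counters for the
    tapped link versus the number of frames that reached the trace file."""
    expected = port_tx_frames + port_rx_frames
    return {"expected": expected, "captured": captured, "missing": expected - captured}


def constructed_busy_link(n: int = 10, size: int = 1500):
    """Both directions saturated with full-size frames, offset by half a frame:
    200 Mb/s of traffic offered to a 100 Mb/s mirror port (constructed input)."""
    step = tx_ns(size)
    return ([Frame(k * step, "A->B", size) for k in range(n)]
            + [Frame(k * step + step // 2, "B->A", size) for k in range(n)])


if __name__ == "__main__":
    frames = constructed_busy_link()
    tap = tap_capture(frames)
    delivered, dropped = span_capture(frames, buffer_bytes=3000)
    print("tap: A->B %d frames, B->A %d frames, no drops"
          % (len(tap["A->B"]), len(tap["B->A"])))
    print("span: %d delivered, %d silently dropped" % (len(delivered), dropped))
    print(missing_from_capture(len(tap["A->B"]), len(tap["B->A"]), len(delivered)))
    a_span = [t for t, f in delivered if f.direction == "A->B"]
    print("A->B delta on the wire: %d ns, as seen via SPAN: %d ns"
          % (tap["A->B"][1].wire_ns - tap["A->B"][0].wire_ns, a_span[1] - a_span[0]))
```

With the constructed saturated link, the tap hands the analyser all 20 frames with their original spacing, while the mirror port model delivers 11 and silently discards 9; the comparison of the two interface counters against the trace count is the only way to notice. The A->B frames that do get through arrive 240 µs apart instead of 120 µs, which is the delta-time distortion Robert warns about. Reducing either direction's load below the SPAN port's capacity (for example feeding only one direction) produces no drops in the model, matching the 100 Mbps limit Owen states.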
 
Hi Owen:

You mentioned something about special drivers available in order to bind two cards together to do FD Sniffing; are they the ones included with Sniffer? How do I make the bind?

Thanks

Alex.
 
Hi Alex,

To do Full Duplex Sniffing, with either the ET05 (4-port Ethernet unit), or the FD (2-port card Ethernet unit), there is an icon in the "Control Panel", labelled "Adaptec". If you open this up you can group interfaces together.

With the ET05, as there are 2 PCI cards in the unit, the monitoring card and the "Tapping" card (one has 4 ports and the other has 5 ports), you need to use the supplied 4-to-1 cable (the official name of it escapes me!). For more information see the v4.2 or v4.3 Install Guide, as it's easier than me explaining it.

Alf

 
Alf:

Are there instructions to install this 4-to-1 cable? You may be sure I'm going to read all of this manual, as soon as I have it, of course.

I had seen that icon but I didn't pay attention to it until now.

Many thanks for your help !

Alex.
 
Couldn't you just use the new Distributed topology 'EFD1' to do full duplex analysis...?
 
"Couldn't you just use the new Distributed topology 'EFD1' to do full duplex analysis...?"

Yes.... that's the best solution but many people already have ET05 platforms on hand that can now be adapted to use as a full duplex analyzer.


Owen O'Neill
Datacom Systems Inc.
Northeastern SE
 
Hi everybody:

About the full duplex card, where can I find info about it? About its interfaces, for example, or maybe a brochure about it.

Any comment would help.

Thanks, Alex.
 