
Network Analysis & Troubleshooting Book (Question)


dfusion

MIS
Oct 25, 2002
46
US
I'm reading Network Analysis & Troubleshooting by J. Scott Haugdahl. Great book so far!

It talks about switched environments and how switches will discard CRC errors, so your network analysis tool may not detect the error packets. It then goes on to talk about special drivers for certain NICs, Sniffer being one of them, and how you can capture these errors. I am fully aware of Sniffer's capabilities, but maybe I'm not understanding the underlying technology of how it all works.

What's the difference of plugging in Sniffer (with special drivers for Xircom) to any switch port on my Big Iron 8000 versus using *any* network sniffing software and using a copper tap, hub in front of the switch port, or port mirroring?

I'm still confused. *sigh*

Just trying to understand the cost justifications and the benefits we gain by using Sniffer versus Ethereal. The users and developers on the Ethereal mailing list point out many things that Ethereal does that Sniffer won't. I understand the bias, as I'm sure it goes the other way too.
Sr. Network Engineer
ArcLight Systems, LLC
 
What do you gain? A real commercial product with real support and some nice reporting functions. The whole world is a de facto standard of Sniffer, so if you want to exchange trace files, you need it in that format. I'm not sure Ethereal can keep up at 100Meg and not drop too many packets.

My personal preference is if you want to save a buck, get etherpeek. If money is not that much of an object, get Sniffer with a normal card... forget the *special* NIC.. it's pretty much useless in a modern switched network.

Many of the cheaper products work fine at lower speeds or small traces. When you have a 50Mbps data stream and a 40 meg trace file that you are trying to do things with, it separates the men from the boys. Also, the number of ID'ed packet formats is important, i.e. what is a RADIUS packet, TFTP and so on. Not all sniffers are equal in that regard and some can only tell you about the very common ones.

Building custom filters is Sniffer's and Etherpeek's strongest point. Many others cannot do this at all or do it well. I think Etherpeek is easier in this regard, but both can build very complex filters.

MikeS
Find me at
"Take advantage of the enemy's unreadiness, make your way by unexpected routes, and attack unguarded spots."
Sun Tzu
 
Mark,
It is correct that the switch (regardless of vendor) WILL discard ALL errored frames - but this is not a problem because the amount of physical errors should be very small on a switched environment.
My personal preference is to TAP rather than SPAN because you cannot be absolutely sure whether the switch management software is passing all the frames to the SPAN port, and if you SPAN a VLAN there is a possibility of bringing down the switch.

Sniffer's expertise over Ethereal is the expert capability and the ease of use. Also they do not have a distributed solution, which promotes a more proactive mindset within the IT department.

Hope this helps
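To make the "switch discards errored frames" point concrete, here is an added example (not from the book or any poster) that models it in Python: it builds a few constructed Ethernet frames, flips one bit in one of them without recomputing the FCS, then compares what an analyzer behind a hub or tap would count against what a store-and-forward switch would pass to a SPAN port. The frame contents and MAC addresses are made up for the demonstration.

```python
import struct
import zlib

def ethernet_fcs(body: bytes) -> bytes:
    """IEEE 802.3 FCS: CRC-32 over the frame body (dst+src+type+payload),
    transmitted least-significant byte first. zlib's CRC-32 uses the same
    polynomial, init value and final XOR as Ethernet."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)

def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Ethernet II frame with payload padded to the 60-byte minimum, FCS appended."""
    body = dst + src + struct.pack("!H", ethertype) + payload
    body = body.ljust(60, b"\x00")
    return body + ethernet_fcs(body)

def fcs_ok(frame: bytes) -> bool:
    """True when the trailing 4 bytes match the CRC-32 of everything before them."""
    if len(frame) < 64:          # runt: below the minimum legal frame size
        return False
    return ethernet_fcs(frame[:-4]) == frame[-4:]

def classify(frames):
    """(good, crc_error) counts: what an analyzer on a hub or tap sees on the wire."""
    good = sum(1 for f in frames if fcs_ok(f))
    return good, len(frames) - good

def switch_forward(frames):
    """Model a store-and-forward switch: bad-FCS frames are dropped, so they never
    reach any egress port, including a SPAN/mirror port."""
    return [f for f in frames if fcs_ok(f)]

def sample_capture():
    """Constructed capture: two clean frames plus a copy of the first with a bit error
    injected after the FCS was computed (simulating damage on the cable)."""
    dst = bytes.fromhex("001122334455")        # constructed MAC addresses
    src = bytes.fromhex("66778899aabb")
    good1 = build_frame(dst, src, 0x0800, b"constructed payload 1")
    good2 = build_frame(dst, src, 0x0800, b"constructed payload 2")
    damaged = bytearray(good1)
    damaged[20] ^= 0x01                         # single-bit error inside the payload
    return [good1, bytes(damaged), good2]

if __name__ == "__main__":
    cap = sample_capture()
    print("hub/tap view:  good=%d crc_errors=%d" % classify(cap))
    print("SPAN view:     good=%d crc_errors=%d" % classify(switch_forward(cap)))
```

The SPAN view reports zero CRC errors not because the wire is clean but because the switch already dropped the frame; the switch's own interface error counters, a hub or a tap are where that error is still visible.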
 
Both Sniffer and Ethereal have good features. If your question is whether you should spend the extra money for the special NIC cards, I would say no. The switch should give you the physical errors; if you feel the switch is not reporting the errors, you can always hub out to verify. I believe the Sniffer is friendlier to the novice user, but the real issue is getting familiar with whichever sniffing device you are using. Analysing takes a lot of patience and a lot of chasing your tail trying to figure out what is really an issue and what is normal network chatter.
 