Protocol Analyzer 3

Status
Not open for further replies.

networkstudent

Technical User
Sep 12, 2002
VE
Hi Everybody!

I have an HP 4972A protocol analyzer with the TCP/IP interpreter, stats and so on. Do any of you know if it works in a switched environment, and how?

I've connected it to my home lab, but it has a BayStack 303 switch and there's almost no traffic displayed on the analyzer's traffic monitor.

Any help?


Thanks

Jose
 
You know, it is amazing, but I just happen to have the PDF of the BayStack 303 manual open at page 62, where it talks about Conversation Steering, so you can monitor a port's traffic from another port. I bet that will help! (Page 104 was very clear.)

User Guide
I tried to remain child-like, all I achieved was childish.
 
Well, this is a good and common question. I used to teach a networking course at DeVry a few years ago, and would have students figure this one out.

But here is your answer as to why you don't see any traffic on the Baynet switch with your analyzer.

On a network switch (not a Hub/Repeater) packets are not passed from one port to another "unless" that traffic is sent to a known network or device on that port. Also, most switch configurations will block broadcasts from being sent to all ports to prevent network saturation as well.

Now that we know what the switch is doing, we need to tell it to NOT do that for one port.

In the manual for the switch you need to locate how to set a port to "promiscuous" mode. This tells the switch to send ALL traffic passing through the switch to this port so that traffic can be monitored for security and/or LAN/WAN diagnostics.

O.K., now that I have looked at the docs: your switch calls this "Conversation Steering". This allows you to configure the switch so that it MIRRORS the traffic of ONE port to another for monitoring. Now let's say the switch is connecting two segments with multiple computers on each segment and we need to see all the traffic from both segments.

By default you will have to monitor one segment, then the other, separately. We should be able to set up a temporary VLAN within the switch, place both/all the segments we need to monitor at once in the new VLAN, and then MIRROR the traffic from one of the ports assigned to the VLAN to our "monitor" port and see all traffic.

I hope this helps out.
 
SparkByte has some incorrect information here -->

1."On a network switch (not a Hub/Repeater) packets are not passed from one port to another "unless" that traffic is sent to a known network or device on that port.".

In fact, if a switch (or a bridge) receives a frame with a destination address which it *has not* learned, it will forward it out all ports (except the one it receives it from). It does this because otherwise connectivity between two end stations might never occur. Normally of course, an end station will broadcast say an ARP. Thus the switch will learn, from the source address, on which port an end station lives. Once it has learned this, only then will it know to forward packets for that destination address just to that port.

2. "Also most switch configurations will block broadcasts from being sent to all ports to prevent network saturation as well."
No switches I have used (and I have used *every* vendor - Cisco, Nortel, 3Com, Digital, Xylan, Cabletron ...) do this by default. In the last few years switches have had the capability to limit broadcasts, usually to a certain rate, say 100 per second, to limit the effect of a storm of broadcast packets. Others will shut a port for a period of time if broadcasts exceed a certain level. Certainly some switches can filter out packets by address, hence could block all broadcasts, but this must be explicitly configured, and is *never* by default. (If you did block broadcasts within a network, most protocols would break. Broadcasts are used legitimately in LANs to discover services that are offered by the network. Broadcasts usually become a problem if poor choices are made for protocol deployment, misconfiguration, or sometimes equipment malfunction.)

Also if you use VLANs then broadcasts within a VLAN will be constrained to that VLAN.
There is also a related feature on some switches called IGMP snooping which is used to constrain *multicast* packets only to those ports where end stations have registered. Again this is not normally on by default though.


I know I am sounding pedantic, but it is important to correctly document the exact mechanism by which network equipment operates. Otherwise those of us that are considered to be *gurus* become in fact wizards of black magic.
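
The learning and flooding behaviour described in the post above, as an added example that is not part of the original thread: a small Python simulation of a learning switch, comparing what an analyzer sees on an ordinary port with what it sees once another port is mirrored to it. The MAC addresses, port numbers and the `mirror` parameter are constructed for illustration and do not model the BayStack 303's actual configuration.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"
A, B, C = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:0c"  # constructed MACs

class LearningSwitch:
    def __init__(self, ports, mirror=None):
        self.ports = set(ports)
        self.mac_table = {}                  # learned source MAC -> port
        self.mirror = mirror                 # (mirrored_port, monitor_port) or None
        self.seen = {p: [] for p in ports}   # frame labels delivered to each port

    def receive(self, in_port, src, dst, label):
        self.mac_table[src] = in_port        # learn where the sender lives
        if dst == BROADCAST or dst not in self.mac_table:
            out = self.ports - {in_port}     # flood: broadcast or unknown unicast
        else:
            out = {self.mac_table[dst]} - {in_port}  # known unicast: one port only
        if self.mirror:
            mirrored, monitor = self.mirror
            # copy every frame entering or leaving the mirrored port to the monitor
            if in_port == mirrored or mirrored in out:
                out = (out | {monitor}) - {in_port}
        for port in sorted(out):
            self.seen[port].append(label)

# Constructed traffic: host A on port 1, host B on port 2, analyzer (silent) on port 3.
FRAMES = [
    (1, A, BROADCAST, "ARP request A->all"),
    (2, B, A, "ARP reply B->A"),
    (1, A, B, "data A->B"),
    (2, B, A, "data B->A"),
    (1, A, C, "A->C unknown destination"),  # C has never sent, so it is not learned
]

def analyzer_view(mirror=None):
    """Return the frames an analyzer on port 3 receives."""
    sw = LearningSwitch(ports=[1, 2, 3], mirror=mirror)
    for frame in FRAMES:
        sw.receive(*frame)
    return sw.seen[3]

if __name__ == "__main__":
    print("no mirroring:  ", analyzer_view())
    print("port 1 -> 3:   ", analyzer_view(mirror=(1, 3)))
```

Without mirroring the analyzer receives only the flooded frames (the broadcast and the unknown-destination unicast); with port 1 mirrored to port 3 it also receives the learned unicast conversation.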

 
Thank you all folks!

I know about layer 2 switching, micro-segmenting and so on, but I've found your explanations very helpful. The real reason for my question is that I have the network analyzer I mentioned before (HP), Network Associates Sniffer Pro 4.7 and Network/Protocol Inspector from Fluke. When I use Sniffer I can see all the traffic even when I do not enable port or conversation steering (thanks again, by the way; I saw it in the manual but I never realized what it was for 'till now), so I became curious why Sniffer works in a switched environment without any configuration adjustment and the protocol analyzer does not. Maybe it uses SNMP? I think I'll figure it out while I keep learning a little more.

Thanks and a well deserved star for all of you!



 