Sniffing in Switch Environment 2

[mien]

Hi,

Correct me if i'm wrong, sniffer has it limitation when come to switch environment.
Now, how can I do a baseline for an environment, let say about 8 switches in a LAN.
What would be the practical approach to have an overall baseline rather than mirroring individual ports.
Assume the switch does not allow multiple spanning.

Another question, why is it that I kept getting just a 10 % utilization distribution from the global statistics of sniffer. Am getting the right info?

thank you

 

[wybnormal]

It gets messy with the switches. You will get the broadcast traffic regardless since a switch acts as a bridge with broadcasts. A better bet is to insert into the backbone or switch to switch connections and run your baselines from there. Some sniffers will let you get the RMON stats from the switch but be warned it can throw a heavy load on the switch.

Mike S
"Diplomacy; the art of saying 'nice doggie' till you can find a rock" Wynn Catlin

 

[fortunat]

I typically use a SNMP/RMON poller, assuming SNMP/RMON is available on that switch.

I like SNMPC (

http://www.castlerock.com),

but also tried What's up Gold version 6 (

http://www.ipswitch.com)

and Network View (

http://www.networkview.com).

All are pretty decent and pulling stats from a device. If the vendor od your switch provides their own poller software, look at that first, since they may have propriatory information that the mentioned software may not report.

As far as what to look for I look for ports that have a high number of errors or even better, a high percentage of errors.

Good luck

 

[mien]

Thank you fir answerubg my question.
Wybnormal,
Could u elaborate on the switch to switch connections?
If the backbone is a switch as well, how do i go about it using NAI sniffer?
And from your experience, how do u minimize the broadcast to the lowest in a switch?

 

[wybnormal]

It can be quite a bit of work to kill off all the extra broadcasts.

kill all unneeded protocols
stay away from protocols like IPX which uses SAPing
stay away from RIP
Kill netbeui on the LAN
correct configure WINS to use directed broadcast first.. it's Hybrid mode if I remember right
Watch out for custom applications that use unwanted protocols OR come on the wire misconfigured ( happens all the time)
Check all printservers for unwanted protocols, HP and Axis are known for enabling the kitchensink by default

If your switches are cascaded.. or "daisy changed", you can inset the sniffer in the link between the two switches to see ALL the traffic on the link going to and from one one of the switches.. or with many switches, they have a high speed GIG or such for a backbone. If you have the proper card/software, you can get in the that link and see everything downstream. You may have to do this in several places but it's doable.

Mike S
"Diplomacy; the art of saying 'nice doggie' till you can find a rock" Wynn Catlin

 

[SpenceP]

With regard to your intrepretation of the Global Statistics screen, you say you are gettings 10% utilisation constantly. Try to think of the GS screen to be a time based screen. IF you are getting 100% of traffic in the first bar it means that since you started the GS screen, 100% of the traffic has been between 0-10% of utilisation.

Spencer Parker
Axial Systems

 

[Elca]

You can deal successfully with Sniffer Full Duplex pod or Shomiti Century Tap or
HP LAN Analyzer Tap. It's eliminates many of the problems commonly associated with
the use of a switch mirror port:

- Switch performance degradation
- Inability to mirror errors such as undersize and oversize packets, and packets with a bad CRC.
- Inability to view VLAN traffic
- Poor full-duplex support

But It also can't handle overall baseline. So you should use a SNMP RMON Monitoring as
posted above such as What's Up Gold, SNMP Utilities.

Hope this helps,

- Elca

 

[mien]

thank you, for the tips.

 

[jkeeper]

Question:

can I use sniffer 4.5 with Shomiti Century Tap or any other hardware to captuer packets or monitor the network?

jkeeper