switch requirements for sniffing ?

[hellbeach]

Hello everyone
I´m thinking about buying a sniffer (NAI or NetworkInstruments Observer) for our organization to get a better picture of the network traffic but I have a question:

At the moment we have a 100 Mbit switched network (no management on switches), do I need some special kind of switches to be able to monitor the network traffic ?

I ran an evaluation copy of NetworkInstruments Observer and when I tried looking at the "Total bandwidth utilization" I didn´t get any readings, unless I used the network on the computer I had installed NI Observer on. I suspect I need a switch which supports port mirroring, is this correct ? could you recommend a hp procurve or 3com switch ?

/Dan

 

[vipergg]

A sniffer on a unmanaged switch won't do you much good , you need to be able to span the ports to be able to look at data flows . the switch must support this and must be managable . If you do get a analyzer , observer is going to be a lot less $$$$$ than an equivalent Sniffer product .

 

[hellbeach]

ok, could you recommend a switch so I can look at the specifications of that switch so I know what kind of switch I´m looking for ?

 

[hellbeach]

I´ve been looking around on switches for a while now.

You mentioned that the switch must be able to span ports, is this the same as a switch which supports "Spanning Tree (IEEE 802.1d)" ??

If not, what in the specifications on a switch should I be looking at for it to work ?

 

[wybnormal]

No, spanning tree is not "spanning" for a sniffer. It is a unfortunate way of saying that you want to "mirror" a port or a VLAN. Spanning tree is a protocol that lets switches decide who is the root switch and which ports to use to connect all the other switches and prevent a data loop among them.

In order to get a switch that will give you the ability to mirror a port, you will need to pay more then just a basic switch.

Here is a "noname" switch for a cheap price that gives VLANs and port mirroring

http://www.provantage.com/buy-22088...tch-fs7000-series-ethernet-smart-shopping.htm

Of course, you can pay more and get a 2950 Cisco

MikeS


Find me at

http://www.packetattack.com

"Take advantage of the enemy's unreadiness, make your way by unexpected routes, and attack unguarded spots."
Sun Tzu

 

[phaelon56]

Yes... Cisco chose and unfortunate acronym when they called their port mirroring Switch Port Analyzer of SPAN. The confusion with Spanning Tree is a common mistake.

If you have a small network and the primary connections of interest are 100 baseT HALF duplex (e.g. connections to key users, servers, switch to switch connections etc).... you can use cheap pocket hubs to sit in the links and attach thee Sniffer to those. It's also possibel to feed those hub connections into a resource sharing matrix switch, such as those offered by Net Optics or Datacom Systems and move from one connection point to another remotely by way of software. This approach has an obvious advantage in some instances but does require that you have either a Distributed product or that you utlize proxy software such as VNC or remote desktop to control the tools.

In the event you decide to utilize this approach, be careful about which pocket hubs you use - many are labeled as hubs but are actually mini-switches and are not real shared media devices.

Owen O'Neill
Datacom Systems Inc.
Northeastern SE

http://www.datacomsystems.com

 

[wybnormal]

This is true.. the Linksys "hubs" are mostly switches that have the management disabled. NetGear has a great little hub and so does Hawk.

MikeS

Find me at

http://www.packetattack.com

"Take advantage of the enemy's unreadiness, make your way by unexpected routes, and attack unguarded spots."
Sun Tzu

 

[patrckb]

The model of hub you want is a Netgear DS hub. (see

http://www.netgear.com/products/hubs/dualspeed.php)

They are true hubs and you will see all packets going to every port.

Patrick

Patrick Bartkus, CCNP, CNX, SCM Sr. Network Engineer
GA Dept of Labor IT Network Services
If truth were not absolute, how could there be justice?