Firewall Wizards mailing list archives
Re: Sniffing on switched network
From: Dave Mitchell <dave () jnsnet com>
Date: Thu, 10 Jan 2002 11:38:06 -0700
I know for a fact that on the 3COM 3300's you can set up a trunk and/or an analyzer port (forget the exact name) to do this for each VLAN. But from lots of experiences with these switches, they have trouble enough passing frames during medium to high traffic that doing this will probably reduce the throughput of the entire network.

If the customer is willing to spend any money, buy a higher end switch to aggregate trunk ports off of each of these 3300's or 1100's. Then open up a mirroring port off of the top level switch. An Extreme Summit 24, Foundry xxxIron, or Cisco Catalyst 29xx would do this well. ~US $2000+. i.e.

     -----------------
    | Extreme, Foundry|---Mirrored Port for the IDS or your use.
    | or Cisco Switch |
     -----------------
       | | | |
       | | |------3COM 3300 #1
       | |----------3COM 3300 #2
       |-------------And so on...

This should help (not solve) with bottlenecking on the 3300's, by offloading all of the frame duplicating to the higher end switch. Then you will be able to see more frames than you would by making the 3300's or 1100's do the mirroring.

Just an idea.

-dave

On Wed, Jan 09, 2002 at 03:00:09PM -0800, Lup-Houh Ng wrote:
Eh, tough. If you have to work within the constraints of the switches, then this is what I'd suggest:

1. Recognize the fact that you'll probably not see all the traffic, unless all the switches are replaced with hubs. Even if you can mirror all ports on the switches/VLANs, some frames will still be dropped from the analyzing/mirroring port if the traffic load is high.

2. Take a step back and ask what it is that you really need to see, and try to sniff the port thru which most of that traffic will flow, e.g. if there is a problem between two different network segments then sniff the router or the firewall that sits between these two segments.

3. Assuming that the traffic pattern is pretty consistent thru time, sniff the ports one-by-one and then try to piece the whole picture together. (Yeah, I know, tedious. But if this is what it takes to get the job done ...)

4. You can also try stunts like connecting all the analyzing/mirroring ports on each of the switches to a hub and sniff from there. At the least, you get to see more than one port. :)

rgds
--- lup houh

--- Pierre-Yves BONNETAIN <bonnetain () acm org> wrote:

Hello you all, and (first of all) a very happy and secure new year. Well, as secure as possible.

I am currently working on some "pathologic uses" of one customer's network. In order to get a proper snapshot of what is happening on this network, I need to sniff packets. He is using 3Com SuperStack switches (3300 and 1100), stacked into a single switch through back-panel cables.

I am used to HP switches, and those have one interesting feature to duplicate all traffic going through the switch, whatever the port it comes from, to a specific port (where I can hook up my analyzer). As far as the SuperStack are concerned, it seems it can only do this for one port (and not for all ports of the switch), and the "monitored" port and the "analyzing" one must be on the same physical switch.

Has any of you met this kind of need/switch config? How did you solve it (other than changing switches to hubs, which could be done as a last resort but I would prefer not to touch the physical components if possible)?

Thanks,
--
-+-+ Pierre-Yves BONNETAIN
Internet/Security Consultant --- B & A Consultants
Tel : +33 (0) 563.277.241 - Fax : +33 (0) 563.277.245

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
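A capacity check for the mirror-port bottleneck raised in the thread (an added example, not code from any of the posters): it estimates how far an analyzer port is oversubscribed when it must carry both directions of every mirrored port, comparing per-switch mirroring with mirroring only the trunks at an aggregating switch. All port speeds, port counts and utilizations are constructed assumptions.

```python
# Capacity budget for a switch mirror (analyzer) port. A mirror port copies
# both directions of every mirrored port onto the analyzer link's single tx
# direction, so it oversubscribes once combined rx+tx exceeds that link rate.
# All speeds and utilizations below are constructed assumptions.
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class MirroredPort:
    speed_mbps: float   # link rate of the port being mirrored
    rx_util: float      # fraction of line rate received (0.0 - 1.0)
    tx_util: float      # fraction of line rate transmitted (0.0 - 1.0)

    def copied_mbps(self) -> float:
        # Both directions land on the analyzer's one tx path.
        return self.speed_mbps * (self.rx_util + self.tx_util)

def offered_load_mbps(ports) -> float:
    return sum(p.copied_mbps() for p in ports)

def mirror_budget(ports, analyzer_mbps: float) -> dict:
    offered = offered_load_mbps(ports)
    # Under sustained overload the analyzer link carries at most its own rate
    # and the switch drops the rest. This is a lower bound on loss: bursts and
    # shallow buffers make the real figure worse.
    drop = max(0.0, 1.0 - analyzer_mbps / offered) if offered else 0.0
    return {"offered_mbps": offered, "analyzer_mbps": analyzer_mbps,
            "oversubscription": offered / analyzer_mbps,
            "min_drop_fraction": drop}

def max_ports_without_drops(port: MirroredPort, analyzer_mbps: float) -> int:
    # How many identical ports fit into the analyzer link at this load.
    per_port = port.copied_mbps()
    if per_port <= 0:
        raise ValueError("port carries no load")
    return math.floor(analyzer_mbps / per_port)

# Scenario A (constructed): mirror all 24 ports of one Fast Ethernet edge
# switch, each at a modest 10% load per direction, to a 100 Mbps analyzer.
EDGE_PORT = MirroredPort(speed_mbps=100, rx_util=0.10, tx_util=0.10)
PER_SWITCH = mirror_budget([EDGE_PORT] * 24, analyzer_mbps=100)

# Scenario B (constructed): three edge switches each uplinked by a 100 Mbps
# trunk to a gigabit core; mirror only the trunks to a gigabit analyzer.
# Caveat: this sees only traffic crossing the trunks, never frames switched
# locally between two ports of the same edge switch.
TRUNK_PORT = MirroredPort(speed_mbps=100, rx_util=0.40, tx_util=0.40)
AT_CORE = mirror_budget([TRUNK_PORT] * 3, analyzer_mbps=1000)
```

In scenario A the 100 Mbps analyzer port is offered 480 Mbps and must drop at least four frames in five, which is the effect the thread warns about; the same edge ports would have to be mirrored five at a time to stay within budget.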