Firewall Wizards mailing list archives

Re: Sniffing on switched network


From: Dave Mitchell <dave () jnsnet com>
Date: Thu, 10 Jan 2002 11:38:06 -0700

I know for a fact that on the 3COM 3300's you can set up
a trunk and/or an analyzer port (forget the exact name)
to do this for each VLAN. But from lots of experience
with these switches, they have trouble enough passing frames
during medium to high traffic that doing this will probably
reduce the throughput of the entire network.

If the customer is willing to spend any money, buy a higher
end switch to aggregate trunk ports off of each of these 3300's
or 1100's. Then open up a mirroring port off of the top level
switch. An Extreme Summit 24, Foundry xxxIron, or Cisco Catalyst 29xx
would do this well. ~US $2000+.

ie.
  
-----------------
Extreme, Foundry|---Mirrored Port for the IDS or your use.  
or Cisco Switch |
-----------------
 |  |   |
 |  |   |------3COM 3300 #1
 |  |----------3COM 3300 #2
 |-------------And so on...
    

This should help with (not solve) bottlenecking on the 3300's,
by offloading all of the frame duplicating to the higher end switch.
Then you will be able to see more frames than you would by making
the 3300's or 1100's do the mirroring.

Just an idea.

-dave

On Wed, Jan 09, 2002 at 03:00:09PM -0800, Lup-Houh Ng wrote:

Eh, tough.  If you have to work within the constraints of
the switches, then this is what I'd suggest:

1. Recognize the fact that you'll probably not see all the
   traffic, unless all the switches are replaced with hubs.
   Even if you can mirror all ports on the switches/VLANs,
   some frames will still be dropped from the analyzing
   /mirroring port if the traffic load is high.
2. Take a step back and ask what it is that you really need
   to see, and try to sniff the port through which most of
   that traffic will flow, e.g. if there is a problem between
   two different network segments then sniff the router
   or the firewall that sits between these two segments.
3. Assuming that the traffic pattern is pretty consistent
   through time, sniff the ports one by one and then try to
   piece the whole picture together.  (Yeah, I know, tedious.
   But if this is what it takes to get the job done ...)
4. You can also try stunts like connecting all the analyzing
   /mirroring ports on each of the switches to a hub and
   sniffing from there.  At the least, you get to see more
   than one port.  :)

rgds

--- lup houh


--- Pierre-Yves BONNETAIN <bonnetain () acm org> wrote:
   Hello you all, and (first of all) a very happy and secure new year. Well,
as secure as possible.

   I am currently working on some "pathologic uses" of one customer's network.
In order to get a proper snapshot of what is happening on this network, I need
to sniff packets.
   He is using 3Com Superstack switches (3300 and 1100), stacked into a single
switch through back-panel cables. I am used to HP switches, and those have one
interesting feature to duplicate all traffic going through the switch, whatever
the port it comes from, to a specific port (where I can hook up my analyzer).
   As far as the Superstacks are concerned, it seems they can only do this for
one port (and not for all ports of the switch), and the "monitored" port and
the "analyzing" one must be on the same physical switch.
   Have any of you met this kind of need/switch config? How did you solve
it (other than changing switches to hubs, which could be done as a last resort,
but I would prefer not to touch the physical components if possible)?
   Thanks,
-- 
-+-+ Pierre-Yves BONNETAIN
     Internet/Security Consultant --- B & A Consultants
     Tel : +33 (0) 563.277.241 - Fax : +33 (0) 563.277.245


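Both suggestions in this thread (Dave's mirror port on an aggregation switch, and Lup-Houh's points 1, 3 and 4: drops on a busy mirror port, sniffing ports one by one and stitching the captures together, or joining several analyzer ports on a hub) leave the analyst with several partial captures of the same traffic. The script below is an added example, not code from any of the posters; it shows how to merge such captures and spot what the mirroring missed. A frame that transits two monitored ports, or reaches a hub from two analyzer ports, appears twice, so byte-identical frames within a short window are collapsed to one; the surviving frames are then grouped into TCP flows, and a flow seen in only one direction tells you the reply path was never mirrored (or was dropped). The frames are constructed inline with a minimal Ethernet/IPv4/TCP builder so it runs offline; the port names, addresses and 2 ms window are assumptions.

```python
"""Merge frames captured from several switch analyzer ports and report
duplicates and one-way TCP flows.  Added example; sample frames are constructed."""
import struct
from collections import defaultdict

ETH_HDR = struct.Struct("!6s6sH")          # dst, src, ethertype
IP_HDR = struct.Struct("!BBHHHBBH4s4s")    # ver/ihl, tos, len, id, frag, ttl, proto, csum, src, dst
TCP_HDR = struct.Struct("!HHIIBBHHH")      # sport, dport, seq, ack, offset, flags, win, csum, urg


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def ip(s):
    return bytes(int(x) for x in s.split("."))


def build_tcp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags, ip_id):
    """Constructed Ethernet/IPv4/TCP frame with no payload; checksums left zero."""
    tcp = TCP_HDR.pack(sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    iph = IP_HDR.pack(0x45, 0, IP_HDR.size + len(tcp), ip_id, 0, 64, 6, 0, ip(src_ip), ip(dst_ip))
    return ETH_HDR.pack(mac(dst_mac), mac(src_mac), 0x0800) + iph + tcp


def parse_frame(raw):
    """Return the TCP 5-tuple of an IPv4/TCP frame, or None for anything else."""
    if len(raw) < ETH_HDR.size:
        return None
    _dst, _src, etype = ETH_HDR.unpack_from(raw, 0)
    off = ETH_HDR.size
    if etype != 0x0800 or len(raw) < off + IP_HDR.size:
        return None
    vihl, _, _, ip_id, _, _, proto, _, sip, dip = IP_HDR.unpack_from(raw, off)
    off += (vihl & 0x0F) * 4
    if proto != 6 or len(raw) < off + TCP_HDR.size:
        return None
    sport, dport, _, _, _, flags, _, _, _ = TCP_HDR.unpack_from(raw, off)
    return {"sip": ".".join(map(str, sip)), "dip": ".".join(map(str, dip)),
            "sport": sport, "dport": dport, "flags": flags, "ip_id": ip_id}


def merge_captures(captures, window=0.002):
    """captures: {analyzer_port_name: [(timestamp_seconds, raw_frame), ...]}.
    Byte-identical frames within `window` seconds of each other are the same
    frame seen at two mirror points (or twice on a hub), so keep only the
    first.  A retransmission arrives later than the window and is kept.
    Returns (unique_frames, duplicate_count)."""
    events = sorted((ts, name, raw) for name, frames in captures.items() for ts, raw in frames)
    last_seen, unique, dups = {}, [], 0
    for ts, name, raw in events:
        prev = last_seen.get(raw)
        if prev is not None and ts - prev <= window:
            dups += 1
            continue
        last_seen[raw] = ts
        unique.append((ts, name, raw))
    return unique, dups


def flow_coverage(unique):
    """Group TCP frames by unordered (ip, port) pair.  A flow with frames in
    only one direction means the mirror never saw the port carrying the reply."""
    directions = defaultdict(set)
    for _ts, _name, raw in unique:
        p = parse_frame(raw)
        if p is None:
            continue
        a, b = (p["sip"], p["sport"]), (p["dip"], p["dport"])
        directions[tuple(sorted([a, b]))].add((a, b))
    return {flow: ("both" if len(seen) == 2 else "one-way") for flow, seen in directions.items()}


# Constructed sample: two 3300s, each with its own analyzer port.  Flow 1 transits
# both switches (SYN seen twice, SYN-ACK only on the second); flow 2 is seen on
# the first switch only, and its SYN is retransmitted a second later.
SYN, SYNACK = 0x02, 0x12
F1_SYN = build_tcp_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", "10.0.0.5", "10.0.0.10", 40000, 80, SYN, 1)
F1_SYNACK = build_tcp_frame("66:77:88:99:aa:bb", "00:11:22:33:44:55", "10.0.0.10", "10.0.0.5", 80, 40000, SYNACK, 2)
F2_SYN = build_tcp_frame("00:11:22:33:44:66", "66:77:88:99:aa:cc", "10.0.0.7", "10.0.0.20", 40001, 443, SYN, 3)
SAMPLE_CAPTURES = {
    "3300-1 analyzer port": [(0.0000, F1_SYN), (0.0100, F2_SYN), (1.0100, F2_SYN)],
    "3300-2 analyzer port": [(0.0005, F1_SYN), (0.0010, F1_SYNACK)],
}


def summarize(captures=SAMPLE_CAPTURES):
    unique, dups = merge_captures(captures)
    coverage = flow_coverage(unique)
    return {"unique": len(unique), "duplicates": dups,
            "one_way_flows": sorted(f for f, c in coverage.items() if c == "one-way")}


if __name__ == "__main__":
    for k, v in summarize().items():
        print(f"{k}: {v}")
```

Timestamps from separate switches are only comparable if the capture hosts share a clock, so widen the window (or key on IP ID plus the 5-tuple instead of raw bytes) when the analyzers are not time-synchronised.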
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards

