Re: Looking for a portable sniffing-friendlyhub/switch

[Lee <ler762 () gmail com>]

> 2)     SPAN pots do not pass VLAN tags

All of the Cisco switches I've used do if you configure the span port
as a trunk.

Regards,
Lee


On 4/10/10, Oldcommguy - Tim <oldcommguy () bellsouth net> wrote:
> Ok – Great math and I agree that today’s switches are very capable, as
> switches…– Time for the reality – SPAN ports-
>
> 1)     do not pass bad frames, long or short frames or any malformed packets
> – Thus no baseline studies
>
> 2)     SPAN pots do not pass VLAN tags – Result you do not know which VLAN a
> frame came from and also can result in the same packet being presented twice
> or more.
>
> 3)     SPAN ports change timing – thus if you are doing any RTP studies, or
> timing studies, no jitter and differentiated timing.
>
> 4)     Maybe a switch can handle switching, which it was made for but SPAN
> is not the priority of a switch and thus issues.
>
> 5)     All your math is great and proves that switches can handle their job
> but replication is the lowest priority.
>
> 6)     Myself and others have tested several switches (to 10G) cheap to the
> best and found much variation…even the Mfr’s support the findings.
>
> 7)     I do not even want to discuss RSPAN another whole can of issues
>
> 8)     SPAN is acceptable for connection studies.
>
> 9)     SPAN is NOT acceptable for CALEA access
>
> 10)                        SPAN is NOT acceptable for Compliance or Audit
> studies
>
> 11)                        SPAN capture files can cause issues in court
> cases, reasonable doubt issues
>
>
>
> There are some GREAT switches designed to switch data, they were never
> designed to be full diagnostic access tools. If they were the best
> diagnostic tool at least 9 TAP and 7 access expansion companies would be out
> of business in a minute but they are not because they are needed.
>
>
>
> I am not against using SPAN but knowing what and how is important so one
> does not lose sight of the limitations.
>
>
>
> TAPs are reasonable in cost , no line coding (another major issue to face
> and can be the root of many other issues) and with a TAP there is no doubt
> of what you are receiving/monitoring.
>
>
>
> Use what you wish but be aware on the limitations and you will get the data
> you need with accurate timing and no losses.
>
>
>
> I use SPAN once in a while, to see who is connected to whom, but when I have
> to testify or validate security/compliance I will only use a TAP for access.
> And a good one that I know has been tested.
>
>
>
> Reality is Reality – and the above is reality, no way around it…sorry.
>
>
>
> I wish everyone Great Success with Less Stress.  Let’s end this discussion –
> all of the info is out there so those needing to make the decision can do
> so. It has been informative for all.
>
>
>
>
>
> Tim O’Neill  - The “Oldcommguy™”
>
> B.T. Solutions, Inc.
>
> Phone – 770-640-0809
>
> Website - www.lovemytool.com <http://www.lovemytool.com/>
>
> e-mail – Tim () oldcommguy com
>
> Please honor and support our Troops, Law Enforcement and First Responders!
>
> All Gave Some – Some Gave All!
>
>
>
>
>
> From: wireshark-users-bounces () wireshark org
> [mailto:wireshark-users-bounces () wireshark org] On Behalf Of Martin Visser
> Sent: Friday, April 09, 2010 10:21 PM
> To: Community support list for Wireshark
> Subject: Re: [Wireshark-users] Looking for a portable
> sniffing-friendlyhub/switch
>
>
>
> If you are going to funnel what would be a 1Gbps port into a 10Mbps or
> 100Mbps then you are going to affect any timing far worse than any
> port-mirroring.
>
>
>
> All port-mirroring (or VLAN mirroring for that matter) these days is built
> into the switch ASICs. It will be either a hardware assisted copy of the
> packet buffer or even better just a copy of the pointer to the same buffer.
> Latency will be in measured in micro-seconds - and if fact be no different
> from the standard switching/routing operation.
>
>
>
> Obviously if you are mirroring a duplex link you effectively are converting
> to a half-duplex stream. So if you are mirroring a port say with 500Mbps
> outbound (TX) and 500Mbps inbound (RX) that is going to become a 1Gbps
> outbound (TX only) stream on the monitoring port. So I agree there will be
> some shifting of packets as they are being interleaved. But for the most
> part is going to only a single packet delay. For a full sized 9000 byte
> jumbo frame at 1Gbps this interleaving delay is only going to be 72
> microseconds (9000*8/10^9). I don't believe there is any one that is going
> to require a analyse jitter or delay at any thing better than 1 millisecond,
> which is 10 times this packet delay. (I know there are some stock trading
> floor applications that are pretty time critical but I doubt delays less
> than a millisecond are going to be important).
>
>
>
> So I would say for the 99% of people and applications port-mirroring is
> going to be better. You have a lot of a flexibility in being able to turn it
> on and off with no disruption to the production traffic. You can often
> mirror 1 or many ports and even whole or multiple VLANs, as well as allowing
> remote monitoring in some circumstances. Taps either need to be installed
> during an outage and left in-situ until a further outage can be arranged.
> Also the taps that I have used require two ethernet ports for monitoring as
> a tap separates out RX and TX traffic. This probably has the same potential
> interleaving issues in the wireshark or other sniffer that the
> port-mirroring will have.
>
>
> Regards, Martin
>
> MartinVisser99 () gmail com
>
>
>
> On Sat, Apr 10, 2010 at 9:35 AM, Oldcommguy - Tim <oldcommguy () bellsouth net>
> wrote:
>
> The Network Critical aggregation 10/100 taps have the best aggregation and
> time assimilation programs.
>
>
>
> I have tested them against many of the others and found them to be one of
> the best.
>
>
>
> Any TAP is going to be better than a Hub or Switch!!!!
>
>
>
> Do NOT use a HUB or SWITCH if you want to get full access and real timing
> for your analysis/monitoring.
>
>
>
> Read the article here to help you understand this more –
>
>
>
> http://www.lovemytool.com/blog/2007/08/span-ports-or-t.html
>
>
>
> If you wait till Sharkfest, there might be some given away by sponsor
> companies.
>
>
>
> Also check e-bay, I have seen some good TAPs there for under 100.00 – just
> 10/100.
>
>
>
> Have fun  - Tim
>
>
>
> Tim O’Neill  - The “Oldcommguy™”
>
> B.T. Solutions, Inc.
>
> Phone – 770-640-0809
>
> Website - www.lovemytool.com <http://www.lovemytool.com/>
>
> e-mail – Tim () oldcommguy com
>
> Please honor and support our Troops, Law Enforcement and First Responders!
>
> All Gave Some – Some Gave All!
>
>
>
>
>
> From: wireshark-users-bounces () wireshark org
> [mailto:wireshark-users-bounces () wireshark org] On Behalf Of Alex Lindberg
> Sent: Friday, April 09, 2010 7:13 PM
>
>
> To: Community support list for Wireshark
> Subject: Re: [Wireshark-users] Looking for a portable
> sniffing-friendlyhub/switch
>
>
>
>
> 90% of what I do is 100mb/sec.
>
> DataCom also sells 1gig aggregation taps (both Tx and Rx are captured)
>
> --- On Fri, 4/9/10, Ian Schorr <ian.schorr () gmail com> wrote:
>
>
> From: Ian Schorr <ian.schorr () gmail com>
> Subject: Re: [Wireshark-users] Looking for a portable
> sniffing-friendlyhub/switch
> To: "Community support list for Wireshark" <wireshark-users () wireshark org>
> Date: Friday, April 9, 2010, 4:20 AM
>
> Do you guys really tend to work with 10/100 links these days?
>
>
>
> -Ian
>
> On Fri, Apr 9, 2010 at 9:20 AM, Alex Lindberg <alindber () yahoo com
> <http://mc/compose?to=alindber () yahoo com> > wrote:
>
>
> In my work, I use a DataCom SS-100 tap (10/100mb).  Works great.
>
> The use of Ethernet hubs is full of problems including Speed and Duplex
> issues and port mirroring on an Ethernet Switch does not always work as
> expected.
>
> While true taps are more expensive that other solutions, if you do sniffing
> for a living, then they can't be beat.
>
> DataCom: http://www.datacomsystems.com/index.asp
>
> Alex Lindberg
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>
>             mailto:wireshark-users-request () wireshark org
> <http://mc/compose?to=wireshark-users-request () wireshark org>
> ?subject=unsubscribe
>
>
>
>
> -----Inline Attachment Follows-----
>
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org
> <http://mc/compose?to=wireshark-users () wireshark org> >
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>              mailto:wireshark-users-request () wireshark org
> <http://mc/compose?to=wireshark-users-request () wireshark org>
> ?subject=unsubscribe
>
>
>
>
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe