Sniffing gigabit ethernet? 1000baseT LAN taps?
M D L
41magnum at liberty.eprci.com
Tue Apr 15 22:09:13 EDT 2014
There's no need to muck with iptables to make two ports into a switch. This is done using a bridge interface. Network Manager will even let you create a bridge (including running spanning tree) for any ports on the system. Might not have the lowest latency of a dedicated hardware switch, but if traffic is only over a LAN it shouldn't be noticeable. Just add Wireshark.
I do have a Cisco SG300 managed switch on my home network. Offers both command line and web GUI for management. Similar enough to Cisco IOS that anyone who's used that should be comfortable. Good specs on a lower cost switch and most of the features of the Cisco Catalyst enterprise switches.
On Tue, 15 Apr 2014 12:43:16 -0400
Tom Buskey <tom at buskey.name> wrote:
> For gigabit, there's no such thing as a hub.
>
> You need a managed switch so you can create a mirror port. Netgear makes
> an 8 port one that's ~ $100. I think they have a 5 port version too. It
> can also do vlan, 802.3ad (bond/trunk 2 ports together for faster
> throughput)
>
> Splice the switch into your server & mirror to your sniffer port. Run
> wireshark, tcpdump, snoop (Solaris?) on that port. Filtering will probably
> be needed so you can keep up.
>
> If you don't have a switch, you might be able to take a PC with 2 network
> ports and muck with iptables to make it into a switch. You'll spend more
> in labor than on the switch.
>
> On Mon, Apr 14, 2014 at 7:21 PM, Richard Kolb II <richard.kolb at gmail.com> wrote:
>
> > whatever happened to just plain old snoop?
> >
> >
> > On Mon, Apr 14, 2014 at 5:44 PM, Kevin D. Clark <kevin_d_clark at comcast.net> wrote:
> >
> >>
> >> Joshua Judson Rosen writes:
> >>
> >> > "Michael ODonnell" writes:
> >> > >
> >> > > I don't know what your situation is but if there's a managed
> >> > > switch involved I believe that some of them can be rigged to
> >> > > echo traffic to one or more specified ports for analysis/debug.
> >> >
> >> > Mm. Good point. I don't think I have any managed switches on-hand;
> >> > any recommendations as to what I should get, if I go that route?
> >>
> >> The feature you'd want here is commonly called port mirroring or port
> >> spanning.
> >>
> >> More info here:
> >>
> >> http://wiki.wireshark.org/CaptureSetup/Ethernet
> >>
> >>
> >> I do have a small word of advice: it is generally useful when
> >> capturing traffic for analysis to come up with some sort of "capture
> >> filter" that limits the amount of traffic that you're going to end up
> >> with. On a really busy link, this can make it a lot easier to analyze
> >> the traffic at a later time.
> >>
> >> Regards,
> >>
> >> --kevin
> >> --
> >> alumni.unh.edu!kdc / http://kdc-blog.blogspot.com/
> >> GnuPG: D87F DAD6 0291 289C EB1E 781C 9BF8 A7D8 B280 F24E
> >>
> >> And the Army Ants, they leave nothin' but the bones...
> >> -- Tom Waits
> >> _______________________________________________
> >> gnhlug-discuss mailing list
> >> gnhlug-discuss at mail.gnhlug.org
> >> http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
> >>
> >
> >
> >
> > --
> >
> > Richard Kolb II
> >
> >
> >
> >