Wireshark-users: Re: [Wireshark-users] Looking for a portable sniffing-friendly hub/switch
If you are going to funnel what would be a 1Gbps port into a 10Mbps or 100Mbps then you are going to affect any timing far worse than any port-mirroring.
All port-mirroring (or VLAN mirroring for that matter) these days is built into the switch ASICs. It will be either a hardware-assisted copy of the packet buffer or, even better, just a copy of the pointer to the same buffer. Latency will be measured in microseconds - and in fact be no different from the standard switching/routing operation.
Obviously if you are mirroring a duplex link you are effectively converting to a half-duplex stream. So if you are mirroring a port with, say, 500Mbps outbound (TX) and 500Mbps inbound (RX), that is going to become a 1Gbps outbound (TX only) stream on the monitoring port. So I agree there will be some shifting of packets as they are being interleaved. But for the most part it is going to be only a single packet delay. For a full-sized 9000 byte jumbo frame at 1Gbps this interleaving delay is only going to be 72 microseconds (9000*8/10^9). I don't believe there is anyone that is going to need to analyse jitter or delay at anything better than 1 millisecond, which is 10 times this packet delay. (I know there are some stock trading floor applications that are pretty time critical but I doubt delays less than a millisecond are going to be important).
So I would say for 99% of people and applications port-mirroring is going to be better. You have a lot of flexibility in being able to turn it on and off with no disruption to the production traffic. You can often mirror 1 or many ports and even whole or multiple VLANs, as well as allowing remote monitoring in some circumstances. Taps need to be installed during an outage and left in situ until a further outage can be arranged. Also the taps that I have used require two Ethernet ports for monitoring, as a tap separates out RX and TX traffic. This probably has the same potential interleaving issues in Wireshark or other sniffers that the port-mirroring will have.
Regards, Martin
MartinVisser99@xxxxxxxxx
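An added example, not part of the original post: a small Python model of the interleaving described above, in which both directions of a duplex link share the mirror port's single transmit side. The FIFO queue model, the function names and the sample frames are assumptions constructed for illustration.

```python
# Added example: FIFO model of a mirror (SPAN) port that sends both
# directions of a full-duplex link out of its single transmit side.
# The model and every sample frame below are constructed for illustration.

GIGABIT = 1_000_000_000  # bits per second

def serialization_ns(frame_bytes, link_bps=GIGABIT):
    """Time to clock one frame onto the wire, in nanoseconds."""
    return frame_bytes * 8 * 1_000_000_000 // link_bps

def flow(direction, rate_bps, frame_bytes, count):
    """Constant-rate flow: (ready_ns, direction, size) for `count` frames."""
    gap = frame_bytes * 8 * 1_000_000_000 // rate_bps
    return [(i * gap, direction, frame_bytes) for i in range(count)]

def mirror(frames, link_bps=GIGABIT):
    """Queue frames onto the mirror port in the order they become ready.
    Returns (ready_ns, direction, size, queue_delay_ns) per frame, where
    queue_delay_ns is how long the copy waited behind earlier copies."""
    out = []
    port_free = 0  # time at which the mirror port finishes its backlog
    for ready, direction, size in sorted(frames):
        start = max(ready, port_free)
        port_free = start + serialization_ns(size, link_bps)
        out.append((ready, direction, size, start - ready))
    return out

def worst_delay_ns(mirrored):
    """Largest queueing delay any mirrored frame experienced."""
    return max(delay for _, _, _, delay in mirrored)

# Case 1: a 9000-byte jumbo frame in each direction, ready at the same instant.
jumbo_pair = mirror([(0, "RX", 9000), (0, "TX", 9000)])

# Case 2: 500 Mbps each way of 1500-byte frames, as in the post's example.
duplex = mirror(flow("RX", 500_000_000, 1500, 1000) +
                flow("TX", 500_000_000, 1500, 1000))

if __name__ == "__main__":
    print("jumbo pair worst delay:", worst_delay_ns(jumbo_pair), "ns")
    print("500+500 Mbps worst delay:", worst_delay_ns(duplex), "ns")
```

In this model the second jumbo frame waits 72000 ns, the 72 microseconds computed in the post, and the 500+500 Mbps case never queues more than one frame time because the combined load just fits the 1 Gbps mirror port.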
On Sat, Apr 10, 2010 at 9:35 AM, Oldcommguy - Tim <oldcommguy@xxxxxxxxxxxxx> wrote:
The Network Critical aggregation 10/100 taps have the best aggregation and time assimilation programs.
I have tested them against many of the others and found them to be one of the best.
Any TAP is going to be better than a Hub or Switch!!!!
Do NOT use a HUB or SWITCH if you want to get full access and real timing for your analysis/monitoring.
Read the article here to help you understand this more – http://www.lovemytool.com/blog/2007/08/span-ports-or-t.html
If you wait till Sharkfest, there might be some given away by sponsor companies.
Also check e-bay, I have seen some good TAPs there for under 100.00 – just 10/100.
Have fun - Tim
Tim O’Neill - The “Oldcommguy™”
B.T. Solutions, Inc.
Phone – 770-640-0809
Website - www.lovemytool.com
e-mail – Tim@xxxxxxxxxxxxxx
Please honor and support our Troops, Law Enforcement and First Responders!
All Gave Some – Some Gave All!
90% of what I do is 100mb/sec.
DataCom also sells 1gig aggregation taps (both Tx and Rx are captured)
--- On Fri, 4/9/10, Ian Schorr <ian.schorr@xxxxxxxxx> wrote:
From: Ian Schorr <ian.schorr@xxxxxxxxx>
Subject: Re: [Wireshark-users] Looking for a portable sniffing-friendly hub/switch
To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
Date: Friday, April 9, 2010, 4:20 AM
Do you guys really tend to work with 10/100 links these days?