Wireshark-users: Re: [Wireshark-users] Looking for a portable sniffing-friendlyhub/switch

From: Martin Visser <martinvisser99@xxxxxxxxx>
Date: Sat, 10 Apr 2010 12:20:31 +1000
If you are going to funnel what would be a 1Gbps port into a 10Mbps or 100Mbps then you are going to affect any timing far worse than any port-mirroring. 

All port-mirroring (or VLAN mirroring for that matter) these days is built into the switch ASICs. It will be either a hardware-assisted copy of the packet buffer or, even better, just a copy of the pointer to the same buffer. Latency will be measured in microseconds - and in fact be no different from the standard switching/routing operation.

Obviously if you are mirroring a duplex link you effectively are converting to a half-duplex stream. So if you are mirroring a port say with 500Mbps outbound (TX) and 500Mbps inbound (RX) that is going to become a 1Gbps outbound (TX only) stream on the monitoring port. So I agree there will be some shifting of packets as they are being interleaved. But for the most part it is going to be only a single packet delay. For a full sized 9000 byte jumbo frame at 1Gbps this interleaving delay is only going to be 72 microseconds (9000*8/10^9). I don't believe there is anyone that is going to need to analyse jitter or delay at anything better than 1 millisecond, which is 10 times this packet delay. (I know there are some stock trading floor applications that are pretty time critical but I doubt delays less than a millisecond are going to be important).

So I would say for the 99% of people and applications port-mirroring is going to be better. You have a lot of flexibility in being able to turn it on and off with no disruption to the production traffic. You can often mirror 1 or many ports and even whole or multiple VLANs, as well as allowing remote monitoring in some circumstances. Taps either need to be installed during an outage and left in-situ until a further outage can be arranged. Also the taps that I have used require two Ethernet ports for monitoring as a tap separates out RX and TX traffic. This probably has the same potential interleaving issues in Wireshark or another sniffer that the port-mirroring will have.

Regards, Martin

MartinVisser99@xxxxxxxxx
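
The interleaving argument in the message above can be checked with a small FIFO model of the monitor port. This is an added example, not code from the thread or from any switch vendor; the function names, the 90,000-byte mirror buffer and the constructed jumbo-frame traffic are assumptions. It goes one step beyond the 500+500 Mbps case by also running both directions at full line rate, where the mirror port is oversubscribed and the capture loses frames.

```python
from dataclasses import dataclass

@dataclass
class Frame:
    t_arrival: float  # seconds: when the frame is seen on the mirrored port
    size: int         # bytes
    direction: str    # "RX" or "TX" on the mirrored link

def mirror(frames, rate_bps=1e9, buffer_bytes=90_000):
    """FIFO model of the monitor port. Returns (shifts, dropped), where each
    shift is how long an accepted frame waited before its egress began."""
    port_free = 0.0          # time the monitor port finishes its current queue
    in_flight = []           # (finish_time, size) of frames not yet fully sent
    shifts, dropped = [], 0
    for f in sorted(frames, key=lambda f: f.t_arrival):
        in_flight = [(t, s) for t, s in in_flight if t > f.t_arrival]
        if sum(s for _, s in in_flight) + f.size > buffer_bytes:
            dropped += 1     # mirror buffer full: the sniffer never sees this frame
            continue
        start = max(port_free, f.t_arrival)
        port_free = start + f.size * 8 / rate_bps   # serialization time
        in_flight.append((port_free, f.size))
        shifts.append(start - f.t_arrival)
    return shifts, dropped

def duplex_load(gap_s, n=100, size=9000):
    """Constructed traffic: an RX and a TX jumbo frame every gap_s seconds."""
    return [Frame(i * gap_s, size, d) for i in range(n) for d in ("RX", "TX")]

def summarize(gap_s):
    """Worst timestamp shift (seconds) and drop count for one traffic pattern."""
    shifts, dropped = mirror(duplex_load(gap_s))
    return max(shifts), dropped

if __name__ == "__main__":
    # 144 us gap = 500 Mbps per direction; 72 us gap = 1 Gbps per direction.
    for label, gap in (("500+500 Mbps", 144e-6), ("1+1 Gbps", 72e-6)):
        worst, dropped = summarize(gap)
        print(f"{label}: worst shift {worst * 1e6:.0f} us, dropped {dropped}")
```
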


On Sat, Apr 10, 2010 at 9:35 AM, Oldcommguy - Tim <oldcommguy@xxxxxxxxxxxxx> wrote:

The Network Critical aggregation 10/100 taps have the best aggregation and time assimilation programs.

I have tested them against many of the others and found them to be one of the best.

Any TAP is going to be better than a Hub or Switch!!!!

Do NOT use a HUB or SWITCH if you want to get full access and real timing for your analysis/monitoring.

Read the article here to help you understand this more –

http://www.lovemytool.com/blog/2007/08/span-ports-or-t.html

If you wait till Sharkfest, there might be some given away by sponsor companies.

Also check e-bay, I have seen some good TAPs there for under 100.00 – just 10/100.

Have fun  - Tim

Tim O’Neill  - The “Oldcommguy™”
B.T. Solutions, Inc.
Phone – 770-640-0809
Website - www.lovemytool.com
e-mail – Tim@xxxxxxxxxxxxxx

Please honor and support our Troops, Law Enforcement and First Responders!
All Gave Some – Some Gave All!

From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Alex Lindberg
Sent: Friday, April 09, 2010 7:13 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Looking for a portable sniffing-friendlyhub/switch

90% of what I do is 100mb/sec.

DataCom also sells 1gig aggregation taps (both Tx and Rx are captured)

--- On Fri, 4/9/10, Ian Schorr <ian.schorr@xxxxxxxxx> wrote:


From: Ian Schorr <ian.schorr@xxxxxxxxx>
Subject: Re: [Wireshark-users] Looking for a portable sniffing-friendlyhub/switch
To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
Date: Friday, April 9, 2010, 4:20 AM

Do you guys really tend to work with 10/100 links these days?

-Ian

On Fri, Apr 9, 2010 at 9:20 AM, Alex Lindberg <alindber@xxxxxxxxx> wrote:

In my work, I use a DataCom SS-100 tap (10/100mb).  Works great.

The use of Ethernet hubs is full of problems including Speed and Duplex issues and port mirroring on an Ethernet Switch does not always work as expected.

While true taps are more expensive than other solutions, if you do sniffing for a living, then they can't be beat.

DataCom: http://www.datacomsystems.com/index.asp

Alex Lindberg

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe