["Oldcommguy - Tim" <oldcommguy@xxxxxxxxxxxxx>]

Ok – Great math and I agree that today’s switches are very capable, as switches…– Time for the reality – SPAN ports-

1)     do not pass bad frames, long or short frames or any malformed packets – Thus no baseline studies

2)     SPAN pots do not pass VLAN tags – Result you do not know which VLAN a frame came from and also can result in the same packet being presented twice or more.

3)     SPAN ports change timing – thus if you are doing any RTP studies, or timing studies, no jitter and differentiated timing.

4)     Maybe a switch can handle switching, which it was made for but SPAN is not the priority of a switch and thus issues.

5)     All your math is great and proves that switches can handle their job but replication is the lowest priority.

6)     Myself and others have tested several switches (to 10G) cheap to the best and found much variation…even the Mfr’s support the findings.

7)     I do not even want to discuss RSPAN another whole can of issues

8)     SPAN is acceptable for connection studies.

9)     SPAN is NOT acceptable for CALEA access

10)                        SPAN is NOT acceptable for Compliance or Audit studies

11)                        SPAN capture files can cause issues in court cases, reasonable doubt issues

 

There are some GREAT switches designed to switch data, they were never designed to be full diagnostic access tools. If they were the best diagnostic tool at least 9 TAP and 7 access expansion companies would be out of business in a minute but they are not because they are needed.

 

I am not against using SPAN but knowing what and how is important so one does not lose sight of the limitations.

 

TAPs are reasonable in cost , no line coding (another major issue to face and can be the root of many other issues) and with a TAP there is no doubt of what you are receiving/monitoring.

 

Use what you wish but be aware on the limitations and you will get the data you need with accurate timing and no losses.

 

I use SPAN once in a while, to see who is connected to whom, but when I have to testify or validate security/compliance I will only use a TAP for access. And a good one that I know has been tested.

 

Reality is Reality – and the above is reality, no way around it…sorry.

 

I wish everyone Great Success with Less Stress.  Let’s end this discussion – all of the info is out there so those needing to make the decision can do so. It has been informative for all.

 

 

Tim O’Neill  - The “Oldcommguy™”

B.T. Solutions, Inc.

Phone – 770-640-0809

Website - www.lovemytool.com

e-mail – Tim@xxxxxxxxxxxxxx

Please honor and support our Troops, Law Enforcement and First Responders!

All Gave Some – Some Gave All!

 

 

From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Martin Visser
Sent: Friday, April 09, 2010 10:21 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Looking for a portable sniffing-friendlyhub/switch

 

If you are going to funnel what would be a 1Gbps port into a 10Mbps or 100Mbps then you are going to affect any timing far worse than any port-mirroring. 

 

All port-mirroring (or VLAN mirroring for that matter) these days is built into the switch ASICs. It will be either a hardware assisted copy of the packet buffer or even better just a copy of the pointer to the same buffer. Latency will be in measured in micro-seconds - and if fact be no different from the standard switching/routing operation.

 

Obviously if you are mirroring a duplex link you effectively are converting to a half-duplex stream. So if you are mirroring a port say with 500Mbps outbound (TX) and 500Mbps inbound (RX) that is going to become a 1Gbps outbound (TX only) stream on the monitoring port. So I agree there will be some shifting of packets as they are being interleaved. But for the most part is going to only a single packet delay. For a full sized 9000 byte jumbo frame at 1Gbps this interleaving delay is only going to be 72 microseconds (9000*8/10^9). I don't believe there is any one that is going to require a analyse jitter or delay at any thing better than 1 millisecond, which is 10 times this packet delay. (I know there are some stock trading floor applications that are pretty time critical but I doubt delays less than a millisecond are going to be important).

 

So I would say for the 99% of people and applications port-mirroring is going to be better. You have a lot of a flexibility in being able to turn it on and off with no disruption to the production traffic. You can often mirror 1 or many ports and even whole or multiple VLANs, as well as allowing remote monitoring in some circumstances. Taps either need to be installed during an outage and left in-situ until a further outage can be arranged. Also the taps that I have used require two ethernet ports for monitoring as a tap separates out RX and TX traffic. This probably has the same potential interleaving issues in the wireshark or other sniffer that the port-mirroring will have.

Regards, Martin

MartinVisser99@xxxxxxxxx

On Sat, Apr 10, 2010 at 9:35 AM, Oldcommguy - Tim <oldcommguy@xxxxxxxxxxxxx> wrote:

The Network Critical aggregation 10/100 taps have the best aggregation and time assimilation programs.

 

I have tested them against many of the others and found them to be one of the best.

 

Any TAP is going to be better than a Hub or Switch!!!!

 

Do NOT use a HUB or SWITCH if you want to get full access and real timing for your analysis/monitoring.

 

Read the article here to help you understand this more –

 

http://www.lovemytool.com/blog/2007/08/span-ports-or-t.html

 

If you wait till Sharkfest, there might be some given away by sponsor companies.

 

Also check e-bay, I have seen some good TAPs there for under 100.00 – just 10/100.

 

Have fun  - Tim

 

Tim O’Neill  - The “Oldcommguy™”

B.T. Solutions, Inc.

Phone – 770-640-0809

Website - www.lovemytool.com

e-mail – Tim@xxxxxxxxxxxxxx

Please honor and support our Troops, Law Enforcement and First Responders!

All Gave Some – Some Gave All!

 

 

From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Alex Lindberg
Sent: Friday, April 09, 2010 7:13 PM

To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Looking for a portable sniffing-friendlyhub/switch

 

90% of what I do is 100mb/sec.

DataCom also sells 1gig aggregation taps (both Tx and Rx are captured)

--- On Fri, 4/9/10, Ian Schorr <ian.schorr@xxxxxxxxx> wrote:

From: Ian Schorr <ian.schorr@xxxxxxxxx>
Subject: Re: [Wireshark-users] Looking for a portable sniffing-friendlyhub/switch
To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
Date: Friday, April 9, 2010, 4:20 AM

Do you guys really tend to work with 10/100 links these days?

 

-Ian

On Fri, Apr 9, 2010 at 9:20 AM, Alex Lindberg <alindber@xxxxxxxxx> wrote:

In my work, I use a DataCom SS-100 tap (10/100mb).  Works great.

The use of Ethernet hubs is full of problems including Speed and Duplex issues and port mirroring on an Ethernet Switch does not always work as expected.

While true taps are more expensive that other solutions, if you do sniffing for a living, then they can't be beat.

DataCom: http://www.datacomsystems.com/index.asp

Alex Lindberg
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users

            mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe

 

-----Inline Attachment Follows-----

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe

 

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe