Wireshark-users: Re: [Wireshark-users] How to capture traffic on fiber going to storage?

From: Stuart Kendrick <skendric@xxxxxxxxx>
Date: Thu, 29 Sep 2011 12:20:39 -0700
I have one of these tinker toys -- bought it off eBay -- but have never
used it.


In some sense, this is a one-way FC-to-Ethernet bridge.

You configure the Fibre Channel switch to mirror your server's port to a
spare port on the switch (rumor tells me that not all Fibre Channel
switches support port-mirroring).  Plug the Fibre Channel switch into
the FC side of this box, and your sniffer (perhaps a laptop running
Wireshark) into the Ethernet side.

This device then strips off the Fibre Channel encapsulation, replaces it
with an Ethernet frame, and forwards the result to your laptop.
Wireshark has decodes for most of the FC protocol suite, plus SCSI
(which is the dominant if not only application layer protocol running
over Fibre Channel).  [Rumor says that Cisco wrote the FC decodes and
donated them to the Wireshark community.]

Of course, Fibre Channel environments tend to be multi-pathed (can your
server admin shut down one of those paths during your capture?) ... so
you may find you need two of these things, capturing at two locations.  And
how you quiesce the server sufficiently so that you're only looking at
conversations relevant to this particular application would be another
challenge.  And I think these things only support 1/2GB FC, not the
newer 4GB+ FC.  And of course, there is room for the box to overflow its
buffers during capture, dropping frames.

If you ever get this to work, do let me know.

Otherwise, rumor says that JDSU has a professional services division,
where an engineer toting an XGig analyzer will arrive at your doorstep,
complete with the expertise needed to wield this beast.

Take all those rumors with salt,



Stuart Kendrick

On 9/29/2011 11:26 AM, János Löbb wrote:
> Hi,
> I have a server and the database is on a fiber attached EMC storage.  The database behaves strangely when asked for complex data not in the cache.  It returns fewer rows than it should.  I suspect the traffic to the storage via the fiber is interrupted in some way or times out.  So I would like to capture that traffic too and merge it with the traffic I capture on ent8.  Right now I am capturing the Ethernet traffic via tcpdump and looking at it later with Wireshark.  What can I use to capture the fiber traffic on an AIX 5.3 machine?
> Thanks ahead,
> János