In my datacenter, I have three Gig links coming in that I am sniffing using passive taps. What I want to do is feed these links into a layer 3 switch so that I can have them sent to different packet analysis boxes by destination address or packet types or ports. What should I look for in a switch for such a use -- something that can take in sniffed traffic on fiber gig links and parcel them out to different servers on copper gig links based on routing rules.

Please email me your recommendation or suggestion directly and I will summarize what I find out for the list.

Thanks,
Patrick A.
Hi Peter, if you are feeding this into a switch you should be able to switch it just like the real traffic.. ie plug your fibers into gbics on whatever switch you want to use, i dont see any special requirements for this application

Steve

On Thu, 7 Oct 2004, Patrick Arguello wrote:
> In my datacenter, I have three Gig links coming in that I am sniffing using passive taps. What I want to do is feed these links into a layer 3 switch so that I can have them sent to different packet analysis boxes by destination address or packet types or ports. What should I look for in a switch for such a use -- something that can take in sniffed traffic on fiber gig links and parcel them out to different servers on copper gig links based on routing rules.
>
> Please email me your recommendation or suggestion directly and I will summarize what I find out for the list.
>
> Thanks,
> Patrick A.
On Thu, Oct 07, 2004 at 09:43:47PM +0100, Stephen J. Wilcox wrote:
[switching/routing traffic from a passive tap]

> Hi Peter, if you are feeding this into a switch you should be able to switch it just like the real traffic.. ie plug your fibers into gbics on whatever switch you want to use, i dont see any special requirements for this application
I have no practical experience on that, I always used the monitor directly on the Tap, but I see a theoretical problem: Where does the switch switch it to? The Target MAC of the packet coming from the Tap will be still pointing to the device in the production network. The switch in the management network will not know where to switch it to, as there is no device with the same mac in its ARP table.

If you want to route it you will run into the same problem: The copied ethernet frame is not addressed to the router in the monitoring network, so it will not accept the Ethernet frame.

Maybe you could do something with faking the MAC on the router in the monitoring network to be the same as the MAC address of the target in the production network, but it feels like a dirty hack.

Or am I missing something obvious here?

Nils
On Fri, 8 Oct 2004, Nils Ketelsen wrote:

> On Thu, Oct 07, 2004 at 09:43:47PM +0100, Stephen J. Wilcox wrote:
> [switching/routing traffic from a passive tap]
>
> > Hi Peter, if you are feeding this into a switch you should be able to switch it just like the real traffic.. ie plug your fibers into gbics on whatever switch you want to use, i dont see any special requirements for this application
>
> I have no practical experience on that, I always used the monitor directly on the Tap, but I see a theoretical problem: Where does the switch switch it to? The Target MAC of the packet coming from the Tap will be still pointing to the device in the production network.

statically configure your mac to spoof that of the real interface.

> If you want to route it you will run into the same problem: The copied ethernet frame is not addressed to the router in the monitoring network, so it will not accept the Ethernet frame.

again just duplicate the ip address

> Maybe you could do something with faking the MAC on the router in the monitoring network to be the same as the MAC address of the target in the production network, but it feels like a dirty hack.
>
> Or am I missing something obvious here?

ok so you have the same thoughts.. the key point is the original question suggested this 'copycat' network is not connected to the real net, and so long as you dont allow the packets to be routed back into the real net (and hence create dups) you should be fine.

Steve

> Nils
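The forwarding problem Nils raises and the static-MAC answer Steve gives, as an added example that is not part of the thread: a small Python model of a learning switch whose one fibre port is fed by the tap and whose copper ports go to two analysis boxes. All port numbers, MAC addresses and frames below are constructed for illustration, and the switch model is a generic transparent bridge, not any particular vendor's implementation.

```python
from dataclasses import dataclass

# Constructed port numbers: one fibre port fed by the tap, two copper ports
# to analysis boxes. (Hypothetical layout, not from the thread.)
TAP_PORT = 1
ANALYZER_A = 2
ANALYZER_B = 3

# Constructed MAC addresses of two hosts in the production network whose
# conversation the tap copies.
SERVER_MAC = "00:11:22:33:44:55"
CLIENT_MAC = "66:77:88:99:aa:bb"


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str


class LearningSwitch:
    """Transparent bridge: learn the source MAC on ingress, forward on the
    destination MAC, flood unknown unicast, and filter frames whose
    destination is believed to sit behind the ingress port."""

    def __init__(self, ports):
        self.ports = set(ports)
        self.fdb = {}        # MAC -> port (forwarding table)
        self.static = set()  # MACs pinned by the operator; never re-learned

    def add_static(self, mac, port):
        """Pin a MAC to a port, as a static forwarding-table entry would."""
        self.fdb[mac] = port
        self.static.add(mac)

    def forward(self, frame, in_port):
        """Return the set of egress ports for a frame arriving on in_port."""
        if frame.src_mac not in self.static:
            self.fdb[frame.src_mac] = in_port   # normal source learning
        out = self.fdb.get(frame.dst_mac)
        if out is None:
            return self.ports - {in_port}       # unknown destination: flood
        if out == in_port:
            return set()                        # destination "behind" ingress: drop
        return {out}


# Constructed sample: a request, its reply, and a second request, all copied
# by the tap onto TAP_PORT with their original production MACs intact.
TAPPED_FRAMES = [
    Frame(CLIENT_MAC, SERVER_MAC),
    Frame(SERVER_MAC, CLIENT_MAC),
    Frame(CLIENT_MAC, SERVER_MAC),
]


def deliveries(switch):
    """Egress ports chosen for each tapped frame, in arrival order."""
    return [sorted(switch.forward(f, TAP_PORT)) for f in TAPPED_FRAMES]


def plain_switch():
    """Nils's objection: both production MACs get learned on the tap port,
    so after the first flood every tapped frame is filtered, not delivered."""
    sw = LearningSwitch([TAP_PORT, ANALYZER_A, ANALYZER_B])
    return deliveries(sw)


def pinned_switch():
    """Steve's answer: statically map each production MAC to the analysis
    box that should receive frames addressed to it."""
    sw = LearningSwitch([TAP_PORT, ANALYZER_A, ANALYZER_B])
    sw.add_static(SERVER_MAC, ANALYZER_A)   # traffic to the server -> box A
    sw.add_static(CLIENT_MAC, ANALYZER_B)   # traffic to the client -> box B
    return deliveries(sw)


if __name__ == "__main__":
    print("plain  :", plain_switch())    # [[2, 3], [], []]
    print("pinned :", pinned_switch())   # [[2], [3], [2]]
```

Without the static entries the first frame is flooded to both boxes and everything after it is silently filtered, because the switch has learned both production MACs on the tap port itself. Pinning the MACs (or, equivalently, giving each analysis box's interface the production MAC, as Steve suggests) makes the destination MAC a usable steering key. The model also makes Steve's caveat concrete: the only ports in the monitoring switch are the tap port and the analyser ports, so there is no path for the copied frames to re-enter the production network and appear there as duplicates.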