[PLUG] help with switches

Jason Martin nsxfreddy at gmail.com
Tue Feb 6 02:45:17 UTC 2007


On 2/5/07, Paul Heinlein <heinlein at madboa.com> wrote:
> On Mon, 5 Feb 2007, Carla Schroder wrote:
>
> > Thanks all, this helps. I found a Netgear switch for under $200 that
> > seems to do what I want, so I'll bet there are more in that price
> > range. NetGear ProSafe FS726T 10/100Mbps + 1000Mbps
>
> My understanding (which may be flawed in many ways) is that Netgear's
> "port mirroring" functionality allows you to duplicate the traffic of
> *one* port, not a range of them. That's not a problem, of course, if
> all your uplink traffic passes through a single port.

Actually, unless you are monitoring a port running at a lower speed
than the monitor port (e.g. monitoring a 100Mbps port with a 1Gbps
monitor port), you will have a very good chance of dropping traffic if
you monitor more than one port.  Even a single port of the same speed
cannot be fully monitored if the link is saturated, since most modern
switches run at full duplex.  You would need special tap equipment to
truly monitor a full duplex port, by splitting each direction into two
ports that feed into a machine with two NICs.  You can then use
software such as the Linux channel bonding driver to combine each
direction back into a single stream you could feed to an IDS/IPS, etc.

If you don't do a setup like this, you're banking on the various links
being monitored never being saturated beyond the half-duplex send
buffer of the switch monitor port.  This isn't a great gamble, since
Ethernet traffic (and TCP/IP traffic in general) tends to be fairly
bursty.

Jason
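The oversubscription argument above (a full-duplex link can push up to twice its nominal rate toward a mirror port, so one 100Mbps port into a 1Gbps monitor port is safe while one 1Gbps port into a 1Gbps monitor port is not) generalizes to any number of monitored ports. The following calculator is an added example and is not code from the thread or from any switch vendor; the `MonitoredPort` type, the `assess_span` function, the utilization figures and the 80% headroom default are all assumptions chosen for illustration. It sums the worst-case (both directions saturated) and currently observed load of every mirrored port and compares both against the monitor port's egress capacity, which is the check to do before trusting a SPAN session instead of a tap.

```python
from dataclasses import dataclass


@dataclass
class MonitoredPort:
    """A switch port whose traffic is being mirrored (assumed model, not a vendor API)."""
    name: str
    speed_mbps: int
    rx_util: float = 1.0  # observed fraction of line rate, ingress direction
    tx_util: float = 1.0  # observed fraction of line rate, egress direction


def span_load_mbps(ports, worst_case=False):
    """Aggregate traffic (Mbps) that the mirror port must transmit.

    Full duplex means each monitored port can contribute ingress AND egress,
    so the worst case is 2 x line rate per port, not 1 x.
    """
    total = 0.0
    for p in ports:
        if worst_case:
            total += 2 * p.speed_mbps
        else:
            total += p.speed_mbps * (p.rx_util + p.tx_util)
    return total


def assess_span(ports, monitor_speed_mbps, headroom=0.8):
    """Decide whether a single monitor port can carry the mirrored traffic.

    headroom: fraction of the monitor port we allow for steady-state load;
    the rest is left for the bursts the thread warns about (assumed value).
    """
    worst = span_load_mbps(ports, worst_case=True)
    observed = span_load_mbps(ports)
    budget = monitor_speed_mbps * headroom
    return {
        "worst_case_mbps": worst,
        "observed_mbps": observed,
        "budget_mbps": budget,
        # Can the mirror port keep up even if every monitored link saturates?
        "lossless_at_saturation": worst <= monitor_speed_mbps,
        # Is today's measured load already eating into the burst headroom?
        "drop_risk_now": observed > budget,
        # A tap with one NIC per direction is the only lossless option otherwise.
        "recommendation": "span" if worst <= monitor_speed_mbps else "tap",
    }


if __name__ == "__main__":
    # Constructed sample: six 100Mbps access ports at ~30% load each direction,
    # mirrored into one 1Gbps monitor port.
    access = [MonitoredPort(f"fa0/{i}", 100, 0.3, 0.3) for i in range(1, 7)]
    for key, value in assess_span(access, 1000).items():
        print(f"{key}: {value}")
```

Running the sample shows the point of the thread: six lightly loaded 100Mbps ports fit comfortably today (360Mbps observed against an 800Mbps budget), yet the worst case is 1200Mbps on a 1000Mbps monitor port, so a burst across several links will be dropped by the switch without any error visible to the IDS.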


