Network Managment (packet Analyzer box)
Results 1 to 9 of 9

Thread: Network Managment (packet Analyzer box)

  1. #1
    Member
    Join Date
    Feb 2004
    Posts
    49

    Network Managment (packet Analyzer box)

    To best analyze packets moving accross the network (QoS - error rate, fault managment, ect.) where should I put the box? Does it matter? Can I see all the packets if the node is on any switch? I'm using EtherPeak.

    THanks

  2. #2
    It depends. Does your network consists of any switches? Are they trunked together? Are you running and vlans?

  3. #3
    Member
    Join Date
    Feb 2004
    Posts
    49
    dont know about the virtual lan, many switches, i think they are trunked together with fiber.

  4. #4
    Hmmm...Are you the Administrator of this network? If not, I would suggest that you talk to the admin before you attempt this.

  5. #5
    Member
    Join Date
    Feb 2004
    Posts
    49
    I am the sys admin. When I started writing the IT strategic plan I wanted to impliment Qos, Netmanagment, analysis and security. I'm implementing this in the summer time.

  6. #6
    You may have to do some sniffing on different switches within your network to get the info you are looking for. If it is a switched network and you are running with VLANS, you will miss traffic that does not run across the switch that you have ths sniffer on. Of course you will be able to see all of the traffic, whether it is destinded to you or not, as long as the traffic stays on the switch that you have the sniffer on. Ths also applies to traffic that originates on systems that are on the switch that you have the sniffer on. To monitor outbound Internet I would set the sniffer on the switch that the on the inside (LAN facing) switch. Of course you won't see any traffic that is denied by the firewall. If you want to see that, set up a switch in between your border router and the outside interface of your firewall.
    Another thing you can do in order to get an idea about network utilization and bandwidth is monitor all of the ports on your switches that are in use. I do this with MRTG. The information is passed via SNMP and MRTG creates graphs of bandwidth utilization on a per port basis. All of my gear is Cisco so it was rather easy for me to set up.

    Hope this helps.

  7. #7
    Senior Member
    Join Date
    Sep 2003
    Posts
    500
    Some people put their analyzer on a hub so that all the data has to go through it and thus everything is scanned. However, this method does cause traffic collision.

    If you don't have a hub, then what kind of switches are you using. Some large switches have the option to mirror all the ports to a single port. For more information check out this link on deployment.

    http://www.ethereal.com/faq.html

    go to the line of Using Ethereal, it is a little past halfway down.

    Another option is to put it in between the internet uplink of your main switch and your network. This one is kinda risky because it puts that box at risk, but it is an idea.

    If you don't have any of these options, then your best bet is to put your box near the end of your chain (closest to the red, or internet, zone) and put the NIC in promiscuous mode. Then if you want you could install more Network cards and let them listen on other areas of your network doing the same thing.

    If you want more (and better) help, Stick around and I am sure MsMittens will come along and fix you right up.
    You shall no longer take things at second or third hand,
    nor look through the eyes of the dead...You shall listen to all
    sides and filter them for your self.
    -Walt Whitman-

  8. #8
    Member
    Join Date
    Feb 2004
    Posts
    49
    Thanks for all the great info everyone!!!

  9. #9
    Senior Member
    Join Date
    Dec 2001
    Posts
    291
    You may want to check out www.netoptics.com they have a good range of passive, active, and multiple port taps. Everything from DS3 to plain ole ethernet taps. I've fallen in love with my 10/100 port aggregator tap which actually has a buffer to hold onto traffic during a spike (so your IDS/monitor/sniffer/whatever doesnt get overrun and drop packets).

    snort.org also has tap schematics for the build it yourselfers.... in a larger network with multiple vlan's (or just multiple switches) you may consider going with a multiport IDS/Sniffer system or tap, this will allow you to set up monitor ports on each switch and not waste fabric bandwidth on sending all monitored traffic to one switch and down to one switch port.

    Which reminds me, if your on a switched network you WILL need to use the monitor port or port mirroring functions of the switches to push all traffic to one port.
    ~THEJRC~
    I\'ll preach my pessimism right out loud to anyone that listens!
    I\'m not afraid to be alive.... I\'m afraid to be alone.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •