Ethernet splitters

[Jerry Lundy]

Greetings,

I use both the passive hub and mirrored port solutions in my current network
monitoring.  Unfortunately, solutions that work for low speed half duplex
links 
have problems at higher speeds with full duplex.

Chas DiFatta wrote:
> 
> If you use a Cisco switch and you wish to monitor the link that supplies all
> the traffic (like to/from a router) just set up a spanning port to send
> all tx/rv traffic from the router port to another port where your Argus host
> resides.  We usually use a separate interface for monitoring on the Argus
> host, IP addr 0.0.0.0 to keep in stealth mode.  Other switches may work,
> but we're not familiar with them.  We've been able to monitor at a sustained
> load of 30 Mb/s for hours with this configuration and Argus 1.8.

Not quite.  Full duplex traffic is potentially twice the bandwidth of the receive
lines on a given port, possibly dropping packets.  Spanning multiple switch
ports 
to a single port increases the probability of dropped packets. Spanning and
port 
mirroring become less useful as utilization levels increase.
 
> If you don't have a Cisco, use a 10 or 100baseT hub just in front the
> router.
> Since your only using two ports, i.e. router and switch, monitoring the
> traffic
> on a 3rd port does the trick without any degradation in traffic due to
> collisions.

Substituting a shared hub for a full duplex link effectively halves the 
bandwidth on the link.

Taps provide the visibility of a shared hub while preserving full duplex capability.
Two receiving interfaces on the sensor allow full line speed collection.
If you manage and query the sensor from a separate management interface, the
sniff is
totally unobtrusive.

 
Jerry W. Lundy, CISSP	
The Greentree Group