Ethereal-users: [Ethereal-users] Sniffing in a switched network - Taps or Spans

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Dolbow, Bill" <bdolbow@xxxxxxxxxxxxxx>
Date: Fri, 30 Apr 2004 07:39:38 -0400
I am hoping I can get some suggestions on how best to tap/span our network.


We are an all-Cisco shop and are always running out of TX/RX span ports on
our switches.

Questions:

1. If I tap my aggregation points (firewalls, content switches, etc.),
is Ethereal on RedHat ES3.0 able to combine the transmit and receive feeds
into one capture?

2. Can I tap trunks (Dot1q encapsulation)? If so, how do I parse out,
via capture filters, which VLANs I want to look at?

3. Can I take the output of a Tap (TX and RX feed) and plug them into a
switch or hub somehow and have a group of Ethereal sniffers, snoops and
network associate sniffers plugged in with a single full duplex connection?

        Firewall
        |
        |
        T----------Switch Port 1
        A
        P----------Switch Port 2
        |
        |
        Router

        Then span or mirror to switch port 3 for an IDS
        Then span or mirror to switch port 4 for sniffer #1
        Then span or mirror to switch port 5 for sniffer #2


4. Can I span the entire 6509 or 6513 Core switch to a port (all ports
TX and RX), run encapsulation on that span port, and plug it into a small
switch with all my test gear on it?


Any examples of how others have overcome this would be appreciated.

Thanks