
This will likely seem naive to the experts... but it has been on my mind lately.

For years I've been using ntop and a cheap 4 port hub to sniff client networks to determine who's doing what -- and how much. Great way to see what's going on when they call and say "Geeze, the network seems really slow today." No need to bring in a managed switch (or access the existing one) and no need to configure spanning or mirroring. I just drop in the hub inline where I want to measure.

Lately I noticed it is just about impossible to buy a real honest-to-goodness hub anymore. While looking for a new one, I had someone tell me that I should be sure to get a full-duplex hub or I'd only be seeing half the traffic when I monitor.

Really?

I've been using a crusty old Netgear DS104 all this time. No clue if it is half or FD. Have I really been understating my measurements? I'm just not bright enough about the physical layer to really know...

Side note: Just ordered a Dualcomm Ethernet Switch TAP as a hub replacement. Seems like a nifty gadget. Any notes or tips about it would be welcome in the comments :-)

Chris_K

3 Answers


Depending on what you're comfortable with, a portable solution is to build your own network bridge. Any laptop with two interfaces can be made to do it. Plug the wire from the wall into one interface, and a second wire into the device that's reporting the problem and run your sniffs on the bridge.

Dual ports can be found many ways. USB NICs, or use that never-used ExpressCard slot on some laptops to add a second GigE NIC (example device at NewEgg).

On Linux it's a few root-mode commands to set it up.

brctl addbr snifbr            # create an empty bridge named snifbr
brctl addif snifbr eth0 eth1  # attach both NICs; the laptop now forwards between them

The same can be done on Windows through Internet Connection Sharing and other means, but I don't know what they are off the top of my head.

And now, a side-note:

The ease of doing this is one reason some networks deploy port-level security. Register a specific MAC address for a specific Ethernet jack, and it's a lot harder to do this sort of inline packet capture. Not impossible, just harder.
The advantage of using this method is that it doesn't require an additional power-brick for the switch/hub, it's all self-contained in the laptop. You can even add an address to the bridge if you need to.

ifconfig snifbr 10.31.25.101 netmask 255.255.255.0  # address on the bridge itself, for reaching the laptop

And SSH into it for remote captures.

sysadmin1138

The thing is, while a hub does normally allow for only half-duplex communications (I've heard of full-duplex hubs but I've never seen one), that doesn't mean that you're only going to see half of the traffic, what it means is that the devices communicating with each other through the hub will communicate at half-duplex. You'll still see all of the traffic passing through the hub. When clientA communicates to clientB you'll see that and when clientB responds to clientA you'll see that as well. A hub forwards traffic to all ports, so you'll see all the traffic regardless of duplex.

In the process of your monitoring you're probably introducing a temporary performance problem because of the fact that any devices connected to the hub are probably going to try communicating at full-duplex (especially if they're hard coded to full-duplex) and therefore collisions will occur, necessitating the re-transmitting of quite a bit of traffic in addition to the "slow down" as a result of the half-duplex nature of the hub.

The thing that's good about using a hub is that it acts as a passive network tap. You can insert it inline between the customer switch and firewall/router and monitor their internet usage, see who's going where, see what kind of usage is occurring (HTTP, FTP, etc.), see how much of their internet connection is being utilized, and see how much broadcast traffic exists in the network.

What you probably aren't seeing are problems that exist with specific hosts on the network as you can't insert the hub between every host on the network (you can only connect the hub to one switch port, not all of them). For that you need a switch with port mirroring capability so that you can mirror traffic from specific switch ports or groups of ports to your monitor port.

I use both a hub and a port mirroring capable switch, depending on the problem I'm troubleshooting. I usually start with a hub connected between the customer switch and firewall/router. This gives me a handle on how much internet traffic there is, what kind of traffic it is, and gives me a feel for how much broadcasting is occurring on the network. I'd say that in the majority of cases the problem turns out to be insufficient internet bandwidth or a large volume of broadcasting causing congestion, re-transmits, slow ACK's, duplicate ACK's, etc.

joeqwerty
  • I think what I posted wasn't clear enough as to what I was asking. However, in spite of me, your first paragraph answers exactly what I was looking for. Thank you. – Chris_K Feb 27 '11 at 21:01

If it's a hub it must be half duplex. It is hard to find a hub and virtually impossible to find a 100mb "hub".

These days 10mb just doesn't cut it so hubs are really not a great solution.

Managed switches that can do port mirroring aren't really all that expensive these days. Or you can build yourself a network tap if you like to roll ghetto style.

This is a list of switches and instructions on how to enable port mirroring.

And if you're using a network tap, typically you need 2 interfaces to monitor a given link -- you need to monitor the in and the out and hopefully your software can do the aggregation for you.

chris
  • Often what you'll find is a dual-speed 10/100Mbps hub. These are really two hubs (10Mbps and 100Mbps) with a bridge between them. So be aware that traffic between two ports that negotiate at 10Mbps won't get repeated out the 100Mbps ports (and vice versa). – eater Feb 27 '11 at 16:44
  • @eater - that was certainly the case long ago when these things came out, but I'm not sure it's still the case. I'd expect that the chipsets to make 10/100 hubs are probably no cheaper than a switch-on-a-chip chipsets, and maybe more expensive because they aren't made in volume anymore. Certainly any old-stock is exempt from this, but stuff on newegg? I'm not sure you'd win that bet often enough to want to play the game. – chris Feb 27 '11 at 19:09
  • @chris -- Good response, thank you. Just a side note on the newegg comment: when I checked last week there were NO hubs available from them! – Chris_K Feb 27 '11 at 19:20
  • These days the only reliable place to get a hub is your basement. Otherwise, look on ebay, but once there you may as well look for old nortel switches or similar less desired but still really nice networking equipment. Old nortel switches, for instance, can mirror to a port based on things like the source or target MAC address as well as source port or vlan. – chris Feb 27 '11 at 19:43
  • I recently purchased a Netgear EN104 at Amazon. You can still find some EN104, EN104TP, DS104, and DS108 hubs there. – joeqwerty Feb 27 '11 at 19:59
  • It looks like there are some old netgear products sold in the amazon marketplace, but their "marketplace" is pretty similar to ebay. Netgear doesn't appear to be making these things any longer. And geez, $80? For a hub? Really? I'd think cgi.ebay.com/290430680833 is a far better deal... – chris Feb 27 '11 at 20:27
  • I found a DS104 laying on an abandoned desk at a client site on Friday. I was quite pleased! I'll leave them a shiny new 5 port 10/100 switch next week in return. – Chris_K Feb 27 '11 at 21:00
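For the aggregation step chris's answer mentions (a two-port tap hands you one capture per direction, and the analysis tool has to interleave them), here is an added example, not code from any of the posters: a minimal merger of classic libpcap files by timestamp. The two input captures are constructed inline to stand in for tcpdump output from the two monitor interfaces; the reader assumes little-endian pcap with microsecond timestamps, which is what tcpdump writes by default (in practice mergecap from Wireshark does the same job).

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4   # classic libpcap, microsecond timestamps
LINKTYPE_ETHERNET = 1

def pcap_header():
    # magic, version 2.4, thiszone, sigfigs, snaplen, linktype (24 bytes)
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)

def pcap_record(ts_sec, ts_usec, payload):
    # per-packet header: ts_sec, ts_usec, incl_len, orig_len (16 bytes) + data
    return struct.pack("<IIII", ts_sec, ts_usec, len(payload), len(payload)) + payload

def read_pcap(data):
    """Yield (timestamp_in_microseconds, packet_bytes) from one capture file's bytes."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic %#x (pcapng or big-endian?)" % magic)
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield ts_sec * 1_000_000 + ts_usec, data[off:off + incl_len]
        off += incl_len

def merge_captures(*captures):
    """Interleave records from several captures by timestamp.

    Ties keep the order the captures were given, so the merge is stable."""
    records = []
    for idx, data in enumerate(captures):
        for ts, pkt in read_pcap(data):
            records.append((ts, idx, pkt))
    records.sort(key=lambda r: (r[0], r[1]))
    out = pcap_header()
    for ts, _idx, pkt in records:
        out += pcap_record(ts // 1_000_000, ts % 1_000_000, pkt)
    return out

def sample_captures():
    """Constructed demo input: one capture per tap direction (A->B and B->A)."""
    a_to_b = pcap_header() + pcap_record(100, 10, b"A->B request") + pcap_record(100, 500, b"A->B data")
    b_to_a = pcap_header() + pcap_record(100, 300, b"B->A reply") + pcap_record(101, 0, b"B->A ack")
    return a_to_b, b_to_a

def merged_order(*captures):
    """Packet payloads of the merged capture, in the order a sniffer would now see them."""
    return [pkt for _ts, pkt in read_pcap(merge_captures(*captures))]

if __name__ == "__main__":
    for pkt in merged_order(*sample_captures()):
        print(pkt.decode())
```

Real taps can timestamp the two directions on different clocks, so a merge like this reflects capture-host time, not wire order.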