Network monitoring

Haulmark, Chris chris at sigd.net
Wed Nov 24 15:37:49 PST 2004


Someone broke the silence: 

> On Thu, 2004-11-25 at 08:27, Haulmark, Chris wrote:
>> Someone broke the silence:
>> 
>>> I apologize that this probably isn't the most relevant
>>> list to ask this on. Suggestions for better lists will be welcome.
>>> 
>>> I'm trying to monitor traffic on a 100BaseT ethernet
>>> network link. I split the line, put a "hub" in and am
>>> trying to run tcpdump on a box off the side of the
>>> hub.
>>> 
>>> Unfortunately, it turns out the hub isn't a hub, it's
>>> a "switching hub" (what's not a switch about this? I
>>> don't get it). Consequently, all I see are arp
>>> packets, bootp packets, and the odd broadcast. I went
>>> to a local store to buy a hub, and guess what, they
>>> sold me another switching hub, so that has to be
>>> returned :(
>>> 
>>> So, the question is, can anyone tell me the
>>> manufacturer and product name of a real (dumb) hub? I
>>> could use 10baseT instead if necessary, I just need
>>> something cheap that is a simple repeater. Of course,
>>> nobody advertises "our hub really is a totally dumb
>>> hub, not like those fancy switching hubs the
>>> competition sells" ;>
>>> 
>>> Any suggestions?
>>> 
>> 
>> I ran into a similar problem.  I just looked elsewhere
>> for a cheap hub. eBay was the favorite place for me.  For
>> you, just swing by a Pop/Mom/Family kind of computer store.
>> They might sell a few old hubs that don't have switching
>> capabilities at a low price.
>> 
>> Chris Haulmark
>> 
>>> Thanks
>>> Simon
>>> 
>>> 
> Would this work for you
> 
> 1 - install a second NIC in the BSD box
> 2 - configure it as a bridge with no IP numbers on the NICs
>      (Ahm jist sittin' 'ere, passin' stuff thru!)
> 3 - tcpdump -i fxp0      or      tcpdump -i fxp1
>      as appropriate
> 
> A NIC is easier to get than a dumb hub these days ...

This is a reasonable answer for a home-based network or a less critical network. An Ethernet tap would be what I would recommend for an enterprise environment.  A dumb hub can be pretty decent if you're a small business employee with a T1 connection.  If you were to do bridging, should and would you risk having to come in in the middle of the night because of a hardware failure on the bridge machine?

For the time being, I am currently using an IDS machine hooked up to the hub while the T1 router is hooked up to the hub along with the main switch hooked up to the hub.

For our colocation facility, I've ordered an Ethernet tap and might cancel it because I just realized that the current switch is a Cisco and there's a high possibility that it will support SPAN (port mirroring?).

Chris Haulmark



More information about the freebsd-hackers mailing list