Date: Wed, 24 Nov 2004 18:38:58 -0500
From: "Haulmark, Chris" <chris@sigd.net>
To: "Murray Taylor" <murraytaylor@bytecraftsystems.com>
Cc: simon.roberts@earthlink.net
Subject: RE: Network monitoring
Message-ID: <6FC9F9894A9F8C49A722CF9F2132FC2202765742@ms05.mailstreet2003.net>

Someone broke the silence:
> On Thu, 2004-11-25 at 08:27, Haulmark, Chris wrote:
>> Someone broke the silence:
>>
>>> I apologize that this probably isn't the most relevant
>>> list to ask this on. Suggestions for better lists will be welcome.
>>>
>>> I'm trying to monitor traffic on a 100BaseT ethernet
>>> network link. I split the line, put a "hub" in and am
>>> trying to run tcpdump on a box off the side of the
>>> hub.
>>>
>>> Unfortunately, it turns out the hub isn't a hub, it's
>>> a "switching hub" (what's not a switch about this? I
>>> don't get it). Consequently, all I see are arp
>>> packets, bootp packets, and the odd broadcast. I went
>>> to a local store to buy a hub, and guess what, they
>>> sold me another switching hub, so that has to be
>>> returned :(
>>>
>>> So, the question is, can anyone tell me the
>>> manufacturer and product name of a real (dumb) hub? I
>>> could use 10baseT instead if necessary, I just need
>>> something cheap that is a simple repeater. Of course,
>>> nobody advertises "our hub really is a totally dumb
>>> hub, not like those fancy switching hubs the
>>> competition sells" ;>
>>>
>>> Any suggestions?
>>>
>>
>> I ran into a similar problem. I just looked elsewhere
>> for a cheap hub. eBay was the favorite place for me. For
>> you, just swing by a Pop/Mom/Family kind of computer store.
>> They might sell a few old hubs that don't have switching
>> capabilities at a low price.
>>
>> Chris Haulmark
>>
>>> Thanks
>>> Simon
>>>
>>>
> Would this work for you?
>
> 1 - install a second NIC in the BSD box
> 2 - configure it as a bridge with no IP numbers on the NICs
>     (Ahm jist sittin' 'ere, passin' stuff thru!)
> 3 - tcpdump -i fxp0 or tcpdump -i fxp1
>     as appropriate
>
> A NIC is easier to get than a dumb hub these days ...

This is a reasonable answer for a home-based network or a less critical
network. An Ethernet tap would be what I would recommend for an enterprise
environment. A dumb hub can be pretty decent if you're a small business
employee with a T1 connection. If you were to do bridging, should and
would you risk having to come in in the middle of the night because of a
hardware failure on the bridge machine?

For the time being, I am currently using an IDS machine hooked up to the
hub while the T1 router is hooked up to the hub along with the main
switch hooked up to the hub.

For our colocation facility, I've ordered an Ethernet tap and might
cancel it because I just realized that the current switch is a Cisco and
there's a high possibility that it will support SPAN (port mirroring?).

Chris Haulmark