see all traffic on a 3com superstack switch 1100

Hi,

I believe it's possible to configure one port on a 3com superstack switch 1100 so I sniff all the traffic going thru the switch. Can someone please explain how to do this? I can log into the switch management but I don't understand what half the settings on the port configuration mean. Thanks.
browolfAsked:
grbladesCommented:
Hi browolf,
You can't monitor all traffic going through the port. You can, however, monitor a single port and send a copy of all traffic going in and out of it to another port where you connect the sniffer.
This option is normally called port mirroring or port spanning.
Sorry I don't know the 3com switches so I cannot say exactly how to configure it.
0
Problem_SolverCommented:
What grblades says is, I believe, 100% correct. 3com calls it Roving Analysis; see http://support.3com.com/infodeli/tools/switches/s_stack2/1695/manual.a01/manage.pdf

Steve
0

lyle-grangerCommented:
Hello browolf,

In a switched environment it is tougher to monitor traffic because there are no broadcasts. I ran into a similar problem. I solved my problem by purchasing a 10/100 hub and taking the uplink cable from the switch and connecting it to the hub and then connecting the switch to the hub. The hub will broadcast all the information to another port on the hub. I then connect a computer (normally a laptop) to the hub any time I want to sniff the traffic.

Hope this is helpful.

Lyle
0
pseudocyberCommented:
In Nortel world, it's called port mirroring.  In Cisco land, it's called spanning.  On both Nortel and Cisco switches, you CAN span/mirror multiple ports to one single port - depending on the amount of traffic you're talking about, this could easily overwhelm the mirrorING (where you have the sniffer) port.  If you really want to do this, then it's best to span/mirror 10/100 ports to a 1000 port.

Throwing a sniffer on the switch uplink is an option, if the traffic you want to capture is off the switch - if it goes from a node on the switch to a node somewhere else off the switch.  However, this wouldn't work if the traffic you want to see is internal to the switch.

However, looking through this document, http://support.3com.com/infodeli/tools/switches/s_stack2/1695/manual.a01/manage.pdf I see NOTHING mentioning port spanning/mirroring - no packet capture, nada.  I don't believe you can do it with this switch.


0
Problem_SolverCommented:
In reference to Lyle's comment I would have thought that would have only monitored traffic leaving the switch, not PC to PC within the switch, setting the aging time of the database to the minimum (not 0) would increase this traffic to the uplink. Thinking further on this it might, but I have my strong doubts as it depends on the firmware, be possible to fool the switch by setting the aging time to 0 (non-aged entries) and then physically plugging in each PC in turn and communicating into a port used later for monitoring and then back to its own port. It could as I think further be that Lyle is correct in his solution and the hub is dynamically doing this to save the plug in/out. So I would ask Lyle if that is what he did in effect and whether it was 3com switches if it was the physical method might be more cost-effective if the devices are not changed frequently.

The 3com switches I had despite the online manual only learnt 4 addresses per port max so it was non-viable for me with 20 PCs so I never tested this.

Steve
0
lyle-grangerCommented:
Steve,

That is correct, this monitors all traffic leaving the switch.  browolf's post states "sniff all the traffic going thru the switch" so that is why I recommended this solution. Hubs are relatively cheap and can be installed/removed at any time for monitoring purposes or simply left in the loop.  Hubs broadcast to all ports so connecting the sniffing device to any of the other ports will allow you to see the traffic going to and from the switch.  I am currently doing this using a Nortel switch and a Netgear hub.  I have done this with other equipment as well.

pseudocyber is correct; this will not work for traffic internal to the switch.  You would have to use, as he said, mirroring or spanning.

Lyle

0
sstalibCommented:
I would try this: in the roving analysis setup dialog box, hold the shift key down and select multiple ports to monitor. Then select one port as the analysis port.

Make sure the analysis port is not part of the monitor ports. Hope this helps.

Good Luck

Talib
0
browolfAuthor Commented:
I couldn't find anything in that pdf file either.

Right. The hub solution was the other alternative I had in mind. Are you saying uplink the switch to a hub and then from the hub back into the switch stack?

This would only work, I think, on the switches that don't have fibre modules in the back.

Would it be any easier to do on a 3com Switch 3300 FX? There's a free UTP port on that.
0
browolfAuthor Commented:
Ooh, I found the roving analysis page. It's on the config page for the whole switch. Will see what I can do.
0
grbladesCommented:
It is always better to use the port spanning option on a switch rather than use a hub if possible because by inserting the hub you are affecting the network and this can bypass the problem you are trying to identify.
0
browolfAuthor Commented:
Yes of course.

Ooh ooh, the 3300fx has that page as well and because it's a stack it would appear that I can sniff all 4 switches. Just setting up a laptop now with Ethereal.
0
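Added example, not part of the thread: once roving analysis (or a hub) is in place, one way to check that the sniffer really sees other stations' traffic is to classify the frames in a saved capture. The sketch below reads a classic pcap file and counts frames that are broadcast/multicast, frames to or from the sniffer itself, and unicast frames between other hosts; the MAC addresses and both sample captures are constructed for illustration.

```python
import struct

def build_pcap(frames):
    """Build a classic little-endian pcap (link type 1 = Ethernet) in memory."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frm in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frm), len(frm)) + frm
    return out

def classify(pcap, sniffer_mac):
    """Count frames by how they relate to the capturing NIC's MAC address."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic (microsecond) pcap file")
    if struct.unpack_from(endian + "I", pcap, 20)[0] != 1:
        raise ValueError("link type is not Ethernet")
    counts = {"flooded": 0, "own": 0, "third_party_unicast": 0}
    off = 24                                  # first record follows the global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from(endian + "I", pcap, off + 8)[0]
        frm = pcap[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frm) < 14:
            continue                          # no complete Ethernet header
        dst, src = frm[0:6], frm[6:12]
        if dst[0] & 1:                        # group bit: broadcast or multicast
            counts["flooded"] += 1
        elif sniffer_mac in (dst, src):       # the sniffer's own conversations
            counts["own"] += 1
        else:                                 # only visible via a mirror port or hub
            counts["third_party_unicast"] += 1
    return counts

def frame(dst, src):
    """Constructed minimum-size IPv4-typed Ethernet frame with an empty payload."""
    return dst + src + b"\x08\x00" + b"\x00" * 46

# Constructed sample data (locally administered MAC addresses).
SNIFFER = bytes.fromhex("020000000001")
HOST_A = bytes.fromhex("02000000000a")
HOST_B = bytes.fromhex("02000000000b")
BCAST = b"\xff" * 6
UNMIRRORED = build_pcap([frame(BCAST, HOST_A), frame(HOST_A, SNIFFER)])
MIRRORED = build_pcap([frame(BCAST, HOST_A), frame(HOST_A, SNIFFER),
                       frame(HOST_B, HOST_A), frame(HOST_A, HOST_B)])
```

A capture from an ordinary switch port looks like `UNMIRRORED` (no third-party unicast), while a working analysis port looks like `MIRRORED`. A handful of third-party unicast frames on an ordinary port can still appear when the switch floods frames for addresses it has not learned yet, so judge by a sustained count rather than a single frame.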
pseudocyberCommented:
Well, the "Roving Analysis" on page 86 is exactly what you need - hmph - new one on me calling mirroring/spanning "roving analysis".  Good catch.
0
lyle-grangerCommented:
browolf,

What I was saying was take the uplink to the ISP/Internet router and plug it into the hub and then connect the switch stack to the hub.  You would then connect the sniffing device to the hub and run the protocol analyzer.  This will allow you to see what the devices on your network are doing and if they are stacked you should be able to see the activity on all of the switches.

Like was posted earlier you should be able to also use the "roving analysis", I haven't used that feature.

Good luck.

Lyle
0
browolfAuthor Commented:
Who said anything about routers?

Couldn't try it anyway cos the admin password on the 3300fx was different to the 1100 switch. Will have to try and get it tomorrow.
0
lyle-grangerCommented:
I was simply trying to show the physical connection between the devices so that you could sniff the traffic.  

internet router --> hub --> sniffing device and 3Com stack

The previous post was not about routers at all.

Lyle
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.