[Last Call] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

see all traffic on a 3com superstack switch 1100

Posted on 2004-11-16
15
Medium Priority
?
7,187 Views
Last Modified: 2007-12-19
Hi,

I believe its possible to configure one port on a 3com superstack switch 1100 so i sniff all the traffic going thru the switch. Can someone please explain how to do this. I can log into the switch management  but i dont understand what half the settings on the port configuration mean. thanks.
0
Comment
Question by:browolf
  • 4
  • 4
  • 2
  • +3
15 Comments
 
LVL 36

Assisted Solution

by:grblades
grblades earned 200 total points
ID: 12592778
Hi browolf,
You can't monitor all traffic going through the port. You can however monitor a single port and send a copy of all traffic going in and out of it to another port where you connect the shiffer.
This option is normally called port mirroring or port spanning.
Sorry I don't know the 3com switches so I cannot say exactly how to configure it.
0
 
LVL 2

Accepted Solution

by:
Problem_Solver earned 1400 total points
ID: 12592867
What grblades says is I believe 100% correct 3com calls it Roving Analysis see http://support.3com.com/infodeli/tools/switches/s_stack2/1695/manual.a01/manage.pdf

Steve
0
 
LVL 2

Expert Comment

by:lyle-granger
ID: 12593003
Hello browolf,

In a switched environment it is tougher to monitor traffic because there is no broadcasts.  I ran into a smilar problem.  I solved my problem by purchasing a 10/100 hub and taking the uplink cable from the switch and connecting it to the hub and then connecting the switch to the hub.  The hub will broadcast all the information to another port on the hub.  I then connect a computer (normally a laptop) to the hub any time I want to sniff the traffic.  

Hope this is helpful.

Lyle
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 27

Expert Comment

by:pseudocyber
ID: 12593416
In Nortel world, it's called port mirroring.  In Cisco land, it's called spanning.  On both Nortel and Cisco switches, you CAN span/mirror multiple ports to one single port - depending on the amount of traffic you're talking about, this could easily overwhelm the mirrorING (where you have the sniffer) port.  If you really want to do this, then it's best to span/mirror 10/100 ports to a 1000 port.

Throwing a sniffer on the switch uplink is an option, if the traffic you want to capture is off the switch - if it goes from a node on the switch to a node somewhere else off the switch.  However, this wouldn't work if the traffic you want to see is internal to the switch.

However, looking through this document, http://support.3com.com/infodeli/tools/switches/s_stack2/1695/manual.a01/manage.pdf I see NOTHING mentioning port spanning/mirroring - no packet caputure, nada.  I don't believe you can do it with this switch.


0
 
LVL 2

Expert Comment

by:Problem_Solver
ID: 12593560
In reference to Lyle's comment I would have thought that would have only monitored traffic leaving the switch, not PC to PC within the switch, setting the aging time of the database to the minimum (not 0) would increase this traffic to the uplink. Thinking further on this it might, but I have my strong doubts as it depends on the firmware, be possible to fool the switch by setting the aging time to 0 (non-aged entries) and then physically plugging in each PC in turn and communicating into a port used later for monitoring and then back to its' own port. It could as I think further be that Lyle is correct in his solution and the hub is dynamically doing this to save the plug in/out. So I would ask Lyle if that is what he did in effect and whether it was 3com switches if it was the physical method might be more cost-effective if the devices are not changed frequently.

The 3com switches I had despite the online manual only learnt 4 addresses per port max so it was non-viable for me with 20 PCs so I never tested this.

Steve
0
 
LVL 2

Expert Comment

by:lyle-granger
ID: 12594080
Steve,

That is correct, this monitors all traffic leaving the swicth.  browolf's post states "sniff all the traffic going thru the switch" so that is why i recommended this solution hubs are relatively cheap and can be installed/removed at any time for monitoring purposes or simply left in the loop.  Hubs broadcast to all ports so connecting the sniffing device to any of the other ports will allow you to see the traffic going to and from the switch.  I am currently doing this using a Nortel switch and a Netgear hub.  I have done this with other equipment as well.

pseudocyber is correct this will not work for traffic internal to the switch.  You would have to use as he said mirroring or spanning.

Lyle

0
 
LVL 2

Assisted Solution

by:sstalib
sstalib earned 200 total points
ID: 12594820
I would try this, in the roving analysis setup dialog box hold the shift key down and select multiple ports to monitor. Then select one port as the analysis port.

Make sure the analysis port is not part of the monitor ports. Hope this helps.

Good Luck

Talib
0
 
LVL 3

Author Comment

by:browolf
ID: 12594887
i couldnt find anything in that pdf file either.

right. the hub solution was the other alternative I had in mind. Are you saying uplink the switch to a hub and then from the hub back into the switch stack?

This would only work i think on the switches that dont have fibre modules in the back.

would it be any easier to do on a 3com Switch 3300 FX? there's a free UTP port on that.
0
 
LVL 3

Author Comment

by:browolf
ID: 12594928
ooh i found the roving analysis page.  its on the config page for the whole switch. will see what i can do.
0
 
LVL 36

Expert Comment

by:grblades
ID: 12594975
It is always better to use the port spanning option on a switch rather than use a hub if possible because by inserting the hub you are affecting the network and this can bypass the problem you are trying to identify.
0
 
LVL 3

Author Comment

by:browolf
ID: 12595017
Yes of course.

ooh ooh the 3300fx has that page as well and because it's a stack it would appear that i can sniff all 4 switches. Just setting up a laptop now with ethereal
0
 
LVL 27

Expert Comment

by:pseudocyber
ID: 12595069
Well, the "Roving Analysis" on page 86 is exactly what you need - hmph - new one on me calling mirroring/spanning "roving analysis".  Good catch.
0
 
LVL 2

Expert Comment

by:lyle-granger
ID: 12595705
browolf,

What I was saying was take the uplink to the ISP/Internet router and plug it into the hub and then connect the swtich stack to the hub.  You would then connect the sniffing device to the hub and run the protocol analyzer.  This will allow you to see what the devices on your network are doing and if they are stacked you should be able to see the activity on all of the switches.  

Like was posted earlier you should be able to also use the "roving analysis", I haven't used that feature.

Good luck.

Lyle
0
 
LVL 3

Author Comment

by:browolf
ID: 12597330
who said anything about routers.

couldnt try it anyway cos the admin password on the 3300fx was different to the 1100 switch. will have to try and get it tomorrow. .
0
 
LVL 2

Assisted Solution

by:lyle-granger
lyle-granger earned 200 total points
ID: 12598128
I was simply trying to show the physical connection between the devices so that you could sniff the traffic.  

internet router --> hub --> sniffing device and 3Com stack

The previous post was not about routers at all.

Lyle
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Originally, this post was published on Monitis Blog, you can check it here . It goes without saying that technology has transformed society and the very nature of how we live, work, and communicate in ways that would’ve been incomprehensible 5 ye…
This article explains the fundamentals of industrial networking which ultimately is the backbone network which is providing communications for process devices like robots and other not so interesting stuff.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…

834 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question