browolf
asked on
see all traffic on a 3com superstack switch 1100
Hi,
I believe its possible to configure one port on a 3com superstack switch 1100 so i sniff all the traffic going thru the switch. Can someone please explain how to do this. I can log into the switch management but i dont understand what half the settings on the port configuration mean. thanks.
I believe its possible to configure one port on a 3com superstack switch 1100 so i sniff all the traffic going thru the switch. Can someone please explain how to do this. I can log into the switch management but i dont understand what half the settings on the port configuration mean. thanks.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
In Nortel world, it's called port mirroring. In Cisco land, it's called spanning. On both Nortel and Cisco switches, you CAN span/mirror multiple ports to one single port - depending on the amount of traffic you're talking about, this could easily overwhelm the mirrorING (where you have the sniffer) port. If you really want to do this, then it's best to span/mirror 10/100 ports to a 1000 port.
Throwing a sniffer on the switch uplink is an option, if the traffic you want to capture is off the switch - if it goes from a node on the switch to a node somewhere else off the switch. However, this wouldn't work if the traffic you want to see is internal to the switch.
However, looking through this document, http://support.3com.com/infodeli/tools/switches/s_stack2/1695/manual.a01/manage.pdf I see NOTHING mentioning port spanning/mirroring - no packet caputure, nada. I don't believe you can do it with this switch.
Throwing a sniffer on the switch uplink is an option, if the traffic you want to capture is off the switch - if it goes from a node on the switch to a node somewhere else off the switch. However, this wouldn't work if the traffic you want to see is internal to the switch.
However, looking through this document, http://support.3com.com/infodeli/tools/switches/s_stack2/1695/manual.a01/manage.pdf I see NOTHING mentioning port spanning/mirroring - no packet caputure, nada. I don't believe you can do it with this switch.
In reference to Lyle's comment I would have thought that would have only monitored traffic leaving the switch, not PC to PC within the switch, setting the aging time of the database to the minimum (not 0) would increase this traffic to the uplink. Thinking further on this it might, but I have my strong doubts as it depends on the firmware, be possible to fool the switch by setting the aging time to 0 (non-aged entries) and then physically plugging in each PC in turn and communicating into a port used later for monitoring and then back to its' own port. It could as I think further be that Lyle is correct in his solution and the hub is dynamically doing this to save the plug in/out. So I would ask Lyle if that is what he did in effect and whether it was 3com switches if it was the physical method might be more cost-effective if the devices are not changed frequently.
The 3com switches I had despite the online manual only learnt 4 addresses per port max so it was non-viable for me with 20 PCs so I never tested this.
Steve
The 3com switches I had despite the online manual only learnt 4 addresses per port max so it was non-viable for me with 20 PCs so I never tested this.
Steve
Steve,
That is correct, this monitors all traffic leaving the swicth. browolf's post states "sniff all the traffic going thru the switch" so that is why i recommended this solution hubs are relatively cheap and can be installed/removed at any time for monitoring purposes or simply left in the loop. Hubs broadcast to all ports so connecting the sniffing device to any of the other ports will allow you to see the traffic going to and from the switch. I am currently doing this using a Nortel switch and a Netgear hub. I have done this with other equipment as well.
pseudocyber is correct this will not work for traffic internal to the switch. You would have to use as he said mirroring or spanning.
Lyle
That is correct, this monitors all traffic leaving the swicth. browolf's post states "sniff all the traffic going thru the switch" so that is why i recommended this solution hubs are relatively cheap and can be installed/removed at any time for monitoring purposes or simply left in the loop. Hubs broadcast to all ports so connecting the sniffing device to any of the other ports will allow you to see the traffic going to and from the switch. I am currently doing this using a Nortel switch and a Netgear hub. I have done this with other equipment as well.
pseudocyber is correct this will not work for traffic internal to the switch. You would have to use as he said mirroring or spanning.
Lyle
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
i couldnt find anything in that pdf file either.
right. the hub solution was the other alternative I had in mind. Are you saying uplink the switch to a hub and then from the hub back into the switch stack?
This would only work i think on the switches that dont have fibre modules in the back.
would it be any easier to do on a 3com Switch 3300 FX? there's a free UTP port on that.
right. the hub solution was the other alternative I had in mind. Are you saying uplink the switch to a hub and then from the hub back into the switch stack?
This would only work i think on the switches that dont have fibre modules in the back.
would it be any easier to do on a 3com Switch 3300 FX? there's a free UTP port on that.
ASKER
ooh i found the roving analysis page. its on the config page for the whole switch. will see what i can do.
It is always better to use the port spanning option on a switch rather than use a hub if possible because by inserting the hub you are affecting the network and this can bypass the problem you are trying to identify.
ASKER
Yes of course.
ooh ooh the 3300fx has that page as well and because it's a stack it would appear that i can sniff all 4 switches. Just setting up a laptop now with ethereal
ooh ooh the 3300fx has that page as well and because it's a stack it would appear that i can sniff all 4 switches. Just setting up a laptop now with ethereal
Well, the "Roving Analysis" on page 86 is exactly what you need - hmph - new one on me calling mirroring/spanning "roving analysis". Good catch.
browolf,
What I was saying was take the uplink to the ISP/Internet router and plug it into the hub and then connect the swtich stack to the hub. You would then connect the sniffing device to the hub and run the protocol analyzer. This will allow you to see what the devices on your network are doing and if they are stacked you should be able to see the activity on all of the switches.
Like was posted earlier you should be able to also use the "roving analysis", I haven't used that feature.
Good luck.
Lyle
What I was saying was take the uplink to the ISP/Internet router and plug it into the hub and then connect the swtich stack to the hub. You would then connect the sniffing device to the hub and run the protocol analyzer. This will allow you to see what the devices on your network are doing and if they are stacked you should be able to see the activity on all of the switches.
Like was posted earlier you should be able to also use the "roving analysis", I haven't used that feature.
Good luck.
Lyle
ASKER
who said anything about routers.
couldnt try it anyway cos the admin password on the 3300fx was different to the 1100 switch. will have to try and get it tomorrow. .
couldnt try it anyway cos the admin password on the 3300fx was different to the 1100 switch. will have to try and get it tomorrow. .
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
In a switched environment it is tougher to monitor traffic because there is no broadcasts. I ran into a smilar problem. I solved my problem by purchasing a 10/100 hub and taking the uplink cable from the switch and connecting it to the hub and then connecting the switch to the hub. The hub will broadcast all the information to another port on the hub. I then connect a computer (normally a laptop) to the hub any time I want to sniff the traffic.
Hope this is helpful.
Lyle