中文网站
  Advanced Search
Read the latest Blogs from IT professionals in the field. Read and write community created documents. Need IT help? Ask our staff. Connect with your peers. Check our Tech Shop for posters, books and software tools. Home
HomeHow to tricks and tutorials in networking, computing and telecom

How to position Network Analyzer to best monitor network traffic

There are two basic network environments: the shared network in which nodes are connected using a shared hub, and the switched network in which network components are connected by a switch. To monitor network traffic using a network analyzer, the software must be able to capture packets passing through it. Therefore, before using any network analyzer, you should first know about the topology of your network and position the network analyzer at the proper place to capture the right traffic for your network monitoring and troubleshooting purpose.

Shared network

A shared network, also known as hubbed network, is connected with a hub, which is the simplest network devices. On a hub, data is forwarded to all ports, regardless of whether the data is intended for the system connected to the port. In addition to ports for connecting computers, even a very inexpensive hub generally has a port designated as an uplink port that enables the hub to be connected to another hub to create larger networks. When a packet arrives at one port of a hub, it is copied to the other ports so that all segments of the LAN can see all packets. A passive hub serves simply as a conduit for the data, enabling it to go from one device (or segment) to another. So-called intelligent hubs include additional features that enable an administrator to monitor the traffic passing through the hub and to configure each port in the hub. Intelligent hubs are also called manageable hubs. There is a third type of hub, called a switching hub. IT reads the destination address of each packet and then forwards the packet to the correct port. Switching hub actually does not provide a shared environment.

In a shared environment, a network analyzer such as the Javvin Packet Analyzer can use any port of the hub. The entire network data transmitted through the Hub will be captured, including the communication between any two hosts in LAN.

Topology illustration 1:

Shared network

Shared network

Switched network

Switch is a layer 2 and multi-port device. Switch provides similar functions as a hub or a bridge but has more advanced features that can temporarily connect any two ports together. It contains a switch matrix or switch fabric that can rapidly connect and disconnect ports. Unlike Hub, a switch only forward frame from one port to the other port where the destination node is connected without broadcast to all other ports. Switch can learn the physical addresses and save these addresses in its ARP table. When a packet is sent to switch, switch will check the packets destination address from its ARP table and then send the packet to the corresponding port.

Network with managed switches

If you have a switched network, network analyzers are often restricted to receive to only its own packets. In this case, port mirroring, also known as port spanning or port monitoring function, is required in the switch for network administration to monitor traffic properly. A switch with the port monitoring function is called a managed switch.

Generally all three-layer switches and partial two-layer switches have the ability of doing some network management; the traffic going through other ports of the switch can be captured from mirror port/span port, if configured properly. To analyze the traffic going through all ports, a network analyzer should be plugged into this mirror port/span port.

The following table presents the advantages and disadvantages of using a switch with mirror port.

Advantage

  1. No additional facility required
  2. No need to change network topology

Disadvantage

  1. Occupies a switch port
  2. Possible influence to network transmission performance when meeting huge traffic

Topology illustration 2:

Network with managed switches

Network with managed switches

Network with unmanaged switches

If your switch has no management function or monitoring port, you can:

Connect a tap with the line to be monitored

Taps can be flexibly placed on any line in network. When the requirement for network performance is very high, you can add a tap to connect your network. The following table presents the advantages and disadvantages of using a tap.

Advantage

  • No influence to network transmission performance
  • No interference with data stream and raw data
  • Does not occupy IP address, free from network attacks
  • No need to change network topology

Disadvantage

  • High cost
  • Additional facility (tap) required
  • Requires dual adapters
  • Can not connect Internet

Topology illustration 3:

Connect a tap with the line to be monitored

Connect a tap with the line to be monitored

Connect a hub with the line to be monitored

Working on share mode, hubs are applicable for small networks.

Advantage

  • Low cost
  • No need to be configured
  • No need to change network topology

Disadvantage

  • Additional facility (hub) required
  • Interference to network transmission performance when meeting huge traffic
  • Not applicable for big networks

Topology illustration 4:

Connect a hub with the line to be monitored

Connect a hub with the line to be monitored

Monitoring a network segment

In the case when you only need to monitor the traffic in a network segment (a department e.g. Finance department, Sales department, etc.), you can connect the server with a network traffic analyzer installed and the network segment with an exchange facility. The exchange facility can be hub, switch or proxy server.

Topology illustration 5:

Monitoring a network segment

Monitoring a network segment

Note: Typically management switches have the function of port mirroring (spanning); however, the port mirroring configuration of one brands switch may differ from others, please refer to the documentation that comes with your switch for information on the availability of this feature and the configuration instructions.

Switch and port monitoring

Switch is a network exchange facility operating at the data link layer (layer 2) and sometimes the network layer (layer 3) of the OSI Reference Model. Classified by working protocols, there are two-layer switch, three-layer switch, four-layer switch and multiple-layer switch. Switch also can be classified into managed switch and unmanaged switch. Generally, three-layer switch and above has management function (managed switch).

Unlike hubs, switches prevent promiscuous sniffing. In a switched network environment, network analyzers are limited to capturing broadcast and multicast packets and the traffic sent or received by the PC on which it is running.

However, most modern switches (management switches) support "port mirroring", which is a feature that allows you to configure the switch to redirect the traffic that occurs on some or all ports to a designated monitoring port on the switch. With this feature, you can monitor the entire LAN segment in switched network environment. Please refer to the documentation coming with your switch for the availability information about this feature and configuration instructions.

If your switch dose not support "port mirroring", you can install network monitoring tool on a workstation connected to the same hub as your Internet gateway, or on your Internet gateway (if acceptable), thus you can monitor all network traffic between your intranet and the Internet.

A list of some managed switches (with port monitoring/spanning) which are commonly used is available on our website.

Configuring a switch with Port Mirroring

Mirror port configuration:

  • Mirror the way out port to the management port (mirror port), in this way the entire data transmitted into/out of LAN can be monitored.
  • Mirror all way out ports to the management port (mirror port), in this way not only the entire data transmitted into/out of LAN but also the communication among hosts in LAN can be monitored. (Recommend)

Note: Different brands' switches may apply different mirror port configurations, please refer to the instructions coming with your switch.

The following are two examples for CISCO switch using the "monitor" command in configuration mode:

Format:

#monitor session number source interface mod_number/port_number
#monitor session number destination interface mod_number/port_number

Examples:

  • Mirror session 1: mirror port 1-10 to port 12
    #monitor session 1 source interface 1/1-10
    #monitor session 1 destination interface 1/12
  • Mirror session 2: mirror port 13-20 to port 24
    #monitor session 2 source interface 2/13-20
    #monitor session 2 destination interface 2/24

Change the corresponding parameters when there are multiple mirror sessions or modules.

‹ How to Perform WLAN Troubleshooting?upHow to Protect WLAN Security ? ›