
Attention Network Gurus



N1LAF
01-11-2012, 10:53 PM
Suppose I want to test a network system as non-invasively as possible, check on bandwidth usage, timing, etc. Suppose a system has multiple switches and multiple connection points. What would be the best way to go about this, without affecting the network in any way?

1. I figure Wireshark is out because it will create a connection channel, which will affect communications between switches and connected devices
2. Port mirroring is out, for basically the same reasons

Is what I am looking for a Network Tap? Something that taps the TX and RX lines (depending on ref point) and feeds those lines back to an analyzer/data recorder/Wireshark type device? I understand insertion of a Network Tap has very minimal effect (copper, diminished light for fiber).

Any comments/suggestions?

KC2UGV
01-12-2012, 07:52 AM
Port mirroring doesn't create any sort of channel. It just mirrors what is sent to one switch port to another port. Same with Wireshark. It just listens, and outputs frames.

And, you can't really "tap" a network cable, and if you could, it's more problems than it's worth (Cutting the line, splicing tap).

What are you trying to accomplish? And to truly answer, we'll need a network diagram of the hardware.

WØTKX
01-12-2012, 08:05 AM
http://www.amazon.com/Dualcomm-DCSW-1005-Powered-Ethernet-Mirroring/dp/B002BSF112


This 5-port 10/100M Ethernet Switch TAP (DCSW-1005) is another innovation by Dualcomm that offers a unique and low-cost solution for any network applications where port-mirroring is required. Port-mirroring used to be a feature in most expensive managed switches requiring a series of software configurations, but DCSW-1005 makes it plug and play without any software manipulations at a much lower price point. DCSW-1005 also is engineered with an efficient power circuitry capable of receiving power on a USB port and to operate reliably with up to five Ethernet connections at full speeds. With DCSW-1005, an otherwise heavy and bulky AC/DC power adapter becomes not necessary! For home or small business users, DCSW-1005 can be best used for a cost-effective packet sniffing setup to record VoIP calls. For IT professionals, DCSW-1005 is surely a favorite gadget that soon will be found in their tool bags!

K7SGJ
01-12-2012, 10:34 AM
I don't know shit about it, but check with NSA or one of those other alphabet agcy. They have taps down to an art.

KC2UGV
01-12-2012, 11:54 AM
I don't know shit about it, but check with NSA or one of those other alphabet agcy. They have taps down to an art.

They think they do, but in fact, they really don't.

N8YX
01-12-2012, 12:14 PM
Most higher-end consumer-grade switches (and almost all commercial equivalents) incorporate some form of traffic rate logging, total consumption and so forth. What brand and type/model of equipment are you attempting to test?

N1LAF
01-12-2012, 02:55 PM
http://www.amazon.com/Dualcomm-DCSW-1005-Powered-Ethernet-Mirroring/dp/B002BSF112

Thanks, Dave, very cool!

N1LAF
01-12-2012, 03:05 PM
Port mirroring doesn't create any sort of channel. It just mirrors what is sent to one switch port to another port. Same with Wireshark. It just listens, and outputs frames.

And, you can't really "tap" a network cable, and if you could, it's more problems than it's worth (Cutting the line, splicing tap).

What are you trying to accomplish? And to truly answer, we'll need a network diagram of the hardware.

I am advising a friend, and not at liberty to discuss his situation, but I can give a hypothetical situation... we have Network Switch A0, which is connected to 10 computers, A1 through A10. We have Network Switch B0 which has 10 computers connected to it, B1 through B10. They are running status monitoring programs for a particular software, running in parallel and periodic. Network Switch A0 is connected to Network Switch B0. Tests are to be made as non-invasive, and to measure packet timing and bandwidth. Criteria is that the testing has no load or impact on existing network traffic.

a. Port Mirroring, as I read more about it today, is probably what I am looking for, with restrictions - Port mirroring has to be performed on the same switch as the connection being monitored.

b. Wireshark on a non-mirrored port, will not work, since it will open communications channels and will affect the network.

c. A simple search on "Network Tap" will list a bunch of products that will do just that. There is an insertion delay with a Network Tap.
Example: http://www.networkcritical.com/Products/Smart-Network-Access-Modular-System/Breakout-Aggregation-Regeneration-TAPs

n2ize
01-12-2012, 03:43 PM
yep, ask the CIA/NSA... :mrgreen:

KC2UGV
01-13-2012, 08:28 AM
I am advising a friend, and not at liberty to discuss his situation, but I can give a hypothetical situation... we have Network Switch A0, which is connected to 10 computers, A1 through A10. We have Network Switch B0 which has 10 computers connected to it, B1 through B10. They are running status monitoring programs for a particular software, running in parallel and periodic. Network Switch A0 is connected to Network Switch B0. Tests are to be made as non-invasive, and to measure packet timing and bandwidth. Criteria is that the testing has no load or impact on existing network traffic.

a. Port Mirroring, as I read more about it today, is probably what I am looking for, with restrictions - Port mirroring has to be performed on the same switch as the connection being monitored.

b. Wireshark on a non-mirrored port, will not work, since it will open communications channels and will affect the network.

c. A simple search on "Network Tap" will list a bunch of products that will do just that. There is an insertion delay with a Network Tap.
Example: http://www.networkcritical.com/Products/Smart-Network-Access-Modular-System/Breakout-Aggregation-Regeneration-TAPs

So, you're testing the trunk between switch A and B? If this is the case, span a port on both switches, mirroring the trunk ports. Then, use a dual-NIC machine with Wireshark running both in promiscuous mode.

Wireshark on a non-mirrored switch port will show you nothing but the traffic destined for the machine Wireshark is running on, because of how switching works. Hubs, you used to be able to do that, but nobody sells hubs anymore, unless those "taps" people are selling are 100Mbit hubs :)
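
An added example, not part of any post in this thread: once a mirror port or tap has delivered frames to a capture machine, the bandwidth and packet-timing figures the original question asks about can be computed offline from the saved capture, with no further traffic on the monitored network. The sketch assumes the capture was saved in classic pcap format with microsecond timestamps (not pcapng), and that timestamps are those of the capture host; `read_pcap`, `summarize` and `build_sample` are hypothetical names, and the sample capture is constructed.

```python
import io
import struct

def read_pcap(stream):
    """Yield (timestamp_us, wire_length) for each record in a classic pcap stream."""
    magic = stream.read(24)[:4]  # 24-byte global header, magic number first
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a microsecond-resolution classic pcap file")
    while True:
        rec = stream.read(16)
        if len(rec) < 16:
            return  # clean end of file, or a truncated final record
        sec, usec, incl_len, orig_len = struct.unpack(endian + "IIII", rec)
        stream.seek(incl_len, io.SEEK_CUR)  # skip the stored frame bytes
        # orig_len is the on-wire size even when the capture used a short snaplen
        yield sec * 1_000_000 + usec, orig_len

def summarize(stream):
    """Return average bit rate and inter-frame gap statistics for a capture."""
    records = list(read_pcap(stream))
    if len(records) < 2:
        raise ValueError("need at least two frames to measure timing")
    times = [t for t, _ in records]
    gaps = [b - a for a, b in zip(times, times[1:])]
    duration_us = times[-1] - times[0]
    if duration_us <= 0:
        raise ValueError("capture spans no measurable time")
    total_bits = 8 * sum(n for _, n in records)
    return {
        "frames": len(records),
        "avg_bps": total_bits * 1_000_000 / duration_us,
        "gap_min_us": min(gaps),
        "gap_mean_us": sum(gaps) / len(gaps),
        "gap_max_us": max(gaps),
    }

def build_sample():
    """Constructed capture: five 1000-byte frames stored with a 64-byte snaplen."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 64, 1)
    for off in (0, 250_000, 500_000, 800_000, 1_000_000):
        out += struct.pack("<IIII", 1326400000 + off // 1_000_000,
                           off % 1_000_000, 64, 1000) + bytes(64)
    return io.BytesIO(out)
```

For a real capture, pass a file opened in binary mode to `summarize`; gap statistics from a mirror port include whatever buffering delay the switch adds when copying frames.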