From: "Haulmark, Chris"
To: "Murray Taylor"
Cc: freebsd-hackers@freebsd.org
Cc: simon.roberts@earthlink.net
Subject: RE: Network monitoring
Date: Wed, 24 Nov 2004 18:38:58 -0500

Someone broke the silence:
> On Thu, 2004-11-25 at 08:27, Haulmark, Chris wrote:
>> Someone broke the silence:
>>
>>> I apologize that this probably isn't the most relevant
>>> list to ask this on. Suggestions for better lists will be welcome.
>>>
>>> I'm trying to monitor traffic on a 100BaseT ethernet
>>> network link. I split the line, put a "hub" in and am
>>> trying to run tcpdump on a box off the side of the
>>> hub.
>>>
>>> Unfortunately, it turns out the hub isn't a hub, it's
>>> a "switching hub" (what's not a switch about this? I
>>> don't get it). Consequently, all I see are arp
>>> packets, bootp packets, and the odd broadcast. I went
>>> to a local store to buy a hub, and guess what, they
>>> sold me another switching hub, so that has to be
>>> returned :(
>>>
>>> So, the question is, can anyone tell me the
>>> manufacturer and product name of a real (dumb) hub? I
>>> could use 10baseT instead if necessary, I just need
>>> something cheap that is a simple repeater. Of course,
>>> nobody advertises "our hub really is a totally dumb
>>> hub, not like those fancy switching hubs the
>>> competition sells" ;>
>>>
>>> Any suggestions?
>>>
>>
>> I ran into a similar problem. I just looked elsewhere
>> for a cheap hub. Ebay was the favorite place for me. For
>> you, just swing by a Pop/Mom/Family kind of computer store.
>> They might sell a few old hubs that don't have switching
>> capabilities at a low price.
>>
>> Chris Haulmark
>>
>>> Thanks
>>> Simon
>>>
>>>
> Would this work for you
>
> 1 - install a second NIC in the BSD box
> 2 - configure it as a bridge with no IP numbers on the NICs
>     (Ahm jist sittin' 'ere, passin' stuff thru!)
> 3 - tcpdump -i fxp0 or tcpdump -i fxp1
>     as appropriate
>
> A NIC is easier to get than a dumb hub these days ...

This is a reasonable answer for a home-based network or a less critical
network. An Ethernet tap would be what I would recommend for an enterprise
environment. A dumb hub can be pretty decent if you're a small business
employee with a T1 connection. If you were to do bridging, should and
would you risk having to come in in the middle of the night because of a
hardware failure on the bridge machine?

For the time being, I am currently using an IDS machine hooked up to the
hub while the T1 router is hooked up to the hub along with the main
switch hooked up to the hub.

For our colocation facility, I've ordered an Ethernet tap and might
cancel it because I just realized that the current switch is a Cisco and
there's a high possibility that it will support SPAN (port mirroring?).

Chris Haulmark
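
Added example, not part of the original message: a check for the symptom described in the thread (a monitor port that sees only ARP, bootp and broadcasts), run over a saved capture to tell whether the sensor sits on a switched port. The function names, MAC addresses and the two sample captures are constructed for illustration.

```python
import struct

BROADCAST = b"\xff" * 6

def read_pcap_frames(data):
    """Yield raw Ethernet frames from a classic little-endian pcap byte string."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:  # 1 = LINKTYPE_ETHERNET
        raise ValueError("expected little-endian Ethernet pcap")
    off = 24  # skip the global header
    while off + 16 <= len(data):
        _, _, caplen, _ = struct.unpack_from("<IIII", data, off)
        yield data[off + 16:off + 16 + caplen]
        off += 16 + caplen

def classify(frames, own_mac):
    """Count frames by destination: broadcast, multicast, ours, or another host's."""
    counts = {"broadcast": 0, "multicast": 0, "own": 0, "foreign_unicast": 0}
    for f in frames:
        if len(f) < 14:
            continue  # truncated, no full Ethernet header
        dst = f[:6]
        if dst == BROADCAST:
            counts["broadcast"] += 1
        elif dst[0] & 1:  # group bit set in the first octet
            counts["multicast"] += 1
        elif dst == own_mac:
            counts["own"] += 1
        else:
            counts["foreign_unicast"] += 1
    return counts

def looks_switched(counts):
    """True when frames were captured but none were unicast between other hosts."""
    # A switch can still flood unknown-destination unicast, so a nonzero
    # foreign_unicast count alone does not prove a hub, tap or SPAN port.
    return sum(counts.values()) > 0 and counts["foreign_unicast"] == 0

def _frame(dst, src, ethertype):  # constructed minimum-size frame
    return dst + src + struct.pack("!H", ethertype) + b"\x00" * 46

def _pcap(frames):  # constructed in-memory capture file
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

ME, A, B = (bytes.fromhex("02000000000%d" % i) for i in (1, 2, 3))
SWITCH_PORT = _pcap([_frame(BROADCAST, A, 0x0806), _frame(BROADCAST, B, 0x0800), _frame(ME, A, 0x0800)])
HUB_PORT = _pcap([_frame(BROADCAST, A, 0x0806), _frame(B, A, 0x0800), _frame(A, B, 0x0800)])
```

Running the same check after moving the sensor to a hub, tap or SPAN port confirms that traffic between other hosts is now visible.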