Sniffer placement in the data center

Good article on sniffer placement at http://sevenlayers.wordpress.com/

Nov 20, 2012 at 1:45 | Registered Commenter generalnetworkerror

Running a large number of websites, our enterprise uses the Coradiant TrueSight appliance (now BMC End-user experience management) that sniffs specifically HTTP (and SSL if you drop the certs on it). From 4 different SPAN ports — two on each agg switch — both client-side and server-side VLANs can be monitored on each load-balancer pair.

For general packet captures, I run Wireshark on a physical box that sits outside of our VMware clusters and is tied to an access switch. Using RSPAN (remote SPAN), I can get mirrored packets from just about anywhere in the data center over to Wireshark. Most pcap troubleshooting (like earlier today!) is usually non-HTTP traffic because of the TrueSight appliance, so I watch conversations like web servers to SQL servers on the side where traffic is unencrypted.

By the way, I’m sure I saw Wireshark documentation that talked about giving it the SSL private key to decrypt traffic, though I haven’t personally tried it and suspect it won’t be simple. For now, I'd just be happier with a more stable Wireshark that doesn't crash under the weight of a mere 10,000 packets. It's supposed to handle 50K packets easily.

Dec 14, 2012 at 2:07 | Registered Commenter generalnetworkerror