Network Sniffing and Hubs

networking network-monitoring ntop

This will likely seem naive to the experts... but it has been on my mind lately.

For years I've been using ntop and a cheap 4 port hub to sniff client networks to determine who's doing what -- and how much. Great way to see what's going on when they call and say "Geeze, the network seems really slow today." No need to bring in a managed switch (or access the existing one) and no need to configure spanning or mirroring. I just drop in the hub inline where I want to measure.

Lately I noticed it is just about impossible to buy a real honest-to-goodness hub anymore. While looking for a new one, I had someone tell me that I should be sure to get a full-duplex hub or I'd only be seeing half the traffic when I monitor.

Really?

I've been using a crusty old Netgear DS104 all this time. No clue if it is half or FD. Have I really been understating my measurements? I'm just not bright enough about the physical layer to really know...

Side note: Just ordered a Dualcomm Ethernet Switch TAP as a hub replacement. Seems like a nifty gadget. Any notes or tips about it would be welcome in the comments :-)


The thing is, while a hub does normally allow for only half-duplex communications (I've heard of full-duplex hubs but I've never seen one), that doesn't mean that you're only going to see half of the traffic, what it means is that the devices communicating with each other through the hub will communicate at half-duplex. You'll still see all of the traffic passing through the hub. When clientA communicates to clientB you'll see that and when clientB responds to clientA you'll see that as well. A hub forwards traffic to all ports, so you'll see all the traffic regardless of duplex.

In the process of your monitoring you're probably introducing a temporary performance problem because of the fact that any devices connected to the hub are probably going to try communicating at full-duplex (especially if they're hard coded to full-duplex) and therefore collisions will occur, necessitating the re-transmitting of quite a bit of traffic in addition to the "slow down" as a result of the half-duplex nature of the hub.

The thing that's good about using a hub is that it acts as a passive network tap. You can insert it inline between the customer switch and firewall/router and monitor their internet usage, see who's going where, see what kind of usage is occurring (HTTP, FTP, etc.), see how much of their internet connection is being utilized, and see how much broadcast traffic exists in the network.

What you probably aren't seeing are problems that exixt with specific hosts on the network as you can't insert the hub between every host on the network (you can only connect the hub to one switch port, not all of them). For that you need a switch with port mirroring capability so that you can mirror traffic from specific switch ports or groups of ports to your monitor port.

I use both a hub and a port mirroring capable switch, depending on the problem I'm troubleshooting. I usually start with a hub connected between the customer switch and firewall/router. This gives me a handle on how much internet traffic there is, what kind of traffic it is, and gives me a feel for how much broadcasting is occurring on the network. I'd say that in the majority of cases the problem turns out to be insufficient internet bandwidth or a large volume of broadcasting causing congestion, re-transmits, slow ACK's, duplicate ACK's, etc.


Depending on what you're comfortable with, a portable solution is to build your own network bridge. Any laptop with two interfaces can be made to do it. Plug the wire from the wall into one interface, and a second wire into the device that's reporting the problem and run your sniffs on the bridge.

Dual ports can be found many ways. USB NICs, or use that never-used ExpressCard slot on some laptops to add a second GigE NIC (example device at NewEgg).

On Linux it's a few root-mode commands to set it up.

brctl addbr snifbr
brctl addif snifbr eth0 eth1

The same can be done on Windows through Internet Connection Sharing and other means, but I don't know what they are off the top of my head.

And now, a side-note:

The ease of doing this is one reason some networks deploy port-level security. Register a specific MAC address for a specific Ethernet jack, and it's a lot harder to do this sort of inline packet capture. Not impossible, just harder.

The advantage of using this method is that it doesn't require an additional power-brick for the switch/hub, it's all self-contained in the laptop. You can even add an address to the bridge if you need to.

ifconfig snifbr 10.31.25.101 netmask 255.255.255.0

And SSH into it for remote captures.


If it's a hub it must be half duplex. It is hard to find a hub and virtually impossible to find a 100mb "hub".

These days 10mb just doesn't cut it so hubs are really not a great solution.

Managed switches that can do port mirroring aren't really all that expensive these days. Or you can build yourself a network tap if you like to roll ghetto style.

This is a list of switches and instructions on how to enable port mirroring.

And if you're using a network tap, typically you need 2 interfaces to monitor a given link -- you need to monitor the in and the out and hopefully your software can do the aggregation for you.

Related

What's the best centralized syslog viewing tool for *nix out there
Apache access.log interpretation
Configure HP Lights-Out LO100i from the host operating system?
authorized_keys Environment Variables Not Setting Environment Variables
Will 100 Mbps client slow down 1000 Mbps network?
help using setspn and ktpass
Setting MX records with Registrar vs. Nameserver Host
Gigabit network with a 100 megabit firewall
Can a tmpfs become fragmented?
Best practices for placing SSL certificates for use in Apache 2?
Memory Usage by Bytes Top 10
Static file with HTTP headers?