Agreed.  There are some non real-world scenarios that SPAN would/could
kill a switch, but not in the real world.

 

________________________________

From: [email protected] [mailto:[email protected]] On Behalf Of
Mel Beckman
Sent: Friday, January 30, 2009 12:56 PM
To: [email protected]
Cc: [email protected]
Subject: Re: [Ntop] Non IP Traffic

 

We're talking about the same thing, but SPAN is port mirroring within a
single switch fabric (e.g. a single Catalyst 6500 switch). As long as
the switch has a "wire speed" fabric, SPAN can't overwhelm it. If you
start filtering, or replicating between fabrics, then that's not basic
SPAN and all bets are off.

-mel via cell


On Jan 30, 2009, at 10:40 AM, "Gary Gatten" <[email protected]> wrote:

        Not sure if we're on the same page here or just semantics?  SPAN
is an acceptable method to gain visibility into network flows.  In
REALLY high packet rate environments you may need a tap, but for most
situations SPAN is fine.   I'm only familiar with Ci$co options, and
those are very flexible -  including: tx, rx, both, VLANs, and
access-lists to further filter the traffic that is replicated to your
destination/monitor port.  In most cases using SPAN won't cause any
issues on the switch - even at high rates.  If you're using RSPAN or
ERSPAN, obviously if you're mirroring a 1Gb interface to a server and
your destination port is on another switch over a 1Gb IF - you could
cause some issues for yourself if the server interface you're monitoring
has a high load.

         

        SPAN is your friend!

         

         

        
________________________________


        From: [email protected] [mailto:[email protected]] On
Behalf Of Mel Beckman
        Sent: Friday, January 30, 2009 12:29 PM
        To: [email protected]
        Cc: [email protected]
        Subject: Re: [Ntop] Non IP Traffic

         

        Even a bidi port won't be receiving much, if anything, from
ntop.
        
        -mel via cell

        
        On Jan 30, 2009, at 9:49 AM, "Gary Gatten" <[email protected]> wrote:

                Most spans are bidirectional capable now.

                
________________________________


                From: [email protected]
                To: [email protected]
                Cc: [email protected]
                Sent: Fri Jan 30 11:44:21 2009
                Subject: Re: [Ntop] Non IP Traffic 
                
                
                

                Since a span port is transmit only, there is no way it
can "clog the switch." The pc might get bogged down, but the switch
won't know or care.
                
                -mel via cell

                
                On Jan 30, 2009, at 5:57 AM, "Walt Henley" <[email protected]> wrote:

                        That's all he will see unless he gets the
NetFlow plugin operating on a switch or router in his network.  Or, he
could have his PC connected to a SPAN port (not recommended, could clog
the switch).  3kb/s of traffic is not going to kill his WS.  Pretty
typical.  I have a site I'm working on currently with 30kB/s of
broadcast noise.  Not much in 100 mb/s links.

                        On Thu, Jan 29, 2009 at 10:49 PM, Burton Strauss III <[email protected]> wrote:

                        Well, what you are seeing is a varied collection of broadcast traffic...
                        
                        ARP - address resolution protocol - is how you find an address on the LOCAL
                        segment.
                        
                        NBNS - NetBIOS, a local (non-routable) protocol
                        
                        MS NLB - Microsoft Network Load Balancing protocol
                        
                        Etc.

                        
                        -----Burton
                        
                        -----Original Message-----
                        From: [email protected] [mailto:[email protected]] On Behalf Of
                        Martin Larsson
                        Sent: Thursday, January 29, 2009 6:47 AM
                        To: [email protected]
                        Subject: Re: [Ntop] Non IP Traffic
                        
                        Everything is just running on my local machine, yes.
                        All I'm trying to do is to understand why my network-adapter is receiving
                        all that data. It looks like there's a fairly constant stream of about
                        3Kbits...
                        
                        But thanks for the info, I'll do some more simple checks and notify my
                        admins.
                        
                        M.
                        
                        On Thu, Jan 29, 2009 at 3:27 PM, Walt Henley <[email protected]> wrote:
                        > This trace may not be telling you the whole story.  Did you put the
                        > Wireshark machine on a SPAN port or just run it locally connected at your
                        > PC?  If you ran it locally connected, then all you are seeing is your
                        > traffic and any broadcasts that come along.  Also, how are you collecting
                        > NTOP data?   Using NetFlow or Sflow or just with a local connection.  Could
                        > be that it is seeing the heartbeats and deciding they are not identifiable
                        > IP traffic.  Try running netflow on your ethernet switches (assuming they
                        > are Cisco)
                        >
                        > On Thu, Jan 29, 2009 at 8:59 AM, Martin Larsson <[email protected]>
                        > wrote:
                        >>
                        >> Thanks. WireShark was interesting, and overwhelming.
                        >> It seems there's a lot of "MS NLB Heartbeat" each containing 1510 bytes.
                        >> Could that be it?
                        >> I've attached a sample screenshot.
                        >>
                        >> On Thu, Jan 29, 2009 at 2:16 PM, Burton Strauss III
                        >> <[email protected]> wrote:
                        >> > It means ntop is seeing a lot of traffic that isn't recognizable as
                        >> > tcp/ip.
                        >> >
                        >> > Depending on your connection and what you are monitoring (network
                        >> > topology) this could be normal (i.e. traffic wrapped in something) or
                        >> > it could be odd.
                        >> >
                        >> > I usually recommend installing WireShark and letting it analyze a few
                        >> > dozen packets (they both use libpcap so they look at traffic the same
                        >> > way).  If WireShark calls it differently than ntop, you probably have
                        >> > exposed some bug. If they both call it non-ip, then explain your
                        >> > topology and we can guide you.  If you aren't sure, grab & post a
                        >> > screen shot of a page of random traffic from WireShark, post it and
                        >> > we can read what you have from there...
                        >> >
                        >> > -----Burton
                        >> >
                        >> >
                        >> >
                        >> >
                        >> >
                        >> > -----Original Message-----
                        >> > From: [email protected] [mailto:[email protected]] On Behalf Of
                        >> > Martin Larsson
                        >> > Sent: Thursday, January 29, 2009 3:54 AM
                        >> > To: [email protected]
                        >> > Subject: [Ntop] Non IP Traffic
                        >> >
                        >> > I installed ntop because the system monitor told me my network was
                        >> > fairly active even though I wasn't actively sending or receiving
                        >> > anything.
                        >> > After about 1.5 hours of running, the traffic summary is showing me a
                        >> > lot of non-IP traffic.
                        >> >
                        >> > Total   26.4 MBytes [47,672 Pkts]
                        >> > IP Traffic      9.3 MBytes [26,718 Pkts]
                        >> > Fragmented IP Traffic   0 [0.0%]
                        >> > Non IP Traffic  17.1 MBytes
                        >> >
                        >> > What does that mean?
                        >> >
                        >> > M.
                        >> >
                        >> > _______________________________________________
                        >> > Ntop mailing list
                        >> > [email protected]
                        >> > http://listgateway.unipi.it/mailman/listinfo/ntop

                "This email is intended to be reviewed by only the
intended recipient and may contain information that is privileged and/or
confidential. If you are not the intended recipient, you are hereby
notified that any review, use, dissemination, disclosure or copying of
this email and its attachments, if any, is strictly prohibited. If you
have received this email in error, please immediately notify the sender
by return email and delete this email from your system." 


_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
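
The IP versus non-IP split discussed in this thread, as an added example (not code from any poster or from ntop): it classifies raw Ethernet frames by EtherType, stepping over VLAN tags, and tallies bytes per class the way the traffic summary does. The frames are constructed sample data, and the function and variable names are hypothetical.

```python
import struct
from collections import Counter

# EtherTypes relevant to the thread; 0x886F is the type used by MS NLB heartbeats.
ETHERTYPES = {0x0800: "IPv4", 0x86DD: "IPv6", 0x0806: "ARP",
              0x886F: "MS NLB heartbeat"}
IP_LABELS = {"IPv4", "IPv6"}
VLAN_TAGS = {0x8100, 0x88A8}  # 802.1Q and 802.1ad tag identifiers


def classify(frame: bytes) -> str:
    """Return a protocol label for one raw Ethernet frame."""
    offset = 12  # skip destination and source MAC
    while True:
        if len(frame) < offset + 2:
            return "truncated"
        (etype,) = struct.unpack_from("!H", frame, offset)
        if etype not in VLAN_TAGS:
            break
        offset += 4  # step over the VLAN tag to the real EtherType
    if etype < 0x0600:
        return "802.3/LLC"  # value is a length field, not an EtherType
    return ETHERTYPES.get(etype, f"other 0x{etype:04x}")


def summarize(frames):
    """Tally bytes as IP vs non-IP and per protocol label."""
    totals = {"ip": 0, "non_ip": 0}
    by_proto = Counter()
    for frame in frames:
        label = classify(frame)
        by_proto[label] += len(frame)
        totals["ip" if label in IP_LABELS else "non_ip"] += len(frame)
    return totals, by_proto


def make_frame(etype, payload_len, vlan=None):
    """Build a constructed broadcast frame (sample data, not a capture)."""
    header = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01"
    if vlan is not None:
        header += struct.pack("!HH", 0x8100, vlan)
    return header + struct.pack("!H", etype) + bytes(payload_len)


# Constructed sample: IPv4, ARP, a 1510-byte NLB heartbeat, tagged ARP, 802.3 frame.
SAMPLE = [make_frame(0x0800, 46), make_frame(0x0806, 46),
          make_frame(0x886F, 1496), make_frame(0x0806, 46, vlan=10),
          make_frame(0x0026, 38)]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```
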
