Is wireshark a tool for out-of-band or in-band network monitoring? How can you tell ? I'm very new to wireshark and need help? asked 11 Jun '13, 12:27  thomas c |
3 Answers:
Wireshark is a network analysis tool not necessarily a network monitoring tool. It is primarily used to analyze network capture files (troubleshooting network problems of all kinds) no matter how and where those capture files were generated. However, Wireshark is also able to capture network traffic itself. There are several ways to do that. Please read the following wiki article.
So, to stick with your terms, there are 'in-band' methods (TAP, bridge) and 'out-of-band' methods (port mirroring) to capture the traffic. Regards answered 11 Jun '13, 12:30  Kurt Knochner ♦ edited 11 Jun '13, 12:34 showing 5 of 8 show 3 more comments |
Wireshark needs to be able to see the packets, but that can be in-band (for example, running Wireshark on a production server to analyse traffic to and from that server) or out-of-band (for example, running wireshark on a laptop that is receiving a duplicated copy of packets in the network to analyze them). Wireshark is agnostic to its physical placement in the network, so you can't really classify it as an in-band or out-of-band tool. While it isn't primarily used for network monitoring, but rather ad-hoc troubleshooting for the most part, it definitely has some tools that can assist a network monitoring solution. I've used it in the past to perform scheduled packet captures, search for patterns using Wireshark's display filters, and generate statistics/reports from that data for near-real-time network monitoring. It's typically not thought of as an 'always on' monitoring tool, but its command line utilities in particular can be very powerful tools to be called by scripts or other programs for all sorts of purposes. answered 11 Jun '13, 20:32  Quadratic edited 11 Jun '13, 20:35 |
The terms "in-band" and "out-of-band" are usually used when there are two traffic flows, examples are:
In these situations "in-band" means both traffic streams follow the same path and "out-of-band" means they follow different paths. In network monitoring there can be monitoring of live production traffic or monitoring based on synthetic traffic. When you want to measure the performance of your web application, you can use a monitoring system (like Nagios for instance) that requests pages from your webserver and let it measure the response time or you can place an appliance inline of the production traffic and monitor the response time in the network traffic (like the former Coradiant, now BMC, can do). The nagios solution can be considered "Out-of-band" monitoring and the caradiant solution can be considered "in-band" monitoring. Even though wireshark is not a network monitoring solution (in the sense that is not capable of doing 24x7 monitoring over an extended period of time), when used to monitor traffic flows, it can be considered "in-band" as it monitors the production traffic flows and does not use synthetic traffic to do it's monitoring. Whether one uses an in-line TAP, a mirror-port or capture on a system that is involved in the traffic stream does not change the "in-band" or "out-of-band" nature of monitoring traffic with Wireshark IMHO. answered 12 Jun '13, 15:31  SYN-bit ♦♦ |
Thanks Kurt that was very helpful im pretty new at this .
Just a note Kurt, taps themselves are deployed in-line with traffic but they send traffic to analyzers out-of-band. For an in-band monitoring tool, Wireshark running in the network where it is capturing the actual bytes between two systems would be in-band, but monitoring from repeated traffic coming from a tap would definitely not be considered in-band monitoring.
as there is no clear definition of in-band and out-of-band for network monitoring/capturing, the mentioned methods are obviously a mere approximation of those terms.
Well, analyzers are always 'out-of-band' as they are not involved in forwarding the packets. So if you look at it that way, there is no 'in-band' monitoring as the packets need to be 'copied' anyway to get to the analyzer ;-)
If a supplied answer resolves your question can you please "accept" it by clicking the checkmark icon next to it. This highlights good answers for the benefit of subsequent users with the same or similar questions.
I'm sorry Kurt, but that is not the correct understanding of those terms. The term "in-band" refers to something which is in the line of path of the traffic flow in question - it does not have to have anything to do with the packet forwarding logic itself.
Analyzers definitely can be deployed in-band with the actual traffic being monitored. One reason you might want to do that is if the analysis tool is a security appliance with IPS functionality and you want it to be able to take action based on its analysis of the packet flows. Wireshark installed locally on a server that is processing request from a client in a flow you are trying to monitor is another example of in-band network monitoring because the monitoring application is directly at the network card of the server and is in the active line of path for the data flow being monitored.
Repeated/mirrored traffic sent to an analyzer is out-of-band. The significance is that the receiver of the data can't interact in the packet flow at all (not desirable if this is an IPS), and on the other side it can't have any negative impact on the packet flow either (eg: killing the memory on the server by running an unfiltered Wireshark trace of an aggressive file transfer).
Ah well. Then please post the link of the official definition of 'in-band' network monitoring in conjunction with a network sniffer ;-)
I agree with your definition of in-band and out-of-band if we are talking about an IPS.
But the question was about Wireshark and I really don't see a substantial difference between a TAP and a bridge for a network monitoring/capturing solution. Both are kind of in-band (for me), because the regular packet flow is through these devices and they are only there (placed in-band) to capture the network traffic. And even in a bridge (also on a client/server), you'll have to copy the packets at some place to hand them over to the analyzer, which makes this an out-of-band operation as well (according to your definition).
As you said:
That's different for a switch. The switch is there anyway, not matter if you want to capture traffic or not. Additionally you can mirror (copy) packets to another port. So, for me it is more like out-of-band.
After reading my explanation above, why do you think using a TAP is out-of-band monitoring?
You say:
I answered:
So, no matter how you capture the packets, at some point you always need to hand over the packets to the analyzer and that's an out-of-band operation. That's what I was referring to.
Anyway: As I said, there is no official/clear definition of those terms for a for network monitoring/capturing solution and therefore those examples are a mere approximation to those terms. I'm pretty sure neither your interpretation nor mine is 100% correct ;-)
To answer your question on why I see a tap as out of band monitoring, it is because Wireshark in that case is capturing repeated traffic, not in-line with the actual communication between the systems that is being analyzed. I think it's wrong to say that analyzers are always out of band though, because traffic does not always need to be copied to reach it - analyzers actually can be deployed in a middle-man fashion and influence the traffic flow directly between the two endpoints (as would be the case for an IPS which is, effectively, an analyzer of the traffic flow).
I guess it kind of is a silly thing to argue about though. No RFC, and I get the feeling if I took the time to dig up a Telcordia definition it would just give the reference to electromagnetic bands. Strongest argument I could make would be Cisco's fairly formal use of the term to refer to OOB management, which is defined as a dedicated management access method that is not inline with actual network traffic.
I agree. As I said in my answer. No clear definition -> just an approximation of those terms ;-))