This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Network Tap usage with wireshark

0

Tapping a 100 Mbps Ethernet link with a netoptics tap. The tap has two outputs, transmit and receive, and I have two network adapters, but how can I combine them into a single real-time capture?

asked 23 Nov '11, 18:26

cisoccoip
accept rate: 0%


3 Answers:

0

Try the development version of Wireshark, which allows multiple capture interface selection.

answered 23 Nov '11, 23:24

Jaap ♦
accept rate: 14%

0

Or, alternatively, you can use a Port Aggregation Tap, which aggregates both data streams of a full duplex connection into a single output stream.

answered 24 Nov '11, 00:24

mitu
accept rate: 0%

...and here's some more information:

Link to Aggregation Tap information

... also with application diagrams for each product

(24 Nov '11, 00:30) mitu

True, but keep in mind that link aggregation taps cannot deliver full line rate capture due to limited bandwidth after aggregation. Strange things have already happened with those, so I'd always try to get data from the built-in normal 2-cable tap first, and only if that doesn't work think about using link aggregation.

Just my 2 cents

(24 Nov '11, 00:35) Landi

0

I don't know how the 1.7-dev version handles timing problems when capturing from multiple interfaces, so here is a general, slightly off-topic thought about this:

When capturing off a tap device, you have to be careful about the timings if you capture with a regular 2-port NIC or even worse two capture machines. Normally you would use a specific NIC for capturing data over more than one port in parallel. Those NICs make sure that incoming data from several ports is correctly aggregated and timestamped(!) before delivering it to your analyzer.

So whatever setup you choose to aggregate/merge/whatever your two incoming connections from the tap, please keep this in mind, double-check your final trace for those timing issues, and remember that a "normal" 2-port NIC in most cases also has these issues.

So maybe you try capturing into separate files and chronologically merge those later via mergecap as a start. If you have timing differences between the two traces, you can try to correct for those via editcap.

answered 24 Nov '11, 00:33

Landi
accept rate: 28%

Sure, that’s one of the most problematic parts when capturing with a normal tap (RX and TX separated without using dedicated analyzer cards)… As you all know, you always have to choose between an aggregation device (where you should bear in mind that more than 50% utilization will result in packet loss on the monitoring side) or a normal network tap (problems which were just mentioned above).

Up to you, or, to be more precise, up to the requirement itself…

(24 Nov '11, 07:38) mitu
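The timing problem Landi describes, and the mergecap/editcap fix, as an added stand-alone illustration (not code from the thread or from the Wireshark project): two constructed single-direction captures of one TCP handshake are written as classic pcap, the RX NIC's clock is 1500 us behind the TX NIC's, and a naive chronological merge puts the SYN-ACK before the SYN until the offset is applied to one side, which is what `editcap -t` followed by `mergecap` does. Frame bytes and timestamps are constructed placeholders.

```python
import struct
from typing import List, Tuple

PCAP_MAGIC = 0xA1B2C3D4      # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
Packet = Tuple[int, bytes]   # (timestamp in microseconds, frame bytes)

def write_pcap(packets: List[Packet]) -> bytes:
    """Serialise (timestamp, frame) pairs into a little-endian classic pcap file."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts_us, frame in packets:
        out += struct.pack("<IIII", ts_us // 1_000_000, ts_us % 1_000_000, len(frame), len(frame))
        out += frame
    return out

def read_pcap(data: bytes) -> List[Packet]:
    """Parse the pcap produced above back into (timestamp, frame) pairs."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("only little-endian microsecond pcap is handled here")
    packets, off = [], 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack_from("<IIII", data, off)
        off += 16
        packets.append((sec * 1_000_000 + usec, data[off:off + incl]))
        off += incl
    return packets

def merge_by_time(a: List[Packet], b: List[Packet], shift_b_us: int = 0) -> List[Packet]:
    """Do what 'editcap -t <shift>' on file b followed by 'mergecap' does:
    correct b's clock by a known offset, then interleave both captures chronologically."""
    shifted = [(ts + shift_b_us, frame) for ts, frame in b]
    return sorted(a + shifted, key=lambda p: p[0])

# Constructed sample: TX side (client -> server) and RX side (server -> client) of one TCP
# handshake, each captured on its own NIC. The RX NIC's clock runs 1500 us behind the TX
# NIC's, so the SYN-ACK is stamped *before* the SYN that caused it. Frames are labelled
# placeholder bytes, not real Ethernet frames.
TX_PACKETS = [(1_000_000, b"SYN"), (1_000_300, b"ACK")]
RX_PACKETS = [(1_000_100 - 1500, b"SYN-ACK")]

def merged_order(rx_shift_us: int) -> List[bytes]:
    """Round-trip both sides through pcap, merge, and return the frame order."""
    tx = read_pcap(write_pcap(TX_PACKETS))
    rx = read_pcap(write_pcap(RX_PACKETS))
    return [frame for _, frame in merge_by_time(tx, rx, rx_shift_us)]

if __name__ == "__main__":
    print("naive merge:    ", merged_order(0))     # SYN-ACK before SYN: the timing problem
    print("corrected merge:", merged_order(1500))  # handshake in causal order
```

The offset itself has to come from the analyst (a request/response pair known to belong together); the merge cannot discover it, which is why Landi recommends checking the merged trace before trusting it.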