Revision history

initial version

A switch can be configured to mirror ingress, egress, or both directions. Copying traffic for both directions to a single port can be a problem when the traffic exceeds the port speed the traffic is being copied to. An example is mirroring port 1 (1G) to port 5 (1G). The maximum bandwidth needed is 2G because there is 1G ingress and 1G egress of traffic. This exceeds the port 5, 1G port speed and the switch will drop some of the packets.

Capturing with two network cards will work if the network cards can capture at port speed. There is an article in NetworkDataPedia by Tony Fortunato with a detailed explanation.

Capturing with one or two network cards, the traffic is displayed the same. When you merge files, there isn't any way to tell what hardware was used to capture the packet because the PCAP packet header doesn't have a field to identify the capturing hardware. Most of the time this isn't an issue.

Sniffers have proprietary file formats that can identify the port used to capture the packets.

A switch can be configured to mirror ingress, egress, or both directions. Copying traffic for both directions to a single port can be a problem when the mirrored traffic is greater than the monitoring port interface speed. The monitoring port is the port where the engineer wants to send a copy of traffic to. Basically, the monitoring port interface has to be large enough to support the traffic from the mirrored-port(s).

An example is mirroring port 1 (1G) to port 5 (1G). The maximum bandwidth needed is 2G because there is 1G ingress and 1G egress of traffic. This exceeds the port 5, 1G port speed, and the switch will drop some of the packets.

Another issue is microbursts.

Capturing with two network cards will work if the network cards can capture at port speed. There is an article in NetworkDataPedia by Tony Fortunato with a detailed explanation.

Capturing with one or two network cards, the traffic is displayed the same. When you merge files, there isn't any way to tell what hardware was used to capture the packet because the PCAP packet header doesn't have a field to identify the capturing hardware. Most of the time this isn't an issue.

Sniffers have proprietary file formats that can identify the port used to capture the packets.
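
The point about the PCAP packet header, shown as an added example that is not part of the original answer: it builds two classic pcap captures in memory, merges them by timestamp, and parses the per-packet headers of the result. The sample packets and the names `NIC_A`, `NIC_B` and `MERGED` are constructed for illustration, and only the classic little-endian, microsecond pcap format is handled.

```python
import struct

# Classic pcap layouts (little-endian): 24-byte file header, 16-byte per-packet header.
FILE_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")      # ts_sec, ts_usec, incl_len, orig_len
REC_FIELDS = ("ts_sec", "ts_usec", "incl_len", "orig_len")


def build_pcap(packets):
    """Build a classic pcap byte string from (ts_sec, ts_usec, payload) tuples."""
    out = FILE_HDR.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for sec, usec, data in packets:
        out += REC_HDR.pack(sec, usec, len(data), len(data)) + data
    return out


def parse_pcap(blob):
    """Return a list of (record-header dict, payload) from a classic pcap byte string."""
    magic = FILE_HDR.unpack_from(blob, 0)[0]
    if magic != 0xA1B2C3D4:
        raise ValueError("not a little-endian microsecond pcap file")
    records, offset = [], FILE_HDR.size
    while offset < len(blob):
        hdr = dict(zip(REC_FIELDS, REC_HDR.unpack_from(blob, offset)))
        offset += REC_HDR.size
        records.append((hdr, blob[offset:offset + hdr["incl_len"]]))
        offset += hdr["incl_len"]
    return records


def merge(*blobs):
    """Merge captures by timestamp, interleaving packets from every input file."""
    records = [rec for blob in blobs for rec in parse_pcap(blob)]
    records.sort(key=lambda rec: (rec[0]["ts_sec"], rec[0]["ts_usec"]))
    return build_pcap([(h["ts_sec"], h["ts_usec"], data) for h, data in records])


# Constructed sample data: one capture per network card.
NIC_A = build_pcap([(100, 10, b"\xaa" * 60), (100, 30, b"\xaa" * 60)])
NIC_B = build_pcap([(100, 20, b"\xbb" * 60)])
MERGED = parse_pcap(merge(NIC_A, NIC_B))

if __name__ == "__main__":
    for hdr, data in MERGED:
        # Only timestamp and length fields exist; nothing names the capturing card.
        print(hdr)
```
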