Packet Capture Techniques Paul Offord, Advance7

Similar documents
Enhancing Cisco Networks with Gigamon // White Paper

Microsoft SQL Server 2012 on Cisco UCS with iscsi-based Storage Access in VMware ESX Virtualization Environment: Performance Study

How to monitor network traffic inside an ESXi host

How To Set Up A Virtual Network On Vsphere (Vsphere) On A 2Nd Generation Vmkernel (Vklan) On An Ipv5 Vklan (Vmklan)

Ixia Phantom vtap. Overview. Virtual Taps Phantom Monitoring Solution DATA SHEET

Network Agent Quick Start

Enhancing Cisco Networks with Gigamon // White Paper

End-to-End Visibility

vsphere Networking vsphere 5.5 ESXi 5.5 vcenter Server 5.5 EN

vsphere Networking vsphere 6.0 ESXi 6.0 vcenter Server 6.0 EN

Juniper / Cisco Interoperability Tests. August 2014

Running a VSM and VEM on the Same Host

Network Troubleshooting & Configuration in vsphere VMware Inc. All rights reserved

Install Guide for JunosV Wireless LAN Controller

Aerohive Networks Inc. Free Bonjour Gateway FAQ

Quick Start for Network Agent. 5-Step Quick Start. What is Network Agent?

Packet Optimization & Visibility with Wireshark and PCAPs. Gordon Beith Director of Product Management VSS Monitoring

Configuring Local SPAN and ERSPAN

vsphere Networking ESXi 5.0 vcenter Server 5.0 EN

Quick Start for Network Agent. 5-Step Quick Start. What is Network Agent?

Deploying 10 Gigabit Ethernet on VMware vsphere 4.0 with Cisco Nexus 1000V and VMware vnetwork Standard and Distributed Switches - Version 1.

Network Virtualization

Performance Evaluation of Linux Bridge

Dell PowerEdge Blades Outperform Cisco UCS in East-West Network Performance

Broadcom Ethernet Network Controller Enhanced Virtualization Functionality

VMware ESX Server Q VLAN Solutions W H I T E P A P E R

Monitoring VMware ESX Virtual Switches

What s New in VMware vsphere 5.5 Networking

Wireshark vs. The Cloud :

Wireshark in a Multi-Core Environment Using Hardware Acceleration Presenter: Pete Sanders, Napatech Inc. Sharkfest 2009 Stanford University

VMware vsphere 5.0 Evaluation Guide

VXLAN: Scaling Data Center Capacity. White Paper

Course Contents CCNP (CISco certified network professional)

Expert Reference Series of White Papers. VMware vsphere Distributed Switches

Ethernet Fabric Requirements for FCoE in the Data Center

Set Up a VM-Series Firewall on an ESXi Server

VXLAN Bridging & Routing

Traffic Mirroring Commands on the Cisco ASR 9000 Series Router

Expert Reference Series of White Papers. Planning for the Redeployment of Technical Personnel in the Modern Data Center

Networking Topology For Your System

Fiber Channel Over Ethernet (FCoE)

Flow Monitor Configuration. Content CHAPTER 1 MIRROR CONFIGURATION CHAPTER 2 RSPAN CONFIGURATION CHAPTER 3 SFLOW CONFIGURATION...

Interconnecting Cisco Networking Devices: Accelerated (CCNAX) 2.0(80 Hs) 1-Interconnecting Cisco Networking Devices Part 1 (40 Hs)

VMware Virtual SAN 6.2 Network Design Guide

VMware Virtual SAN Network Design Guide TECHNICAL WHITE PAPER

How to Create VLANs Within a Virtual Switch in VMware ESXi

Nutanix Tech Note. VMware vsphere Networking on Nutanix

Cisco Discovery 3: Introducing Routing and Switching in the Enterprise hours teaching time

Configuring Virtual Switches for Use with PVS. February 7, 2014 (Revision 1)

Cisco Networking Professional-6Months Project Based Training

Cisco - Catalyst 2950 Series Switches Quality of Service (QoS) FAQ

Data Center Infrastructure of the future. Alexei Agueev, Systems Engineer

Smart Network Access System SmartNA 10 Gigabit Aggregating Filtering TAP

Installing and Using Wireshark for Capturing Network Traffic

The Future of Computing Cisco Unified Computing System. Markus Kunstmann Channels Systems Engineer

Virtualized Access Layer. Petr Grygárek

UCS Network Utilization Monitoring: Configuration and Best Practice

Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance

Juniper Networks EX Series/ Cisco Catalyst Interoperability Test Results. May 1, 2009

Configuring Static and Dynamic NAT Simultaneously

HP Virtual Connect Ethernet Cookbook: Single and Multi Enclosure Domain (Stacked) Scenarios

Where IT perceptions are reality. Test Report. OCe14000 Performance. Featuring Emulex OCe14102 Network Adapters Emulex XE100 Offload Engine

Enabling Visibility for Wireshark across Physical, Virtual and SDN. Patrick Leong, CTO Gigamon

Choosing Tap or SPAN for Data Center Monitoring

Virtualization: TCP/IP Performance Management in a Virtualized Environment Orlando Share Session 9308

CCNA R&S: Introduction to Networks. Chapter 5: Ethernet

Solutions Guide End-to-End Visibility for Your Cisco Infrastructure

Alexander Paul IBM Certified Advanced Technical Expert (C.A.T.E.) for Power Systems Certified Cisco Systems Instructor CCSI #32044

Validating Long-distance VMware vmotion

VMware NSX Network Virtualization Design Guide. Deploying VMware NSX with Cisco UCS and Nexus 7000

NETFORT LANGUARDIAN INSTALLING LANGUARDIAN ON MICROSOFT HYPER V

AlliedWare Plus OS How To Use sflow in a Network

Cisco Certified Network Associate Exam. Operation of IP Data Networks. LAN Switching Technologies. IP addressing (IPv4 / IPv6)

Next Gen Data Center. KwaiSeng Consulting Systems Engineer

Reference Design: Deploying NSX for vsphere with Cisco UCS and Nexus 9000 Switch Infrastructure TECHNICAL WHITE PAPER

Leased Line + Remote Dial-in connectivity

Flow Monitor Configuration. Content CHAPTER 1 MIRROR CONFIGURATION CHAPTER 2 SFLOW CONFIGURATION CHAPTER 3 RSPAN CONFIGURATION...

Network Configuration Example

COURSE AGENDA. Lessons - CCNA. CCNA & CCNP - Online Course Agenda. Lesson 1: Internetworking. Lesson 2: Fundamentals of Networking

Session Title: Exploring Packet Tracer v5.3 IP Telephony & CME. Scenario

Question: 3 When using Application Intelligence, Server Time may be defined as.

Traffic Mirroring Commands on the Cisco IOS XR Software

Configuring iscsi Multipath

Packet Matching. Paul Offord, Advance7

How To Orchestrate The Clouddusing Network With Andn

Securing Networks with PIX and ASA

Hyper-V R2: What's New?

Set Up a VM-Series Firewall on the Citrix SDX Server

Configure IOS Catalyst Switches to Connect Cisco IP Phones Configuration Example

I1: Best Practices for Packet Collection, Aggregation & Distribution in the Enterprise

Management Software. Web Browser User s Guide AT-S106. For the AT-GS950/48 Gigabit Ethernet Smart Switch. Version Rev.

NetFlow-Lite offers network administrators and engineers the following capabilities:

Course. Contact us at: Information 1/8. Introducing Cisco Data Center Networking No. Days: 4. Course Code

IP SAN BEST PRACTICES

VM-Series Firewall Deployment Tech Note PAN-OS 5.0

VLANs. Application Note

Lab Testing Summary Report

Transcription:

Packet Capture Techniques Paul Offord, Advance7

Groups of capture techniques Directly from the user PC or on a server Based on switch capabilities Via purpose-built devices In a virtual environment

On The Client: Topology Network Server PC

Wireshark executables Start Wireshark Start a capture

Very Large Frames

TCP Segmentation Offload Process NIC PC or Server T C P I P D r i v e r T C P I P E t h Ethernet Switch PC or Server L = 5 KB L = 1,518 bytes Without Large Receive Offload (LRO) L = 1,518 bytes L = 1,518 bytes L = 798 bytes May be bigger than Jumbo Frame (>9,000 bytes MTU) L = 1,518 bytes L = 1,518 bytes L = 1,518 bytes L = 1,518 bytes

On The Client: Advantages Easy to achieve Zero disruption to services Capture wireless traffic Capture VPN traffic inside the tunnel

On The Client: Considerations TCP Seg. Offload can be confusing Disk contention may cause lost packets Potential performance hit when saving to C: - Page files, EXEs, DLL, Memory Mapped Files - Consider USB drive Use dumpcap for long-term captures

On The Server: Topology Network Server PC Use dumpcap

Discovering unknown interactions Network Another server Server PC

On The Server: Advantages Relatively easy to achieve Minimal disruption to services - Change Request probably needed All client traffic visible All interactions with other services visible Blade and VM east-west traffic visible

On The Server: Considerations TCP Seg. Offload can be confusing Volume of data higher than client-side capture Save to a dedicated volume - Not to C: drive, database log vols, etc. - USB drives work well Use dumpcap not tshark or Wireshark Care needed when teaming used Intra-OS tracing not possible on Windows - Loopback adapter not the same as Linux

Via loopback Linux OS App Server Database Server dumpcap Source and destination IP address is 127.0.0.1 use TCP port number to determine packet direction

RawCap Windows OS App Server Database Server RawCap Produces PCAP files IPv4 only Windows 2008 r2 onwards

Time for Questions

SPAN-Monitor-Mirror: Topology Source Port Switch Destination Port Capture Server Network Cisco monitor session Juniper - set ethernet-switching options analyzer PC

SPAN-Monitor-Mirror: Uplink Capture Switch Network N Voice VLAN Server VLAN W E PC to any server No server to server Phone to IPT No IPT to IPT IPT System Servers S

SPAN-Monitor-Mirror: VLAN Capture Network Switch PC to any server Server to server Voice VLAN Server VLAN Packets flowing North-South will appear in the capture twice (flagged as Dup s) No IPT No IPT to IPT IPT System Servers

Asymmetric WAN Routing Gotcha S HSRP / VRRP Pair P Core Switch Core Switch Router User VLANs WAN transit VLAN Server VLAN Switch Svr Svr Svr Svr

Teaming (LBFO) Network Switch A Switch B Team Server Options: - Active/standby - Generic or static teaming (IEEE 802.3ad) - Dynamic teaming (IEEE 802.1ax, LACP) Always capture both interfaces!

Teaming: Switch independent mode Network Switch A Switch B Team Server

SPAN-Monitor-Mirror: Advantages Easy to configure Low risk non-invasive Multiple sources into one destination Entire VLANs can be monitored - Need to monitor on each switch - May see duplicates Negligible impact on the switch

SPAN-Monitor-Mirror: VLAN Gotcha Switch A VLAN 130 Switch B Capture Server PC This won t work!

SPAN-Monitor-Mirror: 2-into-1 Source Port Destination Port Rx - 1Gbps Monitor - 2Gbps (switch Tx) Tx - 1Gbps

Cut-through switches Nexus Switch Ethernet IP TCP In theory, the switch just needs to see the DMAC address. In practice it uses more so that it can support ACLs etc.

Virtual Output Queues Nexus Switch Ingress port VOQ Egress port

Cisco Nexus Back-pressure Gotcha Nexus Switch Ingress port VOQ monitor source Queuing due to monitor destination port congestion monitor destination

SPAN Rate Limiting Configuring the Rate Limit for SPAN Traffic By configuring a rate limit for SPAN traffic to 1Gbps across the entire monitor session, you can avoid impacting the monitored production traffic. For Nexus 5000 series switches: When spanning more than 1Gbps to a 1 Gb SPAN destination interface, SPAN source traffic will not drop. When spanning more than 6 Gbps (but less than 10Gbps) to a 10Gb SPAN destination interface, the SPAN traffic is limited to 1Gbps even though the destination/sniffer is capable of 10Gbps. On the Nexus 5500 series, SPAN traffic is rate-limited to 1Gbps by default so the switchport monitor rate-limit 1G interface command is not supported. Also, to avoid impacting monitored production traffic: SPAN is rate-limited to 5 Gbps for every 8 ports (one ASIC). Different rules and RX-SPAN is rate-limited to 0.71 Gbps per port when the RX-traffic on the commands port exceeds for 5 Gbps. Nexus 7000

SPAN-Monitor-Mirror: Considerations Overload of the monitor destination Back-pressure on source port (Cisco Nexus) - Alleviated using source rate limiting Limited number of monitor sessions Requires a spare switch port for destination Makes and models vary -> review first

Cisco ACL / VACL: Topology ACL Access Control List VACL VLAN Access Control List Match a packet to criteria Switch Take an action Capture Server PC

Cisco ACL / VACL: Advantages VACL Capture on Catalyst ACL Capture on Nexus Similar to monitor/mirror but also Wide range of monitor criteria - IP addresses, port numbers, etc. - Helps avoid destination overload More sessions possible Is this the future for capture on Cisco?

Cisco ACL / VACL: Considerations As per monitor/mirror plus Complicated to configure Greater risk of a mistake and so production impact Risk of not capturing the expected traffic

Time for Questions

Blade Enclosure: Front

Blade Enclosure: Rear

Blade Enclosure: Topology Chassis Blade Blade Blade App Server DB Server File Server Capture Enclosure Switch Network

Blade Enclosure Alternative Chassis Blade Blade Blade App Server DB Server Enclosure Switch Network

Blade enclosure: Advantages Easy to configure Low risk non-invasive Multiple sources into one destination Often entire VLANs can be monitored - Need to monitor on each switch - May see duplicates Negligible impact on the switch

Blade enclosure: Considerations Overload of the monitor destination Limited number of monitor sessions Requires a spare switch port for destination - Often all external ports are in use Makes and models vary -> review first

Cisco UCS Fabric Interconnect Storage UCS Interconnect Switch FCoE Limited to 1Gbps Server Capture

Cisco UCS Fabric Interconnect Storage UCS Interconnect Switch Ethernet Limited to 1Gbps Server Capture

UCS Fab Interconnect: Advantages Quick and easy to configure Visibility to East-West traffic Monitor multiple source Monitor VLANs Capture storage traffic (FCoE)

UCS Fab Interconnect: Considerations Monitoring limited to 1Gbps - This probably negates the storage trace capability Monitor src and dst must be on same FI Limit of two monitor sessions

Time for Questions

TAP Non-aggregator Tap Aggregator Tap Switch Switch Capture TAP Server Capture TAP Server

TAP: Advantages Reduces risk of dropped packets Captures all information including physical errors Totally passive Will not affect host performance

TAP: Considerations Need to break network link to install More expensive Less flexible Non-aggregators require two capture ports Aggregators suffer 2-into-1 problem

Network Packet Broker Filter Slice Timestamp De-dup Many-to-many NPB SPAN Monitor Mirror TAP Other Sources

Time for Questions

ESX vswitch Promiscuous Mode ESX Host VM VM VM PC App Server DB Server vanalyser (dumpcap) WTS or vsphere Client vswitch Network

Promiscuous Mode: Advantages Minimal disruption to services - Change Request probably needed Can capture all intra-vswitch traffic - East-West

Promiscuous Mode: Considerations vanalyser VM required Care regarding destination of trace data - Not to sensitive volumes Anecdote that causes high CPU load - This has not been our experience Capture will not follow vmotioned guest

Hyper-V Monitor Port Hyper-V VM VM VM PC App Server DB Server vanalyser (dumpcap) WTS Client RDP vswitch Network

Hyper-V Monitor Port: Advantages Similar to monitor/mirror on a physical switch Minimal disruption to services - Change Request probably needed Can capture all intra-vswitch traffic - East-West

Hyper-V Monitor Port: Considerations vanalyser required Care regarding destination of trace data - Not to sensitive volumes

Ixia Phantom vtap ESX / Hyper-V / XenServer VM VM VM Capture App Server Web Server vtap Mgmt vswitch GRE Terminator Network

Ixia Phantom Tap: Advantages No software required on VM s No impact to VM performance vtap can capture all vswitch traffic Or can capture specific traffic Works on the leading hypervisors Can track a VM thru ESX vmotion

Ixia Phantom Tap: Considerations vtap Management VM on each host Annual subscription for each physical host Sensitive to vtap Mgmt. VM performance

Further information Paul Offord FBCS CITP Mobile: +44 1279 211 668 Email: paul.offord@advance7.com Web: www.advance7.com LinkedIn Communities TribeLab - Free tutorials - Free guides - Free resources

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information