Wandering Thoughts archives

2008-10-28

One reason why people buy Ethernet taps

There are a number of people who will sell you rather expensive network tap boxes (eg here). Since hearing about them and discovering the actual prices, I've felt that traffic monitoring switches with mirroring ports (despite the VLAN issue) and dual-NIC PCs running bridging software made them pointless except for people with very high end needs; they were neat in a theoretical way, but not something we would ever need in practice, since the alternatives were perfectly good.

(There is a lot of elaborate equipment that would be cool to have around but I must reluctantly admit we don't exactly need.)

Let me retract that blithely optimistic view of mine.

We have lately been attempting to debug a switch issue involving performance problems with traffic between a 100 mbit machine and a gigabit machine, and we think that part of the problem may be related to inter-switch flow control issues (specifically, who does it when). As we've been discovering, the problem with monitoring switches and bridges is that they are not completely transparent; both switches and bridges change the layer 2 behavior of the network, things like how pause frames or STP broadcasts are handled, and often at a level that's too low for you to really monitor or influence.

(At least some switches generate or don't generate pause frames on links based on low-level negotiations with whatever is on the other end of the link; put a bridge in, and you may have just changed what gets negotiated. Plus, pause frames do not pass through bridges, or at least not through the bridge implementations that we've been trying to use.)

Most of the time this doesn't matter and you don't think about it. But right now this matters quite a lot to us, and it has been very frustrating to find out that there is basically nothing we can do to monitor our testing to find out what is going on, because anything we add to the test environment changes the behavior (or at least could be doing so, which means that we can't trust the results).

Let me tell you, network taps are looking awfully tempting right about now. (We probably still can't justify the expense, though; this is hopefully a one-time problem.)

sysadmin/TheNeedForNetworkTaps written at 01:22:38; Add Comment


Page tools: See As Normal.
Search:
Login: Password:
Atom Syndication: Recent Pages, Recent Comments.

This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.