Network Analysis in a 10/100Mbps Full Duplex Environment
Analyzing a full-duplex 10/100Mbps Ethernet network is a little different from traditional half-duplex Ethernet environments. Consider the five guidelines below in your search for the best solution.
1) If you quick-configure your Windows 2000-based laptop network analyzer Pro so the TCP/IP stack is disabled, then it will function as a receive-only network analyzer - the ideal situation. Data will be received on pins 3 and 6 (receive pair) from the switch or node but no data will be sent on pins 1 and 2 (transmit pair).
2) If you wish to analyze a particular node or server via its switch port, SPANning or mirroring the port will present you with half-duplex or full-duplex data, dependent upon the switch configuration capabilities. There are a few caveats associated with "spanning" a port:
i) The timestamp that your analyzer adds to each received frame will not necessarily be the exact timestamp of the frame that egressed the port; it will be the timestamp of the received frame copy.
ii) All of the data (egress and ingress) is copied to the switch port connected to your analyzer's input port, so the analyzer is not able to assign the direction indicators [A] and [B], indicating egress and ingress, respectively.
iii) If the original port that is being spanned has defective circuitry or cabling and is subsequently trashing frames, these defects will not show up on your analyzer because the switch is spanning a copy of the frame queued on the port - not the actual egressing frame itself.
iv) Capturing data from a spanned or mirrored port or VLAN is akin to "analyzing by rumor". A better method would be an intrusive connection.
3) The Xircom laptop card, like most NICs, has only a single port. Thus it is not possible to connect an analyzer between the switch port and the target device, i.e. a client, a server, another switch, etc. A good solution is to use a desktop or portable (non-laptop) analyzer with the special dual-port full-duplex 10/100Mbps NIC. In this scenario, the analyzer can be injected between the two devices, i.e. switches. The egress port of one switch can be connected to the upper NIC port and the ingress port of the other switch can be connected to the lower NIC port. Do note that you will have to break the link between the two switches to make the connection. A better solution would be to install a tap on the most important switch-to-switch links. That means you could attach the dual-port analyzer to the dual-port tap between the switches whenever required without disrupting the connection (the only disruption would be the initial tap installation, of course). The upper analyzer cable port would be connected to Monitor A port on the tap, and the lower analyzer cable port would be connected to Monitor B port on the tap.
4) If you do not have the special dual-port NIC and are constrained to using a laptop, all hope is not lost. You can still use your laptop analyzer but you will need two Xircom CBE2 NICs. (Don't use any other NIC, as only the CBE2 drivers will reliably provide you with defective Ethernet frames if they exist on the network.) To use a laptop to analyze a full duplex connection requires that you run two instances of your analyzer. v4.7.5 currently does not support two simultaneous instances of the analyzer application so we recommend using two analyzers, each with a Xircom NIC. One of the laptops could connect to the tap's Monitor A port and the other laptop could connect to the tap's Monitor B port. Is this an ideal situation? Far from it, but it will quickly show you the direction of defective frames present on the link. Are there caveats to this arrangement? Yes, they are:
i) Trace alignment can be somewhat difficult unless you quick filter on the TCP socket.
ii) Taps are the least expensive and disruptive solution for intrusive investigations. If you have a large number of switch links, consider putting them only on the most important ones.
iii) v4.7.5 does not support more than one instance of the network analyzer running simultaneously. Workaround: use a single Xircom NIC that you can move from the tap's Monitor A port to Monitor B port looking for the defective switch port emitting the defective Ethernet frames.
5) The best choice is to use the Full-Duplex solution for your analyzer. It comes as an appliance: a Dolch PC loaded with the OS, v4.7.5 of the software, and the dual-port FDX card, fully loaded, configured, and ready to use. Again, consider attaching the analyzer's two cables to the two Monitor ports of a 10/100Mbps Ethernet tap instead of "going intrusive"; it's the least disruptive solution.
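
Guideline 4, caveat i, says that two single-direction traces are hard to align unless you filter on the TCP socket. The Python sketch below is an added example, not part of the original guide or of any analyzer product: it filters two constructed traces on one socket and bounds the clock difference between the two laptops from the rule that an ACK passes the tap after the data it acknowledges. The record layout, the function names and the sample packets are assumptions made for illustration, and the labels "A" and "B" here mark the tap Monitor port each frame was captured on.

```python
from collections import namedtuple

Pkt = namedtuple("Pkt", "ts src sport dst dport seq ack plen flags")
# Constructed sample traces (not real captures), each in time order.
# Monitor A laptop: client -> server frames; its clock is the reference.
TRACE_A = [
    Pkt(10.000, "10.0.0.5", 40000, "10.0.0.9", 80, 1000, 0, 0, "S"),
    Pkt(10.001, "10.0.0.7", 40001, "10.0.0.9", 80, 7000, 0, 0, "S"),  # other socket
    Pkt(10.004, "10.0.0.5", 40000, "10.0.0.9", 80, 1001, 5001, 0, "A"),
    Pkt(10.005, "10.0.0.5", 40000, "10.0.0.9", 80, 1001, 5001, 100, "PA"),
    Pkt(10.020, "10.0.0.5", 40000, "10.0.0.9", 80, 1101, 5501, 0, "A"),
]
# Monitor B laptop: server -> client frames; its clock runs 2.5 s behind.
TRACE_B = [
    Pkt(7.502, "10.0.0.9", 80, "10.0.0.5", 40000, 5000, 1001, 0, "SA"),
    Pkt(7.507, "10.0.0.9", 80, "10.0.0.5", 40000, 5001, 1101, 0, "A"),
    Pkt(7.515, "10.0.0.9", 80, "10.0.0.5", 40000, 5001, 1101, 500, "PA"),
]

def on_socket(p, sock):
    """True if p belongs to TCP connection sock=(ip1, port1, ip2, port2), either direction."""
    fwd = (p.src, p.sport, p.dst, p.dport)
    return fwd == sock or (fwd[2], fwd[3], fwd[0], fwd[1]) == sock

def seq_end(p):
    """Sequence number the peer will ACK: payload plus one each for SYN and FIN."""
    return (p.seq + p.plen + ("S" in p.flags) + ("F" in p.flags)) % 2**32

def offset_bounds(data_side, ack_side):
    """For each ACK, (time its data first passed the tap) - (time of the ACK)."""
    first_seen = {}
    for d in data_side:
        if seq_end(d) != d.seq:                      # frame consumes sequence space
            first_seen.setdefault(seq_end(d), d.ts)  # keep first copy, skip retransmits
    return [first_seen[a.ack] - a.ts for a in ack_side
            if "A" in a.flags and a.ack in first_seen]

def align(trace_a, trace_b, sock):
    """Return (offset, low, high, merged); offset is added to trace B timestamps."""
    a = [p for p in trace_a if on_socket(p, sock)]
    b = [p for p in trace_b if on_socket(p, sock)]
    lows = offset_bounds(a, b)                # offset >= tA(data) - tB(ack)
    highs = [-x for x in offset_bounds(b, a)] # offset <= tA(ack) - tB(data)
    if not lows or not highs or max(lows) > min(highs):
        raise ValueError("traces cannot be aligned on this socket")
    off = (max(lows) + min(highs)) / 2
    rows = [(p.ts, "A", p) for p in a] + [(p.ts + off, "B", p) for p in b]
    return off, max(lows), min(highs), sorted(rows, key=lambda r: r[0])
```

The width of the interval between the low and high bounds shows how far the merged timeline can be trusted; it narrows as more data and ACK pairs are seen in both directions.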
Sniffer, Sniffer Pro, and DSPro are trademarks of Network Associates Inc.