This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Ok, I have a question on this... I am recommending to my bosses that they invest in a tap. Ok, all is well in the land of milk and honey and I get 3/4 to use in the enterprise. But I still need a capture tool/PC/laptop to plug into the tap to capture that traffic without dropping packets. What do people use? I've seen presentations from Sharkfest about how poorly laptops perform, what do people use?

asked 28 Feb '14, 19:12

RTJ10

What are your requirements? 100Mbit/s, 1Gbit/s, 10Gbit/s? Do you need the full traffic, or just some 'streams'? The full payload or just the headers?

(28 Feb '14, 23:45) Kurt Knochner ♦

I have a dedicated capture device, like a Riverbed though not from them, that does 10 Gbits, but it's, of course, not at the server. And it only does Headers, or Headers + 8192. But I am not sure if it's a problem with the device, or how it tries to determine what's a "header", because the SMB/SMB2 stuff seems to go missing, at least the details. So I need something that can do 1 Gbit, move around as needed and not worry about packet loss. I've been doing captures on the server(s) directly but always seem to run into issues getting a clean trace. And I am trying to troubleshoot a file transfer issue between Windows servers and it's been a pain due to packet loss.

(03 Mar '14, 06:20) RTJ10

O.K. so, you need something with a 1 Gbit/s interface, or with 2 x 1 Gbit/s interfaces if you want to capture Full-Duplex on a TAP. The latter will be hard to accomplish for a Laptop, as you won't find any Laptop with two network interfaces attached directly to the PCI bus of the motherboard. There are dual port Expresscard NICs, but I doubt that they will really operate at 2 x 1 Gbit/s (limited by the Expresscard throughput). Of course you could use one onboard NIC and the second through Expresscard ;-)

So, the big question is: Do you really need that? Wouldn't a switch with port mirroring be sufficient in your environment? If no: why?

Then some questions you did not yet answer:

  • do you need the full traffic, or just the communication between two (or more) systems, meaning: can you work with capture filters?
  • do you need the full payload?
  • did you enable Jumbo Frames on the switches and servers?
(03 Mar '14, 15:10) Kurt Knochner ♦

question asked: 28 Feb '14, 19:12

question was seen: 4,071 times

last updated: 03 Mar '14, 15:13