Ok, I have a question on this...I am recommending to my bosses that they invest in a tap. Ok, all is well in the land of milk and honey and I get 3/4 to use in the enterprise. But, I still need a capture tool/pc/laptop to plug into the tap to capture that traffic without dropping packets. What do people use? I've seen presentations from sharkfest about how poorly laptops perform, what do people use?? asked 28 Feb '14, 19:12  RTJ10 |
This is a static archive of our old Q&A Site.
Please post any new questions and answers at ask.wireshark.org.
What are your requirements? 100Mbit/s, 1Gbit/s, 10Gbit/s? Do you need the full traffic, or just some 'streams'? The full payload vor just the headers?
I have a dedicated capture device, like a riverbed though not from them, that does 10 Gbits, but it's of course, not at the server. And it only does Headers, or Headers + 8192. But I am not sure if its a problem with the device, or how it tries to determine whats a "header" because the SMB/SMB2 stuff seems to go missing, at least the details. So I need something that can do 1 Gbit, move around as needed and not worry about packet loss. I've been doing captures on the server(s) directly but always seem to run into issues getting a clean trace. And I am trying to trouble shoot a file transfer issue between windows servers and its been a pain due to packet loss.
O.K. so, you need something with a 1 Gibt/s interface, or with 2 x 1 Gibt/s interface if you want to capture Full-Duplex on a TAP. The later will be hard to accomplish for a Laptop, as you won't find any Laptop with two network interfaces, attached directly to the PCI bus of the motherboard. There are dual port expresscard NICs, but I doubt that they will really operate at 2 x 1 Gbit/s (limited by the Expresscard throughput). Of course you could use one onboard NIC and the second through Expresscard ;-)
So, the big question is: Do you really need that? Wouldn't a switch with port mirroring be sufficient in your environment? If no: why?
Then some questions you did not yet answer: