Hi Everyone, My goal is to acquire a realitively inexpensive tap solution that will allow me to pickup ALL FRAMES as well as packets using wire shark and 2 dedicated network interface cards on the TX and RX traffic up to gigabit speed. My goal is to read Accurate Delta times between TCP handshakes and I believe the following TAP I have will be a viable option for a TAP to serve this purpose. It's a passive tap made by a bought out company called "NetOptics" Model: TP-CU3 Here's the specs. I also plan to combine this specific TAP with a USB 3.0 Dual Port Gigabit Ethernet Adapter to my laptop. Can someone with experience using wireshark and the proposed solution please confirm if this configuration will allow me to obtain my goal or guide me to a better solution?? Thanks in advance, Joe Any suggestions much appreciated. asked 16 Dec '15, 06:46  candulj edited 16 Dec '15, 06:52  grahamb ♦ |
2 Answers:
If you're looking for a portable solution you you might want to check out ProfiShark, which does aggregated Gigabit captures with notebook connectivity via USB3. It's probably more expensive than the TP-CU3 though. An alternative to the Netoptics TAP (which is kinda noisy and does breakout only) is the Garland P1GCCA, which has dip switches allowing it to do either breakout, aggregation or SPAN regeneration. It is fanless and completely quiet, but a bit more expensive than the Netopics TAP. The primary question is probably the performance of the USB3 dual port ethernet adapter. In theory it should be fast enough to capture all packets, but most tests have shown that standard PC network cards often still drop packets (this is a problem the Profishark doesn't have). So while either Netoptics and Garland TAP are going to work just fine, the performance of the network card is going to the key factor. You should try to test it before deciding on the TAP if you can. answered 16 Dec '15, 07:54  Jasper ♦♦ |
Hi Joe, the tap seems fine in terms that if it introduces any measurable delay, it is a determinable and fixed one (the "Zero Delay" comes out to be just a marketing name based on an unrelated feature). You should be much more concerned about the accuracy of timestamp assignment at the side of your laptop. I mean accuracy, not resolution, because the time of arrival of the packet is one thing and the time when the kernel learns about the arrival is a different one, and the delay between the two is very likely to be variable and depend on load of your notebook, architecture of the dual-NIC adaptor (like e.g. raising of a single interrupt for several packets which have arrived "almost simultaneously", delays caused by the USB overhead etc and dependent on the "phase" of the USB frame at the moment the packet has arrived) But first of all and something which is intrinsic to any dual-port NIC over USB: if two packets, overlapping each other in time, arrive each to another GigE port of your dual-port NIC, the one which started arriving second will have to wait until the first one will have been transmitted to the laptop completely - because there is only a single channel available in the USB cable and they have to time-share it. To me, "precise timing" in the same sentence with "USB" and/or "laptop" simply sounds like dry water, sorry. If you are really that much after precise timing, you'll need a dedicated hardware for that purpose, which has been designed without bottlenecks and with hardware timestamping. answered 16 Dec '15, 08:06  sindy edited 16 Dec '15, 08:09 |
Much appreciate your invaluable feedback. Bottom line is I'll have to make due with what I have until I can find something that will provide me with the ROI I expect. J
You might want to have a look at a few words I wrote down about the ProfiShark 1G that Jasper mentioned: https://wireshark.no/index.php/2017/01/06/profishark-1g-a-1-gigabit-network-tap-from-profitap/