Wireshark (previously called Ethereal) is a popular, free, open source protocol analyzer. This article will demonstrate how Wireshark can be used with sFlow to remotely capture traffic. For background, the article Packet capture describes some of the reasons why the multi-vendor sFlow standard should be considered as an option for packet capture, particularly in high-speed, switched Ethernet environments.

Why use sFlow for packet analysis? To rephrase the Heineken slogan, sFlow reaches the parts of the network that other technologies cannot reach. The sFlow standard is widely supported by switch vendors, embedding wire-speed packet monitoring throughout the network. With sFlow, any link or group of links can be remotely monitored. The alternative approach of physically attaching a probe to a SPAN/Mirror port is becoming much less feasible with increasing network sizes (tens of thousands of switch ports) and link speeds (10, 40 and 100 Gigabits).

The protocol analysis capabilities of Wireshark complement the network-wide visibility provided by an sFlow analyzer, extracting additional details that are useful for troubleshooting. Wireshark's interactive filtering and browsing capabilities, combined with an extensive library of protocol decodes, provide the detail needed to diagnose network problems using the packet headers captured by switches and exported in sFlow.

The first step is to configure the network switches to monitor selected links and send sFlow to the host that will be used for packet analysis; configuration instructions for most switch vendors are available on this blog. Alternatively, if sFlow is already being used for network-wide visibility, then obtaining an sFlow feed can be as simple as directing the sFlow analyzer to forward sFlow to Wireshark. The article CaptureSetup/Pipes describes how Wireshark can be configured to receive packets on a pipe.
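The pipe arrangement above, shown end to end as an added example (this is not code from the original post, nor the sFlow project's sflowtool utility): the script decodes the raw packet header records carried in sFlow v5 flow samples and writes them as a pcap stream that Wireshark can read from a pipe. The constructed sFlow datagram, the script name sflow2pcap.py and the --listen flag are assumptions made for illustration; UDP port 6343 is the sFlow default.

```python
"""sflow2pcap.py: decode sFlow v5 datagrams and emit sampled packet headers as pcap.

Added example, not the blog's own code. Live use (assumed invocation):
    python3 sflow2pcap.py --listen | wireshark -k -i -
Without --listen it writes a pcap of the constructed test datagram to stdout.
"""
import socket
import struct
import sys
import time

SFLOW_PORT = 6343         # sFlow default UDP port
LINKTYPE_ETHERNET = 1     # pcap DLT_EN10MB
# Classic pcap global header: magic, version 2.4, tz 0, sigfigs 0, snaplen, linktype
PCAP_GLOBAL_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)


class _Reader:
    """Cursor over an XDR-encoded buffer (sFlow uses 4-byte big-endian words)."""

    def __init__(self, buf):
        self.buf, self.pos = buf, 0

    def u32(self):
        (v,) = struct.unpack_from("!I", self.buf, self.pos)
        self.pos += 4
        return v

    def take(self, n):
        b = self.buf[self.pos:self.pos + n]
        self.pos += n
        return b


def parse_sflow_v5(datagram):
    """Return [(sampling_rate, frame_length, header_bytes)] for each Ethernet raw header record."""
    r = _Reader(datagram)
    if r.u32() != 5:
        raise ValueError("only sFlow version 5 is handled")
    addr_type = r.u32()
    r.take(4 if addr_type == 1 else 16)   # agent address: IPv4 or IPv6
    r.take(12)                            # sub-agent id, sequence number, uptime
    headers = []
    for _ in range(r.u32()):              # number of samples in this datagram
        sample_type, sample_len = r.u32(), r.u32()
        sample_end = r.pos + sample_len
        if sample_type == 1:              # enterprise 0, format 1: flow sample
            r.take(8)                     # sequence number, source id
            sampling_rate = r.u32()       # 1-in-N: counts must be scaled, headers are not
            r.take(16)                    # sample pool, drops, input, output
            for _ in range(r.u32()):      # flow records in this sample
                rec_type, rec_len = r.u32(), r.u32()
                rec_end = r.pos + rec_len
                if rec_type == 1:         # raw packet header record
                    protocol, frame_length = r.u32(), r.u32()
                    r.take(4)             # bytes stripped (e.g. FCS)
                    hdr = r.take(r.u32())
                    if protocol == 1:     # header_protocol 1 = Ethernet; others skipped
                        headers.append((sampling_rate, frame_length, hdr))
                r.pos = rec_end           # skip padding and records we do not decode
        r.pos = sample_end                # expanded samples, counter samples: skipped
    return headers


def pcap_record(header_bytes, frame_length, ts_sec=0, ts_usec=0):
    """caplen is the sampled header length, len is the original frame length."""
    return struct.pack("<IIII", ts_sec, ts_usec, len(header_bytes), frame_length) + header_bytes


def sflow_to_pcap(datagram, ts_sec=0):
    """Whole-datagram conversion: global header plus one record per sampled header."""
    out = bytearray(PCAP_GLOBAL_HEADER)
    for _rate, frame_length, hdr in parse_sflow_v5(datagram):
        out += pcap_record(hdr, frame_length, ts_sec)
    return bytes(out)


def build_sample_datagram():
    """Constructed sFlow v5 datagram (test input, not captured traffic): one flow sample,
    one raw header record holding a 34-byte Ethernet+IPv4 header of a 1514-byte frame."""
    hdr = bytes.fromhex("ffffffffffff0011223344550800") \
        + bytes.fromhex("4500003c00004000400600000a0000010a000002")
    padded = hdr + bytes(-len(hdr) % 4)                       # XDR pads opaque data to 4 bytes
    rec_body = struct.pack("!IIII", 1, 1514, 4, len(hdr)) + padded
    record = struct.pack("!II", 1, len(rec_body)) + rec_body
    flow = struct.pack("!IIIIIIII", 7, 0x10001, 1024, 1000000, 0, 1, 2, 1) + record
    sample = struct.pack("!II", 1, len(flow)) + flow
    return struct.pack("!II", 5, 1) + bytes([10, 0, 0, 1]) \
        + struct.pack("!IIII", 0, 1, 1000, 1) + sample


def relay(port=SFLOW_PORT, out=None):
    """Listen for sFlow and stream pcap to `out` (stdout by default) for `wireshark -k -i -`."""
    out = out or sys.stdout.buffer
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("", port))
    out.write(PCAP_GLOBAL_HEADER)
    out.flush()
    while True:
        datagram, _ = sock.recvfrom(65535)
        now = time.time()
        for _rate, frame_length, hdr in parse_sflow_v5(datagram):
            out.write(pcap_record(hdr, frame_length, int(now), int((now % 1) * 1e6)))
        out.flush()                        # keep Wireshark updating live


if __name__ == "__main__":
    if "--listen" in sys.argv:
        relay()
    else:
        sys.stdout.buffer.write(sflow_to_pcap(build_sample_datagram()))
```

Two caveats a practitioner should keep in mind when reading the result in Wireshark: sFlow delivers 1-in-N sampled packets and only the first part of each (typically 128 bytes), so what appears is a sample of headers, not a full capture, and TCP stream reassembly or payload inspection will not work; and the snapshot length shown per packet is the sampled header length while the frame length column reflects the original frame size, which is how the record above is written. Counter samples and expanded flow samples are skipped by this decoder rather than decoded.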