Home page logo
/

wireshark logo Wireshark mailing list archives

Re: How to build a 10Gbe test environment and monitor it with Wireshark?
From: Patrick Klos <patrick () klos com>
Date: Tue, 02 Apr 2013 11:47:25 -0400

David Aldrich wrote:
Hi Patrick

Thanks very much for your reply.

You're welcome.

Typically, monitoring a 10Gb link involves using a tap (or a switch with a SPAN port). Are you using copper or fiber?

I don't know which to choose.  The cable length will be <5m.  Which would you suggest?

Well, if you're only testing in the lab between these 2 machine (and you'll run Wireshark on one of them), you can save a lot of money by just using a direct attach cable like this one:

http://www.cablesondemand.com/product/SF-SFPP2EPASS-002/URvars/Items/Library/InfoManage/.htm

(I'm not endorsing this company - they just happened to show up early in the search list)

It's basically a cable with an SFP+ permanently attached at each end. I used a cable like that when I was writing drivers for some 10G cards. A lot cheaper than buying fiber or copper SFP+'s, cables and possibly a switch or tap.

Depending on the load you expect on the 10Gb link, you might even need a filtering tap.

It seems that a tap is just a switch with a montoring port. Am I correct?

Sometimes yes, sometimes no. Taps can have all kinds of features that you won't typically see in a switch with a monitoring port. In the simplest sense, they can be quite similar.

If you have a decent tap and can filter the data you care about to less than 1Gbps, you can filter the 10G in the tap and feed it to your Wireshark system over a 1G link.

I had thought of just running Wireshark on the same PC as the test application. Then I wouldn't need a tap.

Sure. That should work just fine unless you're looking for something that's timing or performance dependent? (meaning that running Wireshark on the same machine could effect the timing issue you're trying to debug)

But perhaps I should run it on a separate PC and then will need a tap.

How would that help if the previous scenario provided you the capabilities you need? What would this setup give you that the previous setup couldn't? It's a matter of cost versus functionality.

Windows systems usually have more overhead than allowed for effective high bandwidth capture - I suspect you'd have better luck with the Linux base for running Wireshark on heavy loads.

Agreed - I'll use Linux.

My statement about Windows versus Linux is primarily targeted at high bandwidth situations. Are you testing performance or just functionality?

Patrick

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault