quick network engineering review question
Gerald Combs
gerald at ethereal.com
Thu Jun 2 13:47:00 CDT 2005
David Nicol wrote:
> I want to sniff all traffic on the upstream link at my installation. I have a
> wire that comes into my cisco router from the CSU/DSU. The question is,
> is this wire a normal ethernet wire, so that I could plug it into a hub and plug
> the hub into the Cisco, that is, put a hub in line with it, or is it something
> else?
>
> I already have the crossover cable for the new connection, if plugging the
> CSU/DSU wire into a hub is in fact copasetic.
If your upstream connection is cable, DSL, or some sort of metropolitan
area Ethernet service (e.g. GigaMAN), then this would probably work.
You say you have a CSU/DSU however, so I'm assuming your upstream is a
T1 of some sort.
Unfortunately, trying to capture T1 traffic with Ethernet equipment
won't work. The signaling used by CSU/DSUs is incompatible with
Ethernet -- the frequencies, encodings, and algorithms are completely
different. The plugs and (I think) pinouts are the same, but that's
about it. Capturing data directly from a T1 requires expensive
equipment from places like Network General or GL Communications.
Capturing data on the LAN side of your router is much cheaper and
easier. The Ethereal wiki has a page on Ethernet capture at
http://wiki.ethereal.com/CaptureSetup_2fEthernet
Depending on your network you might have to apply some sort of capture
filter to make sure you only catch data to and from your upstream
connection. Something like
ether host nn:nn:nn:nn:nn:nn and not ip host x.x.x.x \
and not broadcast and not multicast
where nn:nn:nn:nn:nn:nn is the MAC address of your router's Ethernet
port and x.x.x.x is the IP address of your router's Ethernet port should
work.
More information about the Kclug
mailing list