|
[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]
Through all the playing around I've done with network monitoring, I
never tried ntop. I read an article on it and thought it might be an
interesting idea.
I got it working but it's of limited use on a switched network. I hate
that. The results were cool enough to want to see them for the whole
network so I put on my spelunking helmet and navigated the dark caverns
of switch documentation, in search of how to mirror ports.
A well-meaning coworker said that it would probably just be on the
switch's http page. And it was, if I wanted to mirror a port on a
Netgear switch. Unfortunately the one I wanted to mirror was on a ....
[insert dramatic music]
CISCO switch.
At this point my helmet with 15 element high intensity LEDs felt
strangely inadequate. I began to shake uncontrollably. My coworkers
asked about the near silent sobs.
But WAIT!
Cisco has a graphical assistant that will help.
Now where is it?
I have no idea. I have the attention span of a pregnant gnat.
Screw it - off to Cisco.com, where they have it.
And they want you to log in. Simply spending thousands of dollars on a
switch is not sufficient: you have to LOG IN too.
What I didn't realize was that I had outsmarted myself by putting the
client in the CISCO folder of our utilities drive. Of course I didn't
realize it- I wasn't smart enough.
The HEAVY CLIENT installed and there I was, looking at it, with no
apparent selection for what I wanted to do. I looked up MIRRORING and
found nothing. I looked up all sorts of things and found nothing. I
finally Google'd it and realized why I couldn't find it: we work in the
MIS Tower of Babble, wherein no two functions on different brands are
named the same thing.
If you're using a Netgear switch, you need to MIRROR ports.
If you're using a Cisco switch, you need to SPAN ports.
If you're using a 3com switch, it's just called BARBARA.
Very shortly manufacturers will begin ensuring that NO parts share
common names. If you're looking at a port...
on Netgear, it's called a PORT.
on Cisco, it's called an INDIVIDUAL ETHERNET OUTLET.
on 3com, it's called a HERRING.
Going back to the Cisco Heavy Client, I looked up SPANNING, which
provided damn near sixty percent of the answer. I understand that after
this version of help came out it was immediately recalled because Cisco
thought that providing sixty percent of an answer was giving away the farm.
I can just hear those of you with Cisco certs saying that Cisco merely
wants to make certain I *really* want to accomplish something. If I'm
truly serious, I'll go to the trouble of learning how to do it at the CLI.
Oddly enough, any search result I clicked on provided 100% of the answer
(so long as the link wasn't to cisco.com). I even found out that you
can mirror/span more than one port. My only problem was whether or not
my egress needed to be forwarded, encrypted, or put on a VLAN and hung
out like laundry for everyone to see. I took a random guess and alerted
my coworkers to be on the lookout for internet outages (yes, that was
the port I was mirroring/spanning/barbara).
For some reason I still don't understand, it worked. The great thing
about Egress Guessing is that it MUST be the right answer, as there are
results. If I saw no ntop activity, I'd know I made the wrong Egress Guess.
It's shooting out results faster than Obama shoots out trillion-dollar
handout packages. I'm waiting for the Big Test, which is when people
start downloading Beyonce videos en-masse. Or when April Autism kicks
in and everybody starts streaming the badminton playoff videos.
The most baffling thing is ntop's steadfast refusal to *stop* working
for no apparent reason. This always leaves me waiting for the other
herring to drop.
--
ThermionicEmissions - the blog
http://www.lockergnome.com/leftystrat
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
|
|