Author Profile - Betty DuBois is the Principal Consultant for DuBois Training & Consulting, LLC. She has been analyzing networks since 1997, performing fault isolations, application profiles, and network baselines for a wide variety of clients. As an Instructor for Wireshark University, she is known for her ability to make a dry, complex subject fun and interesting by using both humor and real-world examples. She has presented at Networld+Interop, and is an experienced courseware developer and marketing collateral writer.
Betty’s industry certifications include Certified Wireshark University Instructor, Wireshark Certified Network Analyst, HP ProCurve AIS, and Sniffer Certified Expert.
Review of Dualcomm Technology’s 5-Port 10/100/1000 PoE Pass-Through Port Mirroring $119.95 Switch
One of the benefits of being a Wireshark University Instructor is that I get a chance to teach a wide variety of students from a vast range of companies. For years I've been talking about how important it is to capture using a Tap to achieve correct Delta times, but the pushback I've always gotten is the cost. Well, thanks to one of my students, Dan Dolan, I have a new solution.
During a Core 1 class in Chicago, I was showing off my different taps and explaining how they worked. Dan wanted one until he found out their retail price. He started Googling, and found Dualcomm, who at the time had only a 10/100 Port Mirroring switch. He forwarded me the link and I filed it away in the “gotta get tuit” folder. A few months later, he came to Core 2 in DC with his new switch. He had been using it at the insurance company he works for, and it had already saved him a lot of time and frustration. Now I had to have one. I contacted the company, and their newly released 10/100/1000 switch arrived a few weeks later. It was like Christmas.
What it is:
It's a 5-port 10/100/1000 switch. Port 1 is hardwired to mirror to port 5. You plug your annoying user into port 1, and the host running Wireshark into port 5. Then you plug the cable that used to connect the user to the switch into port 3. Now you can capture everything they are sending and receiving, while you are close enough to see what they are really doing. Sometimes just knowing that you can is enough to make them stop accusing your network of being slow.
Since it provides PoE Pass-Through, you can also capture at a VoIP handset or 802.11 Access Point. Just take the cable from the phone or AP and plug it into port 2, and use a new cable to connect your phone or AP to port 1.
I took this trace from a VoIP phone at our office. I found quite a few action items in this trace. For example, there are Read Errors for parts of the configuration file that the phone TFTP’s from the Call Manager, and the phone tags the packets priority 3 for SCCP and 5 for RTP, but the Call Manager’s traffic is tagged default priority 0. That is an issue when the calls have to be routed to an outside line through the Call Manager.
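The priority mismatch described above can be checked directly from the 802.1Q tag in each captured frame. The following is an added example, not part of the original review: it parses the tag and lists the sources that only ever send priority 0. The MAC addresses, VLAN 100 and the frames are constructed sample data; the priorities 3, 5 and 0 mirror the trace described above.

```python
import struct

TPID_8021Q = 0x8100  # EtherType that announces an 802.1Q tag

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_vlan_tag(frame):
    """Return (src_mac, vlan_id, pcp); vlan_id and pcp are None when untagged."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    src = mac(frame[6:12])
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return src, None, None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack("!H", frame[14:16])
    return src, tci & 0x0FFF, tci >> 13  # low 12 bits: VLAN ID, top 3 bits: priority

def priorities_by_source(frames):
    """Map each source MAC to the set of (vlan_id, pcp) pairs it sent."""
    seen = {}
    for f in frames:
        src, vlan, pcp = parse_vlan_tag(f)
        seen.setdefault(src, set()).add((vlan, pcp))
    return seen

def default_priority_sources(frames):
    """Sources that sent tagged frames, all of them at priority 0."""
    out = []
    for src, pairs in priorities_by_source(frames).items():
        tagged = [p for v, p in pairs if v is not None]
        if tagged and all(p == 0 for p in tagged):
            out.append(src)
    return sorted(out)

def build(src, dst, vlan=None, pcp=0):
    """Constructed frame: Ethernet header, optional tag, IPv4 EtherType, padding."""
    hdr = bytes.fromhex((dst + src).replace(":", ""))
    tag = b"" if vlan is None else struct.pack("!HH", TPID_8021Q, (pcp << 13) | vlan)
    return hdr + tag + struct.pack("!H", 0x0800) + b"\x00" * 46

# Constructed sample: a phone, a call manager and an untagged PC
PHONE, CALL_MGR, PC = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"
FRAMES = [
    build(PHONE, CALL_MGR, vlan=100, pcp=3),   # signalling from the phone
    build(PHONE, CALL_MGR, vlan=100, pcp=5),   # voice from the phone
    build(CALL_MGR, PHONE, vlan=100, pcp=0),   # reply at default priority
    build(PC, CALL_MGR),                       # untagged frame
]

if __name__ == "__main__":
    print("priority 0 only:", default_priority_sources(FRAMES))
```

Some capture NICs and drivers strip the 802.1Q tag before the capture tool sees the frame; such frames appear here as untagged and are left out of the priority check.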
Why I love it:
- It’s only $120! That is low enough to get one for every Engineer on your team.
- It is small enough to fit in my purse, 5”x7”x1.25”.
- It is USB powered, so I can just plug it into my laptop while I’m capturing. It uses a 5V adapter, so I could always run to Radio Shack if I needed a regular power supply.
- It captures the 802.1Q tag, so I can see VLAN numbers and priority settings.
- It has PoE pass-through so I can look at a VoIP phone or 802.11 Access Point.
- It is a lot faster to slip this inline than it is to find out which switch a host is physically attached to, get approval to change the config, hope that there is a destination port available for Wireshark, hope there isn’t the maximum number of SPAN/mirror/monitor sessions already used up, start the capture running and then go back to the user’s desk to tell them to start the test. Sure, you could have called them, but who can hear anything on their cellphone in a datacenter?
What you have to watch for:
- You have to take a host offline to plug it into the switch.
- Since it is USB powered, you have to leave it plugged into either the test host or your Wireshark host until you are ready to take the host offline again.
- It is a switch, but does not participate in Spanning Tree. Make sure that either the uplinked switch is running Spanning Tree, or you are really careful in your cabling. Nobody wants to make a resume-generating loop on their network.
- It is still a mirror session, not a Tap. Some latency will be induced by the additional switch.
It’s perfect for the quick and dirty capture. I intend to buy a couple more. Nothing is better for troubleshooting than capturing the same data stream in multiple places to see where latency and/or packet loss is really occurring.
Editor's Note: Wireshark University classes are offered in the United States through http://www.globalknowledge.com/ and in Europe through http://www.scos.nl/. Betty will be teaching the European inaugural Wireshark University class in the Netherlands the week of May 31st. Finally, Betty's Network Mysteries Video Series can be found at http://www.wireshark.org/docs/.