Troubleshooting lower-level networking issues has generally involved configuring a port on a managed network switch as a SPAN/mirror port. That is only possible on a managed switch, which tends to be a larger, more expensive rackmount unit, not something you see in smaller network infrastructures. It also involves getting assistance from the network admin.

NetGear now has a “Plus” version of its network switches. Take the NetGear GS105E as an example. This very small footprint 5-port switch has a durable metal case, supports Gigabit Ethernet on all ports, and is “manageable” using the NetGear ProSafe Plus Utility. The best part: it is only $60 USD and supports port mirroring.

Out of the box, it supports DHCP for its management IP though you can configure a static IP.

I recommend you use the ProSafe Plus Utility once to configure one port to mirror another, then label the top of the switch so you don’t forget. After that you no longer need the utility; just keep this little switch in your “toolkit” and you can easily introduce a sniffer into any network connection you need to troubleshoot.

If you have a laptop running Wireshark, you can connect it directly to the monitoring port on the GS105E. You will get a copy of all traffic that is being monitored. When done, take the switch back out of the picture. This does involve physically connecting and disconnecting network cables. However, it is portable and doesn’t require much other coordination. It is all in your control when you are onsite and need to do some quick troubleshooting.
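To confirm the monitoring port is really delivering mirrored traffic, this added example (not part of the original post) reads a classic pcap capture and looks for unicast conversations between other hosts, which a normal switch port would not receive. The function names, MAC addresses and sample capture are constructed for illustration; Wireshark's default pcapng format is not handled.

```python
import struct

MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}  # classic pcap byte orders

def frames(pcap):
    """Yield Ethernet frames from a classic libpcap file (not pcapng)."""
    endian = MAGICS.get(pcap[:4])
    if endian is None or len(pcap) < 24:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        yield pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def mirror_report(pcap, own_mac):
    """Classify frames by whether the sniffer's port would see them without mirroring."""
    counts = {"own": 0, "flooded": 0, "foreign_unicast": 0}
    seen = set()
    for f in frames(pcap):
        if len(f) < 14:
            continue  # shorter than an Ethernet header
        dst, src = f[0:6], f[6:12]
        if own_mac in (dst, src):
            counts["own"] += 1  # the sniffer's own traffic
        elif dst[0] & 1:
            counts["flooded"] += 1  # broadcast/multicast reaches every port anyway
        else:
            counts["foreign_unicast"] += 1
            seen.add((src, dst))
    # A switch also floods unknown unicast, so require both directions of a flow.
    counts["two_way_flows"] = sum(1 for s, d in seen if (d, s) in seen) // 2
    counts["mirroring"] = counts["two_way_flows"] > 0
    return counts

def sample_capture(own_mac, mirrored=True):
    """Constructed capture: an ARP broadcast, one frame to us, optional foreign flow."""
    a, b = bytes.fromhex("020000000a01"), bytes.fromhex("020000000b02")
    ip, pad = b"\x08\x00", bytes(46)
    out = [b"\xff" * 6 + a + b"\x08\x06" + pad, own_mac + a + ip + pad]
    if mirrored:
        out += [b + a + ip + pad, a + b + ip + pad]
    pcap = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(out):
        pcap += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return pcap
```

On a real capture, call `mirror_report(open(path, "rb").read(), own_mac)` with the sniffer NIC's MAC address as six raw bytes.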

If you want to leave a connection permanently monitored, you could easily set up an intrusion detection system appliance by installing EasyIDS. This box would need 2 network cards: one connects into the network so you can access and manage the box, and the other goes into the monitoring switch port. Typically the link being monitored would be an Internet connection (the WAN side of your router/firewall).

By having this IDS always connected to your Internet connection, you now have a bunch of tools readily available should you ever need them (tcpdump, snort, netcat, ntop, arpwatch, etc.). Another idea is to place it on the internal LAN connection of your router/firewall; this might offer a lot of visibility when troubleshooting Internet connectivity issues and tracking usage.

Everyone has favorite tools for troubleshooting networks. Most of the time, it comes down to what is handy and accessible at the moment. If you prepare yourself ahead of time by having a pre-configured switch with a monitoring port along with the right software already installed, you’ll be able to react a lot quicker and more efficiently.

 

 

6 Comments
  1. The office that I work at runs the bigger GS116E and they work like a charm. We use the ProSafe to its maximum potential. It does so much for us so we don’t have to.

  2. Wireshark is an art. It’s definitely not a tool an amateur can pick up and make any real use out of aside from just poking around and getting an idea of what network traffic really looks like at a packet level.

    There are numerous guides out there that can walk you through some of the more routine tasks like tracking network usage and where things are being routed, but I think you still need some technical background to make full use of it.

  3. Well this looks like quite the efficient tool to troubleshoot my network. I like the fact that it monitors all of the traffic. I had not heard of this product before and I’ll see if my employer will purchase it. I think the features warrant a purchase but that is just my opinion. Thank you for another great tip.

  4. The NetGear GS105E does its job without a glitch! It is inexpensive and because it supports port mirroring it is one of the best in my opinion (for this price range).

  5. Various authorities have been using their own tinker toys and favorite tools for the purpose of traffic monitoring. Thank goodness these things that were not around before are now around. I’m impressed by what they could do for us.

  6. This is a pretty good guide if you can’t afford packet testers or professional network diagnostic tools. For $60 compared to the $700 some packet testers can go for, this not only has more functionality but can be run on a variety of machines. Having EasyIDS running on a dedicated box is also a really good idea.
