Multi-Tap Network Packet Capturing

From NST Wiki
Revision as of 07:32, 7 July 2008 by Rwh (talk | contribs) (Step: 3 Start Multi-Tap Capture)
Jump to navigationJump to search

Overview

This section will demonstrate the use of Multi-Tap Network Packet Capture with NST. The NST WUI implementation supports simultaneous Packet Capture on up to 4 network interfaces (Quad Tap) per multi-tap capture session. NST uses the Wireshark network protocol analyzer suite for network packet capture. The light-weight network packet capture tool: "dumpcap" is used as the capture engine.

When capturing packets at Gigabit Ethernet rates and one needs total visibility on the link, then a passive tap is required. Net Optics, a global leader in passive monitoring, makes an excellent 10/100/1000BaseT Tap (TP-CU3) for passively allowing access to monitor GigaBit traffic.

Multi-Tap Network Packet Capture: NAT/PAT Traffic

The diagram depicted below shows an example Multi-Tap Capture Setup for monitoring GigaBit traffic across a firewall boundary. We will explore the capturing of packets as they transverse the firewall and undergo both Network and Port Address Translation.

Multi-Tap Network Packet Capture: Traffic Between Gigabit Switches

The diagram displayed below shows an example Dual-Tap Capture Setup for monitoring network traffic between 2 Gigabit switches. In this case a generic notebook computer was used and configured with 3 network interfaces (A built-in Gigabit LAN adapter, a Gigabit LAN adapter PC-Card and a built-in 802.11g/n wireless adapter for secure remote access and control of NST).

Nst dual tap networking.png


Example Multi-Tap Network Packet Capture Session: Step-By-Step

This section will demonstrate a Multi-Tap Network Packet session using 2 network interfaces (eth1 and eth2) as the target capture interfaces. We will concentrate on email traffic (POP and SMTP) for network: "172.28.8.0/24". It is assumed that the NST probe has sufficient network interface adapters (at least 2 in this case) to perform this capture. Attach these interfaces to a network tap similar diagrams shown above.

Step: 1 NST WUI Multi-Tap Network Packet Capture Page

From the NST WUI Start page go to the NST WUI Multi-Tap Network Packet Capture page. This is accomplished by using the NST WUI Menu. Go to "Networking" then "Protocol Analyzers" and then go to the "Multi-Tap Network Packet Capture" page as shown below.

Navigate To The Multi-Tap Network Packet Page

Step: 2 Multi-Tap Interfaces & Data Directory Selection

Use the navigational aid link: "Select Tap Interfaces/Directory" to go to the "Multi-Tap Interfaces & Data Directory Selection" section. This is where you select the target capture interfaces and data directory on the NST probe when you will store your multi-tap capture.

Multi-Tap Interfaces & Data Directory Selection

Select interface: "eth1" for Tap0 and select interface: "eth2" for Tap1. For now use the default capture data directory: "/var/nst/wuiout/wireshark". Your configuration should look similar to the NST WUI image caption above. Next select the "Select Multi-Tap Interfaces/Capture Data Directory" button to make your configuration known to NST.

One can also click on a "NIC Adapter" icon to view and control a specific network interface adapter. The caption below shows information for NIC Adapter: "eth2" and results from running the "ethtool eth2" command. Even though the interface state is: "Down", a link has been established and detected on this interface. This is valuable information to know prior to capturing on a particular network interface.

NIC Adapter Information And Control

Both interfaces are initially shown in the "Down" state indicated by the red down arrow superimposed on the "NIC Adapter" icons. The network interface will automatically be put in the "Up" state prior to starting a capture session.

Step: 3 Start Multi-Tap Capture

After you have selected your "Tap Interfaces" and "Capture Data Directory" next go to the "Start Multi-Tap Capture" section. For this demonstration we will use a "dumpcap" capture filter expression for "POP" and "SMTP" traffic on network: "172.28.8.0/24". Since we selected to use only 2 Taps (Tap0 and Tap1), then only 2 Taps will be dynamically available for configuration out of 4 Taps in the "Start Multi-Tap Capture" form as shown below.

Multi-Tap Start Capture Section


Fill in the fields similar to what are shown above. Use the "'dumpcap' Capture Filter Expressions" navigation aid to help fill in the "dumpcap" capture filter expression field for each Tap.